5c53e3b0b2cdecf3bf8fcd08b136147c7b92e170e22ecd93efb36952b0658804

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
Size

4.2MB
MD5

e9a9729f59b4a5253b487c0c1d292f0f
SHA1

9a142d8dadff79d89930ddfc26c3584aa9852daa
SHA256

5c53e3b0b2cdecf3bf8fcd08b136147c7b92e170e22ecd93efb36952b0658804
SHA512

5267845bf6228e29e841737d9773c8df7672e87b677eec0296f90ec425bf1243a0ae593ea257bfe07a5b1dff556d769f383281f02a95cc7882f687c2784813b3
SSDEEP

49152:j/2h19dm8D0LMA4iiYWywXduVOgUwC8S0RJVE9rHFrDmg27RnWGj:FDbZwXkJZE9TRD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
936	alg.exe
728	elevation_service.exe
888	DiagnosticsHub.StandardCollector.Service.exe
2972	elevation_service.exe
1528	maintenanceservice.exe
4348	OSE.EXE
436	fxssvc.exe
3492	msdtc.exe
4820	PerceptionSimulationService.exe
2568	perfhost.exe
1492	locator.exe
1308	SensorDataService.exe
1160	snmptrap.exe
4428	spectrum.exe
4920	ssh-agent.exe
3624	TieringEngineService.exe
2960	AgentService.exe
3604	vds.exe
5008	vssvc.exe
2604	wbengine.exe
4156	WmiApSrv.exe
3916	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f7637cc6003136b.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043a8fc7325d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa91467425d2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e564b7425d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026d8497325d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d09f107325d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a00327325d2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9f70a7425d2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4720	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
Token: SeDebugPrivilege	936	alg.exe
Token: SeDebugPrivilege	936	alg.exe
Token: SeDebugPrivilege	936	alg.exe
Token: SeAuditPrivilege	436	fxssvc.exe
Token: SeRestorePrivilege	3624	TieringEngineService.exe
Token: SeManageVolumePrivilege	3624	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2960	AgentService.exe
Token: SeBackupPrivilege	5008	vssvc.exe
Token: SeRestorePrivilege	5008	vssvc.exe
Token: SeAuditPrivilege	5008	vssvc.exe
Token: SeBackupPrivilege	2604	wbengine.exe
Token: SeRestorePrivilege	2604	wbengine.exe
Token: SeSecurityPrivilege	2604	wbengine.exe
Token: 33	3916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3916	SearchIndexer.exe
Token: SeDebugPrivilege	1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
Token: SeDebugPrivilege	1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
Token: SeDebugPrivilege	1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
Token: SeDebugPrivilege	1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
Token: SeDebugPrivilege	1632	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 1632	4720	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe	82
PID 4720 wrote to memory of 1632	4720	2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe	82
PID 3916 wrote to memory of 3016	3916	SearchIndexer.exe	114
PID 3916 wrote to memory of 3016	3916	SearchIndexer.exe	114
PID 3916 wrote to memory of 4832	3916	SearchIndexer.exe	115
PID 3916 wrote to memory of 4832	3916	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-07-09_e9a9729f59b4a5253b487c0c1d292f0f_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=126.1.67.123 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2e8,0x2f8,0x14032dfd0,0x14032dfdc,0x14032dfe8
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1528

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3492

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4428

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3016
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c01bd030d10b222666eb35a7675348bd

SHA1
e65f097dda8d4504395ed59b2bc7639f3da3755a

SHA256
7eb4e1455b5618c6d2afc6835a42c409337e10d1e6c1de0e4844ca1c0afb0d30

SHA512
a73762766765b4b3dee9fdc025747712b0ff30784add6f58924e689150e6b8510af9dd31b88d2dd884d4264d657dcd3031f553c7403e1cf5cf383dc290fa72e5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d1be73cd364a27ebef0cbd4746cfff27

SHA1
62557163eb474a8c0d37a85b53a0dbe4990ac87c

SHA256
f2fd9e39b099a4e23282e7478776c1453c31059c23ce2f63422674d6bdc4e930

SHA512
6fd3d21c0ce95f0ba84de2654351d1fa6bbb961884040274a901f3fa83a1d77bbfb69e524fc319277e27c9ef6615aca22248aa5ad14d6c823e5238586798ec53

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
054ebd66064f6a45d304da572adb8eb0

SHA1
5f478c2482eb211bc3722e2a05dac1a5ff156172

SHA256
93ebc7b6b8fca627bd35104a474c97cec3fc23e407802e21feb5ce86761b330b

SHA512
8a33e087f0b48ac9c64c6d6653eb907166c01abc3941c5e326f4fc3a099d1c6320a0d74407bff6461e99b50b45c5e112b69b260c690852ff70aaa4ce3bbdd8b9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5ca93df4843f7d29df3ac09ba979dd73

SHA1
4c78696240408ec49a1f530886f0f5c58449a838

SHA256
7d1821fbaa4d8c242f33867e88f6462313fe43d03523f06c0a40a91fb5b496cf

SHA512
b1e2458e0cec3964e5e4a8bd495dba3a8c4fdcfdab02c8ac7275abbd32b49a4a28756510094b59e15e5594f7a4155c450b7e166a84fbb16f0c0b4610615ea0e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
567740f79395c8fe2ee47e038aa79561

SHA1
34edc657d17fa2c0754ba5993dfdb54d6f6cae6a

SHA256
fb990306e080cf53d2a9998b9913ed99e99427ff01bc6f90715d67e1622c6f13

SHA512
92bd9008bb5a19d3d4c8ddf7a3c8239fc82ac29a2c53c55843121b216aa8467fc879092b9e54c2a4ec231f9d7799c0a4bd94ebfb9a954dbf36c79d21f24098f9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3d6d47ca474f4a1ce62f2859e79745d3

SHA1
716d52f0e65f12e046be64eb4dd93bdff29bd01a

SHA256
1e6d9aee17f1a5fa1a3b90569ba940687125928c44713a0fde2c017695b88bdd

SHA512
f8946ed869c10bcb963f66d4450227f213bc58684a98b23b3fdaaf3d8ae5c69887ec1626ab6368616f71898c210d9ecfe1bd8358cb3e599e5eb5e387677010d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3c627711e282f8d1b1c9ebc4dae9c281

SHA1
1016093ce644abdc9fb8f7afb18987c9c20a35b4

SHA256
7da8e9819ddf18e7ea923a83cb380649e98684832fc98a4657bb4c99aaf450d0

SHA512
d7d4190e2e41ccf43b8c054f2c7e281493a00252a8aa964ca0880de973f3d4f13b2bbcaaec23af454dc7a23bdc2ba69be6c6b9e5ea197559bb0ab87e0d3f6419

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5285ec7cf92109bba78f57ee8a91c679

SHA1
434d9c0fb08ae8ba12de719fc91ed536eecd40b0

SHA256
9fd66bc42935adeb154cd0d9324f3c2ab68cc8e3dc2d2737392d4bb6291e8afd

SHA512
f3da4641efa5d57a4f851ae627309ddb2615523a7d294b689561a1e873181205b4946433ff0844bc0a71b2287f0a994b73ceb65124cc3e23d92eca070c7d5bbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c13050554ad655cbc1172f36498160b9

SHA1
e82b703772d31f22dda8482226ffa2dcf6bd19e9

SHA256
254cea7685e854f56ad1d0dcc1a7bbf683257ed36cc7caa4d08f6a8b7179cef2

SHA512
020dbad7a469ae9e4b33e7edf2bcd6a3b208868eab14725f3ff8693c8bbfbfdd9072e9a8ea6f1ed6e233489758d6214594e5283ce3ed7c6d4ac2c9e3cc424926

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a0c5cc9551166e594404558227769f2c

SHA1
60e8fc180b4af262f11ddfb4aeb67aeb5fce2651

SHA256
9a744dff996efb86d1b4fb42dd8030bc3bafee4e1947141e3019700e73fd570f

SHA512
ba44b5a0b4d2b7348d8f333674f917958a9faf43046763a491a95af65c1b7d0fe7de4e7000fb85a9b2c1eb7ed00aaa88389f020a54e79f5ce4800881bb9e7b5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
18dc197439abbf8bf975c263717e32cd

SHA1
f85cab9d1365b41974fe8f2d623d6a1f1f563177

SHA256
25729b712ab5d62797543ef997cf095836124ce900a9294b75e942cab056692e

SHA512
2df5a30a321433e81574c72141ae25ff1cb1bb11334a31860a7c183ae25299d06d59078f7a4ee4094bd1fc173ce3bfabcf95650e2baf17c4f9340875703f61cd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
66e5e34fba29f4002f673f40a84ba289

SHA1
ba65ee507fee3337d2b857f284f78e0a75d719c4

SHA256
28874f10c3df9efb66a52479f9c64dc5e91c51ee09dbd5946db600265565b4a5

SHA512
659eaaae943b7edacf8b81b40abf3f3769b905bbfdbd31be589919900911fbb4f7322060eb6a3501eeec9923517310cbf1a1ebd9c3e2c407edb7978308556518

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
69a5eee495225f05d94196b82692fe6d

SHA1
8e6fe3c6c81f60f2a1269ee2eef6ae8250e682ad

SHA256
5d4d216bd913ef1aed8d8fbb10bda836cd63065727a4e6ca8bdb51b03f3c3753

SHA512
bb8e95f36e48f9ea3f5d05df551d2c1af52363a66a557a4304c570a11c845c3624c8c2e9e4639f7e44a4b4f58a0065f8b7eff97b1bf593e6fc8e751fa88059f8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
005bf2f7ab7655ceb462c0de9285ef25

SHA1
ba407ea352c0966e1ed95ccec4d14c7e1356d676

SHA256
a93c744cf3005d35d53465afb3845d538325e0bbcf2ec3ab7715778bed9aa1dc

SHA512
249e046d0f4228543b7b8905e1c308b62498a952a9648e0bb29c21e21902bee707d154ae2bb15fcdd87cc769a3f0a759f013e9c86eabe528927b98aed35eb7c9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b8c1c684a8f70676f731268cc878afc9

SHA1
6e7765e5e533a99b6e8f7c6dbae2aa02994d9c13

SHA256
5d678e3ad86c80a4560ded2f17e1e25d0db9b056fc8c7d75591d9f6aba30cfc8

SHA512
df8a95f6a492a324ab241ea140933426388bd2676d665329842bf87b722c873a19dc91cdc2690e89cab926285538430abc7143f40e9268be778487f9b97fd02c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
71807fb7b5a2d2ad0fac152fc54d5929

SHA1
848462734ccf0b1c9706dd4aa5843ca610b17f18

SHA256
76462a19ed451d132b5d17489a92b8ab6f91e7dc6520e7fef9aadee006b92907

SHA512
6227f68deae3f40c5838f9a3bcfb3ebc43ecf43ccc460408119ab63af78753c0695a34ee44fb1a8c5a72e6ceee968506822f4f9152df8d3180c8050843321dce

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
cf67910ef11abe1ed0a5438903781b98

SHA1
d4fb34537668b07ffd6c9420ace5b34d48d9f5f8

SHA256
8468248254b3fcfd3bff0c224dc560ed916d366536f5a52c653fca7c2807b42a

SHA512
cd52d9d54731c4f24d202986c5657a46d60a1f14df744ea57043dca49b004bed010f44be00f95099db670db30e87fccbeedc8cca08c08676e16765dfd5ea5375

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
9cefba266ffaa65fa6da74c899602f51

SHA1
d133f78a4ccedcc0877b6c0d9ccd76b5a70b796f

SHA256
689d37f5429e66f1bfb0aa19adebee3c6a3af1f8b14afe364b4021639fa6166f

SHA512
3f17c6f54d1beaf9be5aac1b08592af9194d3d653ff866b751bdb42155500a6a57b204d981a7e053d7df92786f560a7d2cb65b31658446dfdc49d321ea44f48f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
f7b697811929ff4c6a922cb992b4be1c

SHA1
87d9ae8939bb2e654bfe1b928895967ff8078730

SHA256
fde5febb6dd908dc5522844155eaa051ae8c8ffcce2a7d1c21c63fa6a3c0b345

SHA512
d91783b3cc7675933b917659d0b9644a94135745269450921f303821a75ed0a8805b63bb6e242dbd2795892f20760b3390a31fc06f9b19a746763b7c988c6c1b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1263d072d86ec0dfa9494b303553bb03

SHA1
a03057d2d53ce41e5a3d4786e5d26e90ba0d9cdc

SHA256
32e9eb24df6ea7ca4fe05dfa218aefaa073a57f3147bdbc2be6aaa81b27afb12

SHA512
e6648a92269bf5e89fbedff2973ac487816975e32bf850432a3f9ffa66f6c75834a8d7de967159a5890d8f5f4bae0c5fa8c5d563b790cbf68da7e7c0fa320dee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d81cc9e83b9e0f68129b1810db8624fa

SHA1
c811239b9503258e714f6884f555b17bcff37ef9

SHA256
89c32327a77602d5b45d911a026dfa8daec62feee3a157de9d9945c78e6a8df1

SHA512
7ab88b6742cfead7a6587a5812f7f652c30da8ca1b525461a54a2f06ef82164f662f7c65fe2668dd02e51fdeab7d13610b257efc1dad181dac7eb09069a03450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
819e6fef52bd86682f7d35275c4bd254

SHA1
56aa7410f8ce51a7a1e8fa6601a8ee0d8ca56502

SHA256
c1ab99e0daa2929ee85731027a76ca0bc08de2a558decf426c93af28b28b869b

SHA512
f684729100e1271c7f503fd145ab8977d639e4837a91cd94f1ffc64b0ca5b9d506d1091f473e46abfa29fe160e502a009e76e11a94f5e55151fa371e779cf53d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
09d494d74db6da80b087f487173fe3aa

SHA1
ec00acf2c1a5d9f21aa00e45288cb6c9c1676032

SHA256
9622c09cbec21f5b3f9131b8ada0a0787e655bd117f3e7ed802412b6ecec9268

SHA512
2b00a0b6471fb3cd93f16b632fd0e2f6a6a8662df96df5cfe7a800b847025cf7bba6c9f74208466da5db28d147f9ff1daf484f902d63b587c208b806a4c20eb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1df87152950dd106faac088f2fcb339d

SHA1
b72543f093cbc1d9eba1ca5aba2675c7c3c4a87e

SHA256
1a245aa1b4edfcdecedcbcd19b5f126c32d0031ff7d214b7e8464f5bb87cd562

SHA512
e30e819af3593589288bcddbba5a85cfd162eb61eae0356966405943d5e99faa7200f8acc917ec3f719470b9aa332908f5e03290fc59fe578e953698c22f8169

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
89118207cead70933fe6ecbe02ee846b

SHA1
fb203a5da94f1e9936d31eb58199532fe3350374

SHA256
892f049e5c980963558190c288a8cecaf20b6aad8dc9c813a79a2247c5f145e9

SHA512
055ae649a82d0a7f7db14b64c293bed5a71747b5f6d642406811bd416927083886b41a8338e6e8e9c9a4ad51ee3b0255db187dacb2dc99c6908cc4beaae4cfb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
747b7fad7ae1857f43f2bd48ca331eed

SHA1
544a459d82bb2e71d3b501d9a432216f66d1646f

SHA256
dbd05796b7831b3b5348c8d96b1cb81bc942d2432f2cb7d8333f122f14affc60

SHA512
0fa40e496fb7aae804cb494dc16640495db1d2bbe2d8355fd20b24ace90d7468fc1d18ae7c7436488882b49d0f515ef4e4de21b1ac9b53eb953556e425101956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bdaca744b4ea53640cb91351cacfbd13

SHA1
73db409cc4f26c7840684e2597bec1d4532060a6

SHA256
f2ccb95f2fdabb78a7345b7a147dd7d7a224b5e115ae3826efe89051908b3926

SHA512
4728f7d542fad052ce3e96a3adbc4e2666612feb11973c93e18baee86e5f8392ff8cb54ea6253d767010db1594270efafa8b9762a747630510e733a582071bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2f80b4666eaf7d530bf4bff3756f6558

SHA1
3916e7217ca76243542b9dc11eb9ec0a8e383f80

SHA256
52c5e148db69492856da4066399eab11248db932764158ff8653ca7e1ec9241f

SHA512
2daac494c8b3c49cd5aa13e450b7759f8fad29c0e2aa12c0282da7a87d1b1b1a48f260b618a79143ccb4360629028f8066cf951c09534eb1f2ea6504517e03bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
585ce7c2c3c84a6e1124dadf4561c5af

SHA1
ccc4eb1d8f4f433cb8fcaf32254400a55e070405

SHA256
991f7f94ed6840451c75c875e4b08e17078343a6bf6998237e5d1a9abf5d4dbc

SHA512
355238688de8ad5fe784c9396456aa4a6f94ec496c98f88d594183f33cdab9d166d380af1cec0a1695f6ba03d6358af61ff46cc0ed07e443d92d7ddf72cc1b91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b0d49d637252b63b8dbc3f61c35d5919

SHA1
8ac650d9c6f3d55e55fae4524012524eb5a5993a

SHA256
7f0c38169580c6c4fb6bcd85459b2ce38752d51ae8fbd429f74b40acb79e13f7

SHA512
80b5debc40aa5fd09ccf29543ceab63db3379c6f7da080013c33e90efe41e486ecfe3b7c9159c86db845ae7e9bc4c57ad8a2b8c476aa758d27b581fb78b93367

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
fee81a750a3ca145bc8393ddf023e201

SHA1
28f97bf295a24a3a6a4e1f494679cd5066346e1b

SHA256
8995e3c1809e71f79f3553f41777e7bf8557eb36a93dfb84bddeaf677bf35935

SHA512
cc19ff0d20e587019de03102b7c1903af1e7417ec56b25bc06bae6535a9c4173d99e3194889f821ad9c099d4be67073d46dcf83df5a372ee18274d71d27bfbec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b24f6e7b08282292280a8973cc13c9f5

SHA1
cc2f6781fef9f61d80546e990a33e79a6b8a8e7f

SHA256
b857f2f941dbc62467da78194894c6c9159bec8a8691c16e17301d9a0804cbd3

SHA512
d5fc95e5b377a6c522405f070c37c1dd6bb2921e4eb8681747ac2542988eab8ddadc2a1fb0fc89640567def49b5ae79277ed44db846ff44bb1956e9c5eff3782

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
28471172612b5a57b6bc5fd3783b3ae7

SHA1
c0ddc114bdb391e881db92401f6c8e25caac64db

SHA256
b154ab740dff05c5d2056c946522bf2fe0b8ce8dee037054d106cde224205fcc

SHA512
e28e13a727dc2d28bc95454d55ad2167858a6c89c021f52105c2f8e760db55db5de4f04ad37292a94c3587b6e5ac405b16e0b35ee717e317e4e6ea923904e6e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6f30afd58a328aa6f8c0bca89c8a2f8d

SHA1
e094f3a3beef7068cd4f4d99ab948a8da3ce0f5e

SHA256
16584aaff3ad4b48698d8d39c6db76741b1fa0412e4565cf04c3e06dfa7cfb23

SHA512
6815244258a9f04b6c6a91bc6fe895a3a030449770cc53a74fa571f09e489a103d489d3c794448c2f3f5114a6c72b53796f4b8067d6b57d6c8614dfef9e9af3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2aa0290c0ec8e6627edde220b5401647

SHA1
7bf21855c1ea6e7f6f3a140b5cd271a6b603db5f

SHA256
a0b5a10bbf1037b16452a6055100aaead730f3a5de2453d80faa169c9a4f51aa

SHA512
d8b05945e821e4976a11b37f7f8a1e72a6cc7217f491a980a9a46362cacfa243c6ebc295568ca3be6df6f82851dfb39cfa914db4c28bc84c3e7402095b5fbc0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d9917af91509118285212cfe9307e305

SHA1
9facfa252c231306b8910258628ae262a83abaf0

SHA256
a97b76af0692f9fb6da0a5afa1bc8b6d6d57504ca55f19cfb4c97d5b28d4b088

SHA512
221e10d8bc9dfed3cdb314c1468d48c6eff550e9a4f0be2a39e8d33ac7d11fe691594977505e7cd7fac3a3be834873391999a7605403f256d5e4e94c33961eb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
41d16da51a50e035696b0b320fd911f6

SHA1
b47b9883ab783c04d07dc00092702ae717330e24

SHA256
ca45347963147d71f1624a56626bc8d1b5999c1633bb4baf4554b11c4cd701f9

SHA512
ae70291a2e8526ed4bdb6096636fc043573f75e395cddd479471485435d16ea590ede87638418effba6dee458a6010cf0a02d40135bfa210d811c2edb689e0b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
99192e81459d91f50a99550a2ba1e206

SHA1
52371901df50f2e41d8264b93e918a5636f05663

SHA256
25f5a32daa09ec16a1da31c88777091088e3bc39585990bd227e1a610afd766d

SHA512
0c623ec37caf8aa01934fe93dc08e77be3b5b2316983cec14acf62f35aa2ffa4b19338e45383b8e0e80e4649d4ac8a774efaabb71457b9f5fa6b072beb72bafe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
d56803277e5b8bc635be3017e52742e8

SHA1
9d6de2e57312edfc4881b2b139b7619859831ee6

SHA256
77c746a493da7d26b748a6fa7979cf07ff9a703f85dbe1ec828c4a00d3a87b93

SHA512
426b3b17ad6505ea2663ce31968cee88fb4db3c4bab549c3da40a28a0bab8d600032c0316154cabd7c956154af9a1030c64768bf459e6f61ed236128b15f55ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
b365f1ba21f336f1f93e6048268fb21d

SHA1
3e458bfbf3cd46ade424c6bd40b74b4b3464d9e6

SHA256
bd3d6f337728640fc1f5f018bc616d41ae7ee52911cdfffbd8b05551f6f016fe

SHA512
39ad0588c49184a803e928ed9378bd57a17d46073a23331ebcc3dea64af5d5e518db8419e02ac8d444594b52f5eea49a4f91bd833f71ea38fe50d04900cb4a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
55e2948af113c7f686b673441a9275e8

SHA1
67aaa00d1cd27b45a718f3d51d4234d3b363c39a

SHA256
5d9e730d622944d67c6dbb666e87481a7aedb44d3843c35bb1056b81bc13870c

SHA512
f9f6ce1b2f244712d4d59443381f8484af718dc021254f9c336b05aea42c5533d6a9527115a19d581cebb17f077a14fd6fdaa585d56d33668017bb608ee3d9ff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4089338693b804938666940dea324665

SHA1
4b0be2f664b9dd90af56b5e3f7958f64ad597c07

SHA256
d57fafaf4db14e077d57372f7e32862f34b412965261714520faf67446a8fb69

SHA512
11d4b327d45c202bde2f7a6834ae44b0a1cf7f6c8f6701b6419438ea86cc418a153ae70c14b941fc74a9f54ad46388b3bd0f94f26a67146060dd6b2576c9f26f

Download Submit
C:\Users\Admin\AppData\Roaming\f7637cc6003136b.bin

Filesize
12KB

MD5
3239abfa642c1c1f3f19a7200da3c62b

SHA1
56a7d95bf96f34e72f060e51979a481204a85664

SHA256
8b604df8724bbb8e7a85359c2fecc322f7b1ca35e4b9deb4f46ce8ff7f53a102

SHA512
9e7db325835a857d22ee1fe43b6dcd736e0e08534c25287358bf8bfa49b47bf8647baceea9d434ee65891c05a04af9233d23b8195766c5f11650ffc36dc9a59f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
034b95d8d16543049bb281c509a03d71

SHA1
0d5c3179b38f6207b09f1f41c96c7a8fcdafcf4a

SHA256
77d67138a9690e315cbc71ee286e9252f4543a1aad50871e49c1eb25a6e24cbd

SHA512
ce53402c7eca7fabb4645435624708ebc84bba24b5c759f84239603c2a7a92c4ba7f9274a939a5d20631c09a1565d16f446abc7be154c1e5306bdaecce2544b0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bd42aa92a993fb90945ee42c215b489f

SHA1
105c835626dc757057b166abdac51368a0d0ded6

SHA256
bf1c285f045395620b824304e46cc3daacca25a7ed54070e70c90b5af67d5f14

SHA512
0a752cfa70e4ae99def43d2705607443f72a3eac704c1d6970ca7fe309898389df06dbc63f5875a8499e2d2cd5c91af47308902bea8fd244cdeca7c3e4a12416

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e99d1ea1ceed9bc78a551728aae787f4

SHA1
b9423b6ea67c8df446b47926838bb8d0cd69561a

SHA256
b6fe364133a01683440b8985ce7a0a3f4757af191e19fb7e66c9f6d436041e28

SHA512
3986189f64dfd3e5f7ecffa147d941ecf78730b79d00ab9aa45d0ef4d87cc016c1dc7c326872741fb947fe3e84372f7451c9a8248cce00c6d127b41b5f65c36f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
91639b9a2ed4670b70596b3397b783ec

SHA1
58703df5ba65aa2d222faa021b210befec288fe9

SHA256
dbbd62263f9f23084b735047ae466dc786d4ec1658a1ae9255fba5ffe30a707e

SHA512
a36c708ddd797221e738792b895e88f87bbe3139cd8fd2689f8eb3d9f03725376290967704f191a6ca6c5a03d98991c2ee9946db8cc37a0ca6d08edb45354e5f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
40b58536024d0ac990df48880e86d20d

SHA1
1de3af8e905d8b45b501b55dbacaf7a7040c359e

SHA256
8d7b773c0ebba27356206bda45e615a423babe0917845f763d189958584ce13e

SHA512
58c21441aa5e87c7f879eca6646f3830e678b9a053922981b395c817b00a5acbcf49ce9229477613d8b946a07c81f49406545fa880dd2438df659afdc677036a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
38df59149581da4defccc812c5716a7f

SHA1
850819c0911c0ccd3b7a03e5c4e693fbe1e24bda

SHA256
718ce1d0eca940cedce23e85847f5815a11824e0effa0a34ccc9d9a257a18afa

SHA512
5f548094bec69aa23a2587ddcc7bb10154eee9b1954d7ced2c37543e14ea053b1ff9947fdac36ebea8705ee4964a6e91d20b37c217dba7c328f8bd1e348dba4b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
1922ee34d5f1c09de3447fd0960ec657

SHA1
74ebf384a7b46d314147a514d2400170ce421eb7

SHA256
fde64a7e9effc8a7b6195055745e7deef6dcd20f8fd1f33386d675a57e731f3a

SHA512
9160d733cb31c98b88eda58b255a38a5939a25b07e6d76420fdbd3cbe29dd03f061f41442296f5e43be9e09b53190fdf04aa1821dcb98f8fadcac45d3e7c49f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
909ba5ac3f4981e7e5319a54284e425a

SHA1
649acd60e671ea4dac0617de761de13467435d8c

SHA256
a2b56abcf6dcdac56c537b62efc3d67a43bab4aea3b9cfdea3eef78d994f5940

SHA512
8ca54e8633334b014ff683dfacc0b88d4eb436a76f398e26aadeaff0ef2e718f2c387a6301c4bd5d3d8c135354b3421c9c134883dd89d34370fa4a6867764d80

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c2cd37c25bfa823cd9e7007df88e0c5c

SHA1
789d798c2581ebd78213224a8bf2913887342cac

SHA256
d186a08c9feb028132c1b227a4dc13630e18722a250cd3dda5f0d3b62648e0b8

SHA512
924fc0403a5198ffa32196aaa933e2b0c539535f17a48bebc901560ebadf35f0f2791e9e37f867f61260d3e6aebb7db8ee6b3ec4a671a518fda0d9b8eaac92c8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf213e14c97ad11ba43f96cd0f6eda35

SHA1
3af55da1912d7d89358805fbf41b3477f183260b

SHA256
1fe7b320455c7b2806d4d1ce23a166e17e10ca90b3e38dd5da3057024d83a4f9

SHA512
542f3cf4de2d895aa08980488e5440164c6fbf7b0823fbfce94e9375b3f128b616d80d6b7d1630e2725cc61d34ff33c3993e8767cc826604371c97806f88555f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f47cc926a708a4b33650e14f0227be0a

SHA1
ed8a26f4bf3c2ded35ba0364be6674275d5db4e2

SHA256
dcb205269bc3a97394f21caf6db564d8607793fc4b630e4b0e2c74a3d57fca4d

SHA512
c87521817bab5b0135c63cefcd98fa5917615353b2eb67a096e45eb4e84982f1ffce8f938915330958179b3333d7000b51e70cda4118431d6b924734d50dff18

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
612b5c8bd3c5a9f9993647690de69b8b

SHA1
cfcce0208a825e52b3b1f17cbbc5890709da0b68

SHA256
19aecf77bdd1a7d5468937f6a64c824b99b45a96a3de0764e10b6816656fa021

SHA512
2ed8d832d20d33e5eea127ffa7c40e44d12c1105a1e9de7591e584e7ef5cd80a8dabe5f7bfc850437bad2b2edbb3e638792961c0f55c29755692dd5b7571915d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
91c01019cc873468537a987848bc8b05

SHA1
6cb5f31cb08f1ca56c3781023fbd02240d10888f

SHA256
3fafc6057403a8d0df896782c425697fb42116ed9dc962a85d8b0776b93ecefe

SHA512
25a4440764dc9516613d4dc10f794d3ac969c6e822e003e9751f0d0d2550c37a02dad689082646cdd678ef89819e55b9ccde0fbf28b9c4bdf84852f748762eea

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ba7582da0de3fe44f3e93e9bacfd19a2

SHA1
7db02f6d47c202dfca62cd13a7e78a11f32a7af5

SHA256
3ba4436b7939897caef13e1264e069487aec422af02351a0911d2015939c7605

SHA512
75e616a6c80675fb92f4a519b3a9c42cdec5418adaf8b26501c51bec971d77e3c9d604162f523a5b246ac671f7a414828f860d131b99a93cffcd3eeba559afd2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
67b30c769064b9144583228a30a6f499

SHA1
59009c5a8a069f3b6b69bd8b8d2646933a1d37e5

SHA256
853c3b47ae45ed2687d19ff81c4a381809b581bc81c2d165aca3cc0c8fa158c5

SHA512
2198bd60a352376cd731069b970ed3d4a5b87528c4a40bca0968eed42fbab3257cd69d2ee8ffd6645f74a9bc59bf7b88a3cd43e37927e622ad9ce2404f669f5e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
041b9cb5782388b3d8c95ad668a7a212

SHA1
c31e67ebeb0584fbd66a1d20fc8900136b68407f

SHA256
bd8107f28bdff9d6d5a3f89ed1197ae81f726f025c0f656dfb4432e39defca84

SHA512
073ccf73885d55923d23088f08b0bd52c7459ac93da5134b061e00acdf3b2d0dc6eb20e98548a1767984a2c3b0dcac28fdf442922ffc88a6da0564136a86905a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a7b72001097425cc86c4971472fdaa70

SHA1
c603d13bf06bb88ff6be9ddaf264384e66029cd2

SHA256
19a413c3e4aef09ab3abf725d8f0ed632ca34b6f59839c36dc31b6cc9e077ccb

SHA512
fd73c1b598f3ab1e43eac2e82a9b2b64ab070d57e33173a0cbbb7e749edd97b12b10e22c214010feb94584908d3ff05d20890dcb9c0070a40206e16ab88ef6a9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
50af5220814df6013fe0225eb0c19070

SHA1
935f2d51ade61edc9330323b437bb91417c49152

SHA256
a53cdd07231441e1aab3fe29acc8b5e4774c54372f324c8453417cfc078b64ef

SHA512
1672c70191f0c89c650218686bc07a14100c101a0d2fbd81dd52dd3385749fa2886cdbf93a4104e1a8eb7fe6c93d12a2b0778cc4ff8e4df739d1d424f60c0993

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
29614ee2f0f6770294fe9ac814bb0cd6

SHA1
0efe427daa8898b23b0a3ad36e12c44df37facaa

SHA256
c676f161c772c0cc849cd4a9c6f9de86a05f2846c397193ca215902d9ff1a8f6

SHA512
9aaab6610316d03c07f8ac533d37d0cad3f37a63b28768cf9b4aa71b21fcf55a6ef8d90f617e0fdd257562ae09f44b1e195eb0c8307bb668854a0220bc76d8bb

Download Submit
memory/436-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/436-281-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/728-260-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/728-45-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/728-62-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/728-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/888-60-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/888-54-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/888-63-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/936-25-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/936-257-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/936-20-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/936-27-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1160-341-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1160-527-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1308-441-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1308-329-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1308-578-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1492-316-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1492-428-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1528-87-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1528-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1528-90-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1528-77-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1528-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1632-11-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1632-28-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1632-18-0x0000000140000000-0x000000014043C000-memory.dmp

Filesize
4.2MB

Download
memory/1632-31-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1632-256-0x0000000140000000-0x000000014043C000-memory.dmp

Filesize
4.2MB

Download
memory/2568-416-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2568-307-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2604-417-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2604-634-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2960-390-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2960-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2972-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2972-75-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2972-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2972-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3492-278-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3492-392-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3604-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3604-632-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3624-367-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3624-629-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3916-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3916-636-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4156-435-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4156-635-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4348-92-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4348-100-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4348-262-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4428-595-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4428-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4720-9-0x0000000140000000-0x000000014043C000-memory.dmp

Filesize
4.2MB

Download
memory/4720-6-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4720-0-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4720-41-0x0000000140000000-0x000000014043C000-memory.dmp

Filesize
4.2MB

Download
memory/4820-301-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4820-404-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4920-628-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4920-360-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5008-633-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5008-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download