7a8e181e30d97eb0575b355ae2a7493a4b5d5de29348dc885c2564a325005813

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Size

2.1MB
MD5

b9890640bd6bf55c05c653042518f32b
SHA1

81404caeda6e6b0304c11a9d899c0023b139e036
SHA256

7a8e181e30d97eb0575b355ae2a7493a4b5d5de29348dc885c2564a325005813
SHA512

981d5558364cf70192cb20f6fc349f831ae765da5d4e1417568caf1171c6e1f2db8f824d6e8c2199f8f9abe2440ca99563d7d356a06e3efc22991900c30ae071
SSDEEP

49152:0Ix5yCn2/zDKEsQc6sa6wvB9r2Oi/WvA+b:0Ib5kzeEsQc6sa6aBC+b

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3652	alg.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
3252	fxssvc.exe
4852	elevation_service.exe
3588	elevation_service.exe
3804	maintenanceservice.exe
2704	msdtc.exe
4276	OSE.EXE
4860	PerceptionSimulationService.exe
1016	perfhost.exe
4248	locator.exe
2212	SensorDataService.exe
3776	snmptrap.exe
4028	spectrum.exe
3740	ssh-agent.exe
4516	TieringEngineService.exe
2836	AgentService.exe
2588	vds.exe
440	vssvc.exe
4240	wbengine.exe
5056	WmiApSrv.exe
5092	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\86b7280a4521e136.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E9FAE721-C42D-4B32-B146-9DE88A456C64}\chrome_installer.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaw.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2e467574fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fdb21584fe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd3b43584fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000264f56584fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093ef15584fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041fa3c574fe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047e548574fe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000372225574fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d01099584fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011fb1d574fe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
4456	DiagnosticsHub.StandardCollector.Service.exe
4456	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Token: SeAuditPrivilege	3252	fxssvc.exe
Token: SeRestorePrivilege	4516	TieringEngineService.exe
Token: SeManageVolumePrivilege	4516	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2836	AgentService.exe
Token: SeBackupPrivilege	440	vssvc.exe
Token: SeRestorePrivilege	440	vssvc.exe
Token: SeAuditPrivilege	440	vssvc.exe
Token: SeBackupPrivilege	4240	wbengine.exe
Token: SeRestorePrivilege	4240	wbengine.exe
Token: SeSecurityPrivilege	4240	wbengine.exe
Token: 33	5092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5092	SearchIndexer.exe
Token: SeDebugPrivilege	2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Token: SeDebugPrivilege	2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Token: SeDebugPrivilege	2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Token: SeDebugPrivilege	2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Token: SeDebugPrivilege	2824	2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
Token: SeDebugPrivilege	4456	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 5076	5092	SearchIndexer.exe	112
PID 5092 wrote to memory of 5076	5092	SearchIndexer.exe	112
PID 5092 wrote to memory of 3224	5092	SearchIndexer.exe	113
PID 5092 wrote to memory of 3224	5092	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_b9890640bd6bf55c05c653042518f32b_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4668

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2704

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1016

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4028

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9f5f477944c8d6654b331402a11e048c

SHA1
a4749925da38177a3a6fb579758404a326bca23a

SHA256
c151b5a1ea1043c826d88ba0cd3252df750e0f84571490cd6b231b4fa1f93d61

SHA512
58dda0b785cd17fd9a12b889df65072e858833efdd7a0815d6dbc325e38c4d6ee9b6055d1b8f0f8b157fcb1663d61b8b965b444147190f6b282bd2abb27e9927

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
81334b464bc6cd36b8f699c7bad93291

SHA1
0514e1ceae4dc293b0f3180a5ea9694282e68414

SHA256
b0098b32d6df68fb00fea52e7127de3ba1fb607c6fd93e1045dbeaabd95f1260

SHA512
9f033a0277d6cb452ac78740c03b6f867c2cb09731ecfe2bd4d598fe119d41b89d90bbe59df5708630258abf4e0b00219f2fc0c71eaadb5ebdca97654eb7355c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0a03c370186281fa7d758f364bf5fc39

SHA1
01c640fffc9e8acf99d8093b060914fbc6677b96

SHA256
db394354b3a934952830b17d74ec2515d8555d81b354f19d96fe5481a709e13b

SHA512
f099f99f0d189cc3d8c528f5ea1204bf395a8392b6e6581f13e7d96703efe8a9cb15392dec37ae0240cf774e97dbf7068c2224b2812577053d8fd5b7a53aba1f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
59c9d1efdbb975dbb4cf0ad12acc1c1d

SHA1
bb010a0252f533f9fac18b8d24b55dbb559cd9a7

SHA256
6a3b90b8b73cc36816333d0bf6b8df25e2b5f14d9584e91138f0b2e7fa0bdf4f

SHA512
19bdffc472f3ee03a3ae3b1af28ccf22924f77c9975c6c921824aef6684e52d58927e6c0b276f5ba40560decc3781e8e4d1d8008048a1ad412ab1f6dd1ee7afa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
55a27589b77ae8b3a2d9ce5873ab7814

SHA1
fd5800437dca8d3cf088bc14620fbff95fdf3aec

SHA256
ccf94af5aa7342e9fa8c44714054788d4dcb737d57c2c559c077a612d2fee796

SHA512
54ba6298c8b7bda8533d57b22e6e57e9932ac671db24e4b146f3a0b46f6b484c24f8285c8d7bde65727311407672597d4756dd755deeebbe2335ff86dfc51c7d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b57db78567e5f7704cee8e87bad760a5

SHA1
07659dc76e341911a82776bff289e825450739de

SHA256
64c3c7211d2940786b6f4e5d0cda7d76991ed0d441462ca5857d806089667bc6

SHA512
4594eeefe58ee8f4d6cbaf90143a3de47cedcd741f1e3d99dfa0f8dd2a6f69fd1634a2bc3a5a4e9112a421178051d733fddfad44073cd7f071d3ede550cae33f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b0f26bcd034e85b49a618e091f191752

SHA1
c25f1cdbaa42db0919416657a4419edfcf579f97

SHA256
f41b6f31eeb650a592c310d8a82186ada5ad9f45a092e96d1d25c56151338e0f

SHA512
53ea46d670c2754608d6db40f5280d1c7846730f01a2e669aeef24376239df9c0c2647824b150e7fa6c0b0abd4c23c02086c406d4b3b163b9cc2d4aa197c4946

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
986f44fba0c46048cbfeab2e3b5eaeff

SHA1
69ffa21d257ffd4193c9a1522b0e774c898b38df

SHA256
408f126a81b14cbd30260810fcd0b1966bb8363ce6eb69e94e7deee13ff70429

SHA512
478beebaacec20ce6a8cff98531cd986c96b4bb09b326ab148ee98bd48d526a710838f83e650716ba098dd0c52872e4952837c1c3e3e8a2c766b5b52afe4d48a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a576cc3797cbc5dcf74035b7a72afb60

SHA1
560b846b9b0bb9b9d612d467667419141dbf54ba

SHA256
f69719281b28b752f9d7bb22f5b602cbe0cac8d359bc10859dc5cf021f0aee06

SHA512
ef0e776b0485ce139572474ba842cfd5b4b2f3180b81b3d328bd60750efa5364138462227efeed465ee5270a00e2af7b95de25cc9c4ed8d2d5fa16f23cb6db88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
58b9ad873d339be20b622731419173a1

SHA1
f470ca16ca80192396db9ecb8739c0744f4b0cc2

SHA256
3328de62aae12f7a49466c8793a7033f0856be92f9264e630f9e625c4a6cc287

SHA512
7144fcca659b4166ec89081b32347cc252d5b3fc3533ef5d3eb690c0042c607c7e4e57f3132e9a8821118fc85b6c82e133f5a69e2466c62c56027bfa17fa32ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
df616dcd45bdc3715810e6514a4ee527

SHA1
65682a7e3cd22b9c1f549b213908edf9004df28d

SHA256
7cdc7eb843e4e3e1d7da877b9f8c685e998baef9a069c55fe33c53dee95af37f

SHA512
4031687e52713278aa3d037e5f9095128b7dd9a0fdb3d6852762b62e2002d112607bc96fb81420282a54c8b2f529b820391dd75a806b65603a9d97e16b43f650

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
64f0265d286fd8b0fa0edb1aca06af0d

SHA1
50950ef41b68493ebd48705b8dbdea07d4c83c4a

SHA256
83c298826953f454f3741474b16d9844a17a3a06cdbfed4084950b6bbbee6f26

SHA512
a78482e553cced56431f97641310423ed5c35a6681feeade99b99c2b253bf7fabc793be5f222e68e4b1733eb7f9f4326d1e27ea986367cca03da243f1d78f016

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dc812c60b4403fbb42dd4dfe1030bd7b

SHA1
4a0489e827f069ca913db69a2001685302c82a0e

SHA256
d558473d8327e0094df6ac41814ee7d0922b4f10b0dbfe44bfb0d621da057faa

SHA512
7b1de0f290883f92c95dffabcb958503708f7ad32b43f8f0eeaee5f14f3dff1777b4f022e7be5a5ffca5cdc722016dbef29d3874dfe3a7d756061bb307c855ff

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
99572194853e67785f2c02b33c767760

SHA1
0e47b9a1e6e443ea024324cba5dd45108e09b20d

SHA256
781fbeeb354617ff24f85e86b4e2027eec735e61526408ef66676be44ec64779

SHA512
32c1b4bd70e09606cda5449481378696cbdb326e9727600e268016697469f497abf679cd78030932e31f0fed55b9c33ca6533f1c8b0658127f3f221e3d21dda0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
88f6fa1c89aae4f3dde7382f74072377

SHA1
a3634b01e82ee21d9aa2e9d5e98a27120b320c36

SHA256
e9a4e2b7dad7b8d386ff585b5e08491b0e193b514f8560798a4dd6f1e7bfc86c

SHA512
0e6fa73dba463df7d40eb5487c3fdc726783b76ed1a8bc21caaf5c24fc6515edc2767ed1bf3977679d41820585f67a2f11c66e68b19baf1c0dd9b5de67b2f28a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c71309897553d8798ba52d502ad1a235

SHA1
e14074e5874190fae3ee60f05819c85dabd6cc2f

SHA256
a99259cea89648aa6acdfdf06052f98eb3abebc1600a08ddafa5c0a5474ece50

SHA512
d2550b8ea35cb8ad3b245c64846731255e64464547d932ad46b4a95b911fa493d71366503e0698a63c173e07c73bff64ab1bf1dfe893dfdfdb0407f9775ba112

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d2ad7eb671a1be0bd205786412caa41e

SHA1
507e4cc4926417183083997021a5b105564e100b

SHA256
309b26329abcf59d0db1696ebca10f8218dcd12133ca150d61febcb9f4f12f22

SHA512
940070d738e6333a00ab27a31509ade458a80bfc915b8cbef58d17cde5d16329b3ed6e1f48f4df6e4682c4a197565c6d5922c9a59967657e938f8d38e6373be9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
29ee1b17a2bc8f7c778279d2360f636e

SHA1
4a7f333ed036b78c072a33a9ed037a1087ca4f8c

SHA256
b76fb909a19634c35c56f554f85f8a59ce62f5375b904f802d124cba17e0cd25

SHA512
99ef02556cbbc05c171c4dbb9bba14963641c5497cd027162ad6ca761f1b366786de5f7d3c5a99cd519bab1f48b80072d71ef4c9a80612361c6108a33dbdccbb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
be08f81f097f2a8c0c3b0e371f744654

SHA1
af9c5675001e1cb15672917654d02d111a0ead4c

SHA256
b51f1e6311906776a4a652e34b84bf022b55c57b25d13dc2ce8fb9181415c971

SHA512
749638650316d570c2fb904593b8eccb1069736b66a06ef502e70c5e581d67501e132dc8adc196578de96c159b8d38389ef553f4a721a29dbdb8df4045de3b4f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ca58aeac87b9e1fa747ca659e8938c8c

SHA1
b903d81adb5517f6409f1f65309d14b5278d65d0

SHA256
af45aa48eb995d8d9a0a65bc67bfdf9fda347b27ec6a43b23884f5d7cb93bd43

SHA512
ecf36991dbfcf3209e5f2c73d7f3f08d46e59d8bb47686f5694559ff944f59b399b302eda6f737e6c2f181199ef6806e56514402451f7c59fc961401f6270355

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0d466c57b3ed067fed439ec5ab32771d

SHA1
aeaff33079565231d8b3d7e0a66063b0d6c5635f

SHA256
5da630ee97f0ac2da01b9778d84502324d0845866fb538efb877c5e6eb6b835f

SHA512
105aabf456b6bc6d77f8ec4bb76199faeb30aa0d1a3891ac715b4aaf00d2a637f9e3ea08ab719e6bb61f7a7e42d8ed1ad28d75c8f771fc034ba26fb52ca328fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7c2366329256f902567b5d428fa9ad6a

SHA1
4f9d702e072e6e8b729d38855f22a72ed2c9e2ed

SHA256
f2c6ad91131566e47845fc7d10f221f75735d5f30fa8831848385268438fd360

SHA512
7f5b3df02d0fd9be6fa958c557e63b326691ddee73a7a5c4afa17df45b49bbdb0dca07bcc82d44920e5a6ab4b09202c73210de36b9b23e5265828c5f8b83fb9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f8f150ca33394963a43ce9bf7e8ab08b

SHA1
633f7fcd37101947e45acc91cfb204d05d57d639

SHA256
5700cd765c0f406bafbaedd2b4996836c6778ccb7a8d6c22e8edf48f56654604

SHA512
ed38113b3018fedafff7b548adf829419ea079f26e52c7ec3185dc223d687321bfc3b71bc60d1ee457678baed11c2a43f4bd86accc49aae5c0cd3326f66da360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1c6927ea6055d8627ee6fbac347b6b80

SHA1
3769914c8debabc8eda275b099646c76c1ebda46

SHA256
a7337f12db1281d5c7bf19dfbebfc77b137eb451ba831cba2acf18639050a524

SHA512
f0823480b0987e314f912026fe9ba1059efca47c94bacbf5e3b67f7daaef31a0d882992585d74b8f2d6f9e2b51502cc3697e4384c22e3ad438e8f89a3ff12bb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
70d0952d0b84d0f22ceb1fea62eb4bd8

SHA1
7e207370cb941a3a323f306014c4a27f30be7ea7

SHA256
040c6182dd734b5507ee389fb2b686b4571cf147deaecc3acf6408da27c41f35

SHA512
8e6a5f67537addd4437d1d90f2733619500f758539afb87d32f24df2635750141df36f956c5cb1a7e377272cf8179e1a5f796a45b8d8c9cb41d06b194691fcb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
275eca9575802cf23d5c8f2d4d694c87

SHA1
2c15a7b50cf511ab496db05cc877e1aefdbed612

SHA256
7d8d857e4a34e1f10a702da8c60f94e5110428539b38674a6c2c7d4f7b08e1cf

SHA512
c0c9e0baca199a23e24b13547ee168830c751f3eda207cb10c4c361f039be75757c91bef3b39d79155706f552a7610d4e051e2d1cc82b3f3f45b93dc9979170b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
99e6a1e43ca65e0719475f1ad1f37d60

SHA1
c60f24c678ba42ac8a7d5e8020c9770bca1562c9

SHA256
7ac9e9d9bdd956638bbed1fd02a0de2fc09efea683cc7f99f849392e453b3a9a

SHA512
dbd11af64e22694c4898f4320d2d8b67b5c3f01cf32f93faff1afa3bbba5ccd7f6bb6a1dd9eae7876969bb7688f0666200d251e4100319bc9742db62afae09cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
82db8f2ace41caf1c21034617d72624f

SHA1
70dbd034215c703e2e9e189920f605423ef07033

SHA256
d580f1b6fccc14f594a3499d56b505150471d2c3926e35367ec66a1d7034db1e

SHA512
2b0601c0c1981bfbdbdaef37ff0b216e4d563dfe8033b22a3f2472c6fb34691b7d8c88feda069bda810c513543aafa212ece6b8415aff285e5b3d81fcb7b354b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
06cb5f8974784eacc409e93b7d1fde45

SHA1
cf56443fe0164618d1e2b9c4bf1c0425a08761af

SHA256
d377115dc233684c1a6da2935c82e809717b16297d794f6210b8d8af5a7dd484

SHA512
251dfad65d4ff06284aee8f5f1071606386134cfe611d2634c4368c4b35ec3038a97606387f543618443ba21653ff0c9c28773ccb4f1133e1073c6763a1ba7c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3df563f2bdcfbcc13366105db5376005

SHA1
e2e7a5760cfd3a25a9e7f85710e9d04ee44c889f

SHA256
66e05464f898d05ca71e084b1eaf72f4505bc2a4f15d2e77f09a2cca52bc1452

SHA512
d22cb220a90115e9f8ecb652fa1ea0bc06a482f85f66496af08bd95159f58aad68d17fae0b0341c4f69b96df603e55afe4d2782b8215e6fc2db6b11faff77896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
950ccee3f3610684b8458b8a7e00d054

SHA1
d51f0493f3509fed6bee136b2dfb5278c88f8bf1

SHA256
0d23ccacc536777ae632a6dc43fd55a59adfc1cfe5702aa3ba782d5986c56890

SHA512
040a769cd08384effa2671fa5f7627bf54aaae2ed02da69cdc5d16f2ffe6da96ccbf192b4a61394407212b7aca2aed57a390fcf4c12552606a6920cc76670eb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
be199c4b93955e646b856647b8a6bd42

SHA1
3064218e10e099f45395c4a938690b305b9b3e96

SHA256
676a5b5d132609d2b465b3e113d44569ff1e5752608e748de7ad5991111d77a1

SHA512
d407692f6663d643b79aec485a4f86fdd8aa8936417368cdc0159313cc3ca0ebf9eb4fec823f0eb9107384a2b29ca5292ddf3df5bda9020a769cd2a1786fbcaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a06cbb39ba834663b7e130de021ab9c7

SHA1
646c2c4067c77ee3679bf292040a6e23de734909

SHA256
da4ee82fb94ee7cf3badba8cd81867978c3410019d567e06a7b19e301fb2df79

SHA512
af4b2aa70541bbc6fa85d1b083ce85ee928de1360992531e50e93a32a912f016c600f78d7fad14aae9591cf4f9928c85a134baf1d192642880b34145736783ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f5636fba8f923aebdb52af7125aa8929

SHA1
b9d6c1508ca7bd3ab182eb989678733298146cd8

SHA256
825fdc27a04d2c672d83c3a4930e00633338ac1857a344788c977909116f3ca1

SHA512
595adbd0888734d1fbaa9f9a2f83a28a7e47ed2a799e47d378698f191723fbd85a88828685029914ad8cdf57054947c7cabcd94f6dce3b9b0a988c2f69656c42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6db986d1e1b9bbe351776dbbd90f2222

SHA1
8f21a35ec3bd826697d9b2eb77880fd1868161b8

SHA256
7e50517aea3f049b5acf0d6df721931b9db0f94d4ff857a3957f1d08ea404fab

SHA512
ff0de96498bd7c038e3941b88c39f03dd7eec0a885308cc2d20472ec3d1f0283ef92e33c0d18e72b29cb73c75a4435266a814fd1b3734458766c1b518be81c8a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ea7a8c998c025b9a62a652f689e88437

SHA1
7d8e746242fdce8ce18f63b783229ac852cab066

SHA256
0209e89742f9fe6676e913f333bcee15f3d7691e38507bbba6fd021ef04e3460

SHA512
dfa8b8ff4d14a0370c1867432e820c89b6e4ea980ff768ca4085e23226a5c4f85757b004986f403c49ef602783068147960dd22186aec6b1b3624e44bb66ecfb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
fd571beb3f04f4803a92b3485314eedb

SHA1
716915c4b8d675e545b69336631b40f0f7047477

SHA256
7e3ea88eedddb3df7de75de38d880ead3dbcbf36ac364a47b5979011f582b980

SHA512
eb217a2181bb299fb1b69d77a4653690dfad8f0910d5a232ad050297f7905c16095dde9728108687f5b9064b043c4286a81d94db045521cddeffbe8e3065f796

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1b23fb290957f1e6f1851ca478909729

SHA1
323e024348240533b21c023876b1b26d50314ab1

SHA256
f68a8d520e1e85264cff757be589178bc6112d008b7440de7613570c6493df82

SHA512
70879a03933d33b61068178616ef6ec74823a9bc0e124e328756ddb8953d1d1fb50775babcab13957c6b92f77167a68387d7605da1382b4c509a049d995214d7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8f6e736aa9e5996c80c94828e7162c27

SHA1
f875d4e82316c49c0b0e3e718b70d0de0bfec4a3

SHA256
3f6ebbfcb0ce66b007036d247bdb871eafb6f4dd191ba833b8c03564f473cb44

SHA512
fa4ddf3b4e1123f8c6e1f0c6cbc4dfc8893d33c109201ec65acbf4721525a4da53d175196b3040bc743a3dfca825310dab06b00127f7c50bb12b740f5fd67717

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
90d7fbd21692805f01e6a430e9c33332

SHA1
742400e11a5df9d2d29df9432ef4353efb03b08d

SHA256
6a423bbc280f8700ef9330121e90b9f4c4a3662e263805f61f3e1de6c91fda65

SHA512
b6a75a3e8545479561d0643d47ac3d8fe0b7902b1d56476f2a81848a113f291ac311af4d226c74d10edebc36e504396b34590908095b266f951a03ea74049e2e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f4dc5b13bbbd759c686ea461f8a54a97

SHA1
d58985ae259abe4b496e1353816e59017097e276

SHA256
39b61e687328dd75224b599e483b23dc3561f86686b2d63e99373203de0ee711

SHA512
65c9753aac5b0b4c1a1de75905b91b3bbbae6e2bc2fce6901fabee133983cf0e47840efea5771073970751a52ca39ad375b0947243500fecc7b93e92765a4af9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
33254b5da2af416a1c248a23d19535ac

SHA1
222a36727b65882d6dd1355b66251aaa22b691c6

SHA256
9f5690f273d0a2e521c2c64f8a9b48df26f8965caccb52899bc85df7e0f9b8e2

SHA512
8ee1bd086ee2902d9d4317cd7662cb8c526bb38411ce9b8ad57753ed3867c25ac569f04ebe74a776b6404b1ab1844f5d29f4a5db8269d039ffc8dd9efd4f2b68

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ce49d86b2e1600b0d77734ae7108ca57

SHA1
bd268751e8880f6c57ca41ddaca97a99b4255a99

SHA256
0c8bac843b746c2760cef35f5fe248668b27b5a46485db642cc5c74ba725b4b9

SHA512
dd2be9b59f86b0348573167913d57360290acdb157b5d964a4daeaeeb6d59eb0258eebd9ef5b3a1023c5b70a6084b436cfd414e343babb9bab0603c6253a931e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b634e078a00b1f94a3201351f736d1d8

SHA1
688eef8f71da277284b764e88d1c47808b1986a9

SHA256
8be2eff0164ab67228b95806faa8a30f50783829eeee75cdae4b8ef1f026fc47

SHA512
ca765460b04d1af0c63e58748736dd0f030b6f81107c4a04a043915c1ab3eb33a076e396adf9e30d5b691799cc4c1b9c21c9842a1caba1f602d1bf51276dda23

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
689bb040a74b320bfe38b118920093d6

SHA1
8db59ce9d076fdbe7bc3b25e3fce3997f435834a

SHA256
dd3e9dd419c33753c50f235ae0e96fc6c480f544d4168f3ee46eb916ea8a9b3e

SHA512
99091aea484c3da5896c5a39d68b0aab311e76d6786379e38b4be1ed7b77f23f5126984911a3571082aa02c415853434fdb1b2b17e7fa4d1258ca05f46fbee05

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7caa6b678e65908f11fcf126f4cb4f83

SHA1
f3bf20fe951472531b3bf8a6e29309d4a80fc3c9

SHA256
e5aa4dcbff0152a4e8a5551de3f70a20536f3024c161bc414d8235dd5a878d11

SHA512
f26393d633d8ce071a1ef0ffe0ea5a51e1338ab27f72f2df3cd1ed915077cc7b0e27baf11c782b5fd5882271ca26db7fd8a9e0aa16c6936940a1105e44fa676c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b92713c21684e1c946e940a3d9037a91

SHA1
7dc0e3d2c866faa4832f1db913a49bf6c8e77611

SHA256
56439bfa0d9b3ca9a87a81ffacaac15d1d7e77f966ea2ad7193112c655a22524

SHA512
bccbf4f300c9f90d25b88a26fd62e535b7e33c02942d255702e59c03c92dead6c03035ea56ce6658ded28c9332ff3241a5c2646ef272b3bf072938028ae77fbe

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
4b7206c59e18b3ad44288410e4fbf30c

SHA1
d3fb273f8e58de386141c2fd649ecfe07a912c02

SHA256
1d854de85592c33faaac9f1b950b1dca43b749c53fb7a07e62de7792386c6518

SHA512
0c098a61fc9ab6b4243b78856d9410adf1922f7e4cccd6c0e3841e1a471ae534acf89d907b912d6a7c07a177fd33f0a2cbe683f4666700cc2d1100ceb318a799

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
543e9370fb8e729334c6ca59a53b68ed

SHA1
ce0cdf783ffedbf2d6466cef8817e1db74046273

SHA256
1b769a897c7d95494dd412d3bb59e9b02d32bd80a8e1e8b89d427a13c9d792fb

SHA512
99dc4badf3b3965dd702aaef063fabc39530ea4b30b8922ace9ee24bf507d39b3885b1e60e7051b0087eb333baf7992e69b14d70ea1a030843c6772f6e5e15f5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9880dee1eee94b8d8b33bb8e9a633ee8

SHA1
d09c64e0fed688210d9c8bd283940f25f6759687

SHA256
1f9de369caa51deecf743f9c4497bea8779ac5c6cd268b5b0533bb6b975ed489

SHA512
58def892c9775dbc7b2d7abeed4995609f7bb1f74c314f7eadb3a911be2b75e8edaa59b84bb1f77257102252b78e5fc7bf707902003a775a9252245ef4180a74

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
98476e5be4e8b3562d288db150b39fda

SHA1
f2e8881f3ef72b7390bd379ac27c730d40edf0ab

SHA256
4df4aec1088fe1365f074b55285058f773d6e51141c6d2215100745197714821

SHA512
a4b9a08537f35acb7f1c1d88b7e1e407aad1e1c1e7306427f8da742bfca24c5b8b6371bca42c40e2686ac2b69a8b4259ee0168f891b6dd03842ad0426dafdd49

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4eb70442409ed799e3e65e57813fd08d

SHA1
a6523832e475a22ba66fc72b0dbeb6a01e1cfb68

SHA256
7aae28e72c47400978057eb2ec610cb6f0971557fd1a5e8a19c8ad27a0928889

SHA512
7b4fbca219f76315afc519eab9f41ce932289546356e05df7516c336e26339ffca3ff3d9c33615b882bd34cb614ed499b5e67a63697d781db7401330ed72e4c5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5e39cee9805fdcc6205c3c28edfcde59

SHA1
96a91c17c3f4313306c5232beafa9c04d8964ad7

SHA256
01f6b40401189adaa32ac0b8dd2f4a8311a677284a657cbe58e30f4b9cb89c6d

SHA512
cb8b1847d66f774b15c255d0df0771dd1e1968820828f515e412a4d7b3d4f364c0611a2f2e9c7344c3e6dcb433c443cabbf39e506e150f52f3df4744c56a1c67

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2703703e18e61d791d3a3909fb0d3998

SHA1
2b0e36d0757d45a066c96eab432ae835b1defe1c

SHA256
57b10c2aa45250883caaca47adba8f74c0a96148275bad55bd5362cb5bdd003a

SHA512
16a7847e9d507c1b667cb7ba8d22c4e2c31aa25ec6e2abfac9df91b3df1e87858b2fd260360b5a3ca6d3cdedcba22e9957565c1be264789ee1cc558344ad09bd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7faa24f9d3950aebee4240d457f63455

SHA1
610ec6d8695c8845638ea47872b31386f3c5b214

SHA256
c141b3b799bf1c3f5f906517f77aaaeffc0acb0f4d20baf22c7acbcc59f7198a

SHA512
f8e7b8fe1e7b76eae931f391ff5816562ac335b5f4d165e7c5abf9e5d196840c5b0273e122a74d83fda33490de5616ac37a34fa3c2e5867156c0a58873dbf726

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
423f6a48ad8a27e48073ed46701aadbb

SHA1
b9f2995047007b4a5d25746c518a90ab1d3e8991

SHA256
823a7452aeb0402f3a1b9faa51fb09720bfd19243cd204cfee65534c0a0783f5

SHA512
e1d708e824a99c6bfbbf53cd395a4839b5ed24384d2813cbf6a732cce03efed8dce593b5667a785bf6cb8c65858fb3cb53a5584dc7f3d6347527a9737bcca7d9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4c8111a33b4f2b29208269162c03f92c

SHA1
a1053d871f535675e5cfe4c263f420264a9433f5

SHA256
33e67f2bbdf8cc3b9d207cdb78770998d4ac47c65c7918cc30c04561a2f6d93f

SHA512
9b50776b2bd2291f59aa59453ff59dbbeb1f1ed5f5b118eebc959a4da13308c7997cb8722f5901719aded284c4ef95f5bd81e6456a91f8075c207d123ccbb90a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
4b7f150ec340220fd8deb9612e3c9bc8

SHA1
c76232e0481187b88de37ff50bc6c507e64cdadb

SHA256
41b8a084a86ae4514516bc76070c9c1014c9d090227710b59c04e5b2dfc3baeb

SHA512
d027e929f1ed474490e99ba21898949137e7d8914952130d1b9467ab5863ca19ac6827e1b7a0a366b760b11565a6f95831d709f0a6544553fcb2ebd5d226a2be

Download Submit
memory/440-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/440-440-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1016-108-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/1016-164-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1016-103-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/1016-102-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2212-173-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2212-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2212-435-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2588-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2588-437-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2704-74-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2704-151-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2824-9-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2824-8-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2824-0-0x00000000020E0000-0x0000000002140000-memory.dmp

Filesize
384KB

Download
memory/2824-90-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2836-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2836-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3252-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3588-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3588-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3588-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3588-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3652-115-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3652-17-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3740-145-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3740-434-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3776-122-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3776-346-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3804-71-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3804-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3804-63-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3804-57-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3804-69-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4028-417-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4028-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4240-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4240-441-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4248-168-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4248-112-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4276-83-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4276-77-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4276-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4276-156-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4456-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4456-19-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4456-40-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4516-148-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4516-436-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4852-38-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4852-32-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4852-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4852-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4860-97-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4860-98-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4860-91-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4860-160-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5056-170-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5056-442-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5092-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5092-443-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download