04d44ecbb5058c8140ea2848124ff58c87b59b5fb8db3f499aff4e8708a6b173

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 18:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Size

4.1MB
MD5

079b13afe20c3a13d9e5eadef530cafd
SHA1

1672454b42cda46ec28b7d6aece40ec4a2ffe951
SHA256

04d44ecbb5058c8140ea2848124ff58c87b59b5fb8db3f499aff4e8708a6b173
SHA512

7fba50a1b1cf3042e203236ec0b096dea85bd657ed7a2d41e8d349791af390ac02a38717e88c15b2985d36bd874736ddaba951f2d804aec262cd2b03461fd99e
SSDEEP

49152:cWRqwwZBbklQCzHswt3Eo0Gl6zanvVD9ctavPDetDsDmg27RnWGj:w/DQHphEo0MG/ID527BWG

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1124	alg.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
4984	fxssvc.exe
1860	elevation_service.exe
3440	elevation_service.exe
3948	maintenanceservice.exe
5112	msdtc.exe
5084	OSE.EXE
2156	PerceptionSimulationService.exe
4232	perfhost.exe
2564	locator.exe
1276	SensorDataService.exe
464	snmptrap.exe
1600	spectrum.exe
4284	ssh-agent.exe
4044	TieringEngineService.exe
4100	AgentService.exe
3672	vds.exe
3668	vssvc.exe
2176	wbengine.exe
524	WmiApSrv.exe
4872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a5095ad7d1b02b8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cd31a095301db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004d058095301db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6456e095301db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000856d56095301db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002975610a5301db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000486c75095301db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000890c35095301db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4244	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	4984	fxssvc.exe
Token: SeRestorePrivilege	4044	TieringEngineService.exe
Token: SeManageVolumePrivilege	4044	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4100	AgentService.exe
Token: SeBackupPrivilege	3668	vssvc.exe
Token: SeRestorePrivilege	3668	vssvc.exe
Token: SeAuditPrivilege	3668	vssvc.exe
Token: SeBackupPrivilege	2176	wbengine.exe
Token: SeRestorePrivilege	2176	wbengine.exe
Token: SeSecurityPrivilege	2176	wbengine.exe
Token: 33	4872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeDebugPrivilege	3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3200	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3200	4244	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe	84
PID 4244 wrote to memory of 3200	4244	2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe	84
PID 4872 wrote to memory of 3076	4872	SearchIndexer.exe	113
PID 4872 wrote to memory of 3076	4872	SearchIndexer.exe	113
PID 4872 wrote to memory of 4972	4872	SearchIndexer.exe	114
PID 4872 wrote to memory of 4972	4872	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-09-07_079b13afe20c3a13d9e5eadef530cafd_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=128.1.69.162 --initial-client-data=0x2cc,0x2d0,0x2d4,0x2a0,0x2d8,0x14032aef0,0x14032aefc,0x14032af08
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3200

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4892

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3948

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:524

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3f8fbabf8d3167668bfd30863407ae2b

SHA1
a139eca94322e3022ebb3cedf2ee3dd36210c64e

SHA256
0adab1505c7396e96a216800446ad7f8ca78b020a43a45b9807f6dab9e23a8c9

SHA512
a6b7e34f8801f240901e323277a0c12ae102634634ffa5125803791b904ca69b8613e91b2dc54761904cfb70a038d5356717fd77b1f0eb3b154fce766f5d9747

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
779a52f20ce0094148a12dcdc3ad035d

SHA1
fb725eb506411ff57065e743aca6fb608242f0bc

SHA256
86b74b844c5d5a8eedcc69537c58f4d16c3f0a211e4353573e8b92d725b48c57

SHA512
54d1e25d60fbcf63217af2aa0e5a7a5f103279f68295ee0307b56a30d12b3c7eb07ecb4fe1de04d5b114d21307b8be8fb45a2e143fb915a08b7c857a78917c73

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d5e34683f86a7ba49a52ac55db1beb66

SHA1
fbc95401c59e73d9109ac96c01011eea81b80241

SHA256
ba73eedf6b02d1470983cbb0ec2e2a831fa6ca2f3038755e92dbd5db445194db

SHA512
b6cef09990af14f7da8de0389d918e96d36fdb8c1b128f54c265b9ccab4ed87d6867c5dd5fbf31773eb36709eb63ed349bf1e36785eea79b4ed9fa2ddc65daaa

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
383d9fc60852b24fc8601b343713a800

SHA1
0d5eff5f1636fdf22a00b22a24a374e4f5a520a1

SHA256
57a593f9dca4cd5db0a5cc7c187d240230d490b2b9e210d334ac8b568c452817

SHA512
94477d423a307b04a81e29a22da852f29fbd0712d9d0827f5227d8085a920d003d629cc1c8060d804fd7008a81b13ce78e93feb3389156da86f08003bb8b3e2b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
330b8828e108568bd1d9837fcf6f31e2

SHA1
aaa4f7fb3b5729ad89d98cc2f4ccb5bdd1e3c85d

SHA256
67588e0291650b43459db0506af2bfd98fea6bac949a72f582c6012dd6d52e19

SHA512
248a206b78d868a7bf39dec9556eaa25a60f009b4f15e415904efba5e699b9c7f37324e2674886040f4a88a79f268cfc0886ef0f71b0cb27610aed3bf85defd9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b1c0e5129ee9ced8a961e6a0f7d4df82

SHA1
654c222a6b867afa7ee5c20724c9067eb3461e3c

SHA256
411fdb0445b73e7ff1fe4f8e2159c78fa109293cee6aeefaeb2af881d2e57d04

SHA512
6fb3674133dce7b10dc0ceb62ae0afac212cb9d2385e63baedf4a9339c04586bc1b55032b1ac59e852526419f9401cc659eab048a026df266a5d89a86b45bb83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
30825aaf1bcef3bfa851cf3e9ef332dd

SHA1
29f85f883f26bbede2bf634ef18e41e07427dca6

SHA256
02810d88d41d72a24f02ef4a4910885fe8fc5b087d0f74ce5fa59df287f1ea84

SHA512
0381b9e8465a794ab7134a83cef158f705559e163ee8b42e5e447ccfddbf5692942e81f0fa77e3ff62a114b90706dcbc2dc3b3a584e7aa89a34eeb51a02c224e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cc3150fdb981159a11f3910d574b2d18

SHA1
9f524cf4d5373c83543e673c090c10dab619da37

SHA256
996be318d67e2352ca03da24be16eda0a51ab7c855a88bfeb627851cd5bb6b79

SHA512
df06451e3ca408000f85e2dc25b1ac4384f302bde39c8b478a3a3bca9cebc97b4c8fb58c90e642753a971c941f45853741a79d2175e40d744e14ad277ff2bc2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
150e1e3206d5d355759f41a8413682f4

SHA1
b17837503dc6692c0de857db28baf99ca943f8ff

SHA256
e5fad47cb520993c9daed50a62431989ac322ae59b24f1608dc9c62c0887d369

SHA512
c36a96dd2b51ca5625995c7bb69bebf96c0d82ebafbfb34d8893ee458fe7f5f8144a31c1c4671d48b181ab1cadde670f4a96aca424e590c425302271e46f6816

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
822013b3920ba5cc48211e880f122682

SHA1
86282fcd7efccc2ef650043c48e6058fa017f70d

SHA256
5e29451ce1191ce891b05f7d8aebe455fe55c88e42d9f8a492f9fbbdb8ff506b

SHA512
ea36ee975c9ac4c5f7a9e3d43c4c95500b7b1c53af9d30301458c466432e0d3e6604d0a17d5eb6a24c9a80a24436ebb910fec2c5b9ee3fa42f67920c8abbba58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c11baa16baf18719c1b34bfef2af61c1

SHA1
b0834ffc6b641aba4884eb73ff155fe935145c2e

SHA256
e0848c5f4b48a10d5f1ca8416a2aac9bda9080abcc075e8fcbc80b1322b0c3a9

SHA512
bb3697ca09daf27eca766f7286e286a79496ecf032598e68f7540bcd7f6650a313d7dc19c9223ebd4065b9d5264c0f6ed7e7f7e62e486bcad654f60e64caf973

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9f1e52e031b93e6f06d90cf89d206650

SHA1
f5af6a2ab8c120c9f84d889801e6a51ac8c0bc1a

SHA256
c8218ca4eb4655ffa9555a5a4b4fced9b01898c98139685815f8a7faaa2cae1d

SHA512
18edc9616ad9b9396060bfccd918015a73cb348fc522102ebdd9fb53302256d0cb89dcf8553b73cc75ba0a7ebb57d4d0bb2ec46f454cf7f0b255fa5ba4887355

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
45a9e9a354dd6e620d27318ec768208d

SHA1
b7a07149c784f74982d54cb52e17bb6a24a78b73

SHA256
4517c49273b19277b03d751130135ea634171645f76d2aaf5bfc2c1a957b0165

SHA512
2a7cbeca88588b786de706815f5bd65eca1a4088a69aae0de66121c6dc4ea097dbc443b41aa33c782f8e109afbce8b7cd7a3321984e7ceb82aea8637ffeb64c0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3705bc4964b53857ae95f89523a0e7af

SHA1
c9f3e2d11355ac9b1ca04b74bb3b19a33375d50e

SHA256
9276eef6f4b5fe7fffc88a98b2bec7167afaf3c506e9356df5412f49fcabf86c

SHA512
06d280f420aefe34b764ae822b474c7806560504dc231c184f27a16b3564cda054797546be68a2a85df4f78a50e0644a46950bcb43beafcb3307b1a1cff22022

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e274bd14e52a6ec0d81b8dc7bb644fba

SHA1
e1acc10c108c38cbe70ee626cbf3f51e74f1abd2

SHA256
a0f68ea31d8d9b0e3ba0b79750ca75f89dc1603f871f0f6229955b24a4faea0f

SHA512
22021ecb239b2e1a531249b5f99c296ae604d9284f2341b97b9fac5af50dc72ecf5b828b40cd287a33aaa96e24b7f16c984e15923fa8b8d23ca6a89c2cfb96e8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c77149ee65ce390ba4f30d5b6aca21cf

SHA1
7b71b771f567c6945d1c5961f9e545c975518571

SHA256
bf67c677fdf5f52f00da53b3de560cca43e5e107739040629e775085cef224c6

SHA512
02a2c0588971fcae6a997f8be882362e8c14826ad552b059aedb22f2fb3c9ededcecd9b56f5dc6749613fa9527737790faf9c871d2ab755a97448c646ca7ce5f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
89e4898a0eed65266ae84841af4e1b63

SHA1
30da240050d86be910821cb1dab77a42f4725f42

SHA256
9aa1ba42acdd78c35e010bda1757141f46a142b39e17d980fad9f0829ec1e39d

SHA512
6ef1a080bade4b7a8d5d3b33a075a2bb8e08a8b5333217b48d3be758302da428bd61e396e3a9407367d33678006bed9ce9841943fee658420769b8003e844a08

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3fcc15f473e3a3d049f8fa7aa74ebccc

SHA1
cc21faa903e421f191c54a2524526b24dfce5620

SHA256
ea7567c36dac79b28ff806ee80ed7f5e6f665fd55f7ac6c8181252677807b7c3

SHA512
6306e5253ea1b9314fd915cedc5390bc9838a7e1776774fb23cd844905a586ee3dd8398acbfe602a10e227fc710df193b9629aecd169e2157f2ad3615581561a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
3f25d13f06437dd72b21fb8dc527ee12

SHA1
92039df3c1656800d2c0eff0cc2c4804763eb55b

SHA256
8613a6a2f946a0dfe6b730126541dbd59dc37f3a92cd4e7bb5a395650e76bf06

SHA512
0469734c1d2ac6edb6ed69a5ad08a0e45228e8094f6542ff292dc1b42b43422419636b5326c896a00b3435ba760ca4e41b38e39b9345ec3634591815dd5ea3fc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f51d6a58b883ae698dd100dadcacc048

SHA1
114f6a653d9644cc1e61fe8f481a0cf39e8b76fe

SHA256
685849bfd77bfbe725c7070349c862f1759cf298e9e363336866c3f2cffc6975

SHA512
0795e4bed1c5e8edeacbf9aaaebc14ddb58f6e701d3d10e32db1d1e7007bbd091875c53253e45ad2c3ba17a4972eeb78f62411021a95f98c02b305eb11dbb656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
4a5479bab0cc54b114edbe0419d393da

SHA1
29f8d9ab3fe7f5d9db7d789dd36c44a9813b3cde

SHA256
42d0af3604a8d1186ad2b4b6fed20bfcd991f9ba0f9b00262cd94f6ef3071e86

SHA512
7d9b66c1ed749870165d1619fede5307ceeeb393acdd3358a27af800530784941aebb7ac3506815ac8c900902dc67dea7a516a98fadd8580ebcad7e8c9386107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9fcdb574e222415d2cb3554586f9489d

SHA1
868efda02d6f85504e5aa3c5c510c0f428bf6832

SHA256
e2099da2ec35f75954bed116bf6c72634fd5312cfc71fdc052946b7844c8786c

SHA512
6bd7b3d71b44a9cabc370fd29b750b30a71fc5c9252cc6344daa6f97ab670bfba7d260952d1eac764dafe7421f01d2d8fdfbad14f5f5f89b9fffcab9b3f544e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5249af3301cbf6e895fc4cf468d052dc

SHA1
440f5663a0f9bd6052e2c9e1e98fd6b03b7e0913

SHA256
76d3e9f8e5fc53b9d32b8f30fe657b8bd6b80c5940e204a3cfd23d857c4c16fc

SHA512
16261afbad1f37a8dd832f20bb68faf1e9de89bd3d4678674a2ed0ca4da1bf20ffa5eb6336313d476d767e94686b010c79483b6845c1ea1adef47d41093e0038

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c668ded7e25af0bbed1e922f5a968cb2

SHA1
1ea5dd88c72215c2ab9a8f2f28a4895c96ec7e2d

SHA256
7faf6ff354976d9dccff00025b654c15d820fb2118459f1a41aecfd7356b79a2

SHA512
ce18eccbfb559fbe927ee4c924daf46b79ed8398c8313d4aac443dfffe9bb73490ddf3b41092c28a9bce152444978ea27208296b094773f639dda0f0b2ec3d35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7a9892012fdfabfc09a3033874298b2e

SHA1
d639ce72bff8dd5af39c6d6e42fe08725668aaa4

SHA256
7d47a6c981691caed17c00214e4567d5f12e5b1c2e64c9a7db77a13b99f519dd

SHA512
38d827af3bbc8fdc4492732c455c86b0201b97611a4a439b21c1dc7247dfaa745109c4d1ff23d8ba6854bccdb2b3f314d91a9e7df46391691f0903c06c6222df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e6de0434537944f263310f12c67ed641

SHA1
8acdb09e0a6f368b47c654b7d8448b0443f4c305

SHA256
91b97aabf4d197f89825f33dbbd5823f50f8d26d54db78af434ac228c66f872f

SHA512
a5b71c9bf6602111b591744d53a58cd9ac1c03b06846ebdb84cf09d266e3885c93e435333e835c21fbe4b4e0d05017a1832f20d44a8c72fc94d138fb249992bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4661a52973114b93a460b999f4191055

SHA1
0073eaf21cb774e9e7c619084dda7b06614a8a49

SHA256
da79d0c19eda7e03b189206c69477d3de95b58c77cb83ec09b12b387d7cdfd03

SHA512
27d9f561f0fb695418e22c63ec78d4f2706bdb4b4d86f3373ed19eb942882ebd60c2e646a4c1d63516cb79b7217c2fcfc3d5b0663e306fdf47e8ba29fbb9a56c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7c25171a2c8d21d1e97757b9d3a2fdce

SHA1
a4308d899468b2353f87e159658464b470320828

SHA256
8d9545e63990fdb1c5892e3074f147464f373706220810c5d2d2676afad5a740

SHA512
fbfd7ca88b326101a737b7813ff209cf0b8ac0e48a8640dbdfd4a7489f28ed7d5018ba87795d27eebf596ba4a5a6d2d3143cd0fe102fecd28ffec3a07a469fd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f0fd7b15821eacf6591f7ff74c5b2cf8

SHA1
00cebc642bb23b129bd7824502380d5a7f12795d

SHA256
70d957b523089fd4f200f65c580850065b08d52de4c707c45ba80680b6fc4c5c

SHA512
64c7344146150eaadcea1d1c95823b455669539980c06796d1680842c7cdea3f4c9ee370dffdd2ef03c99f5ffe0668233ec583ed29e194719b7a107c2c9d529a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
47e2db657cc5c407c3793b0bf5b3ce33

SHA1
9709de404683dff7193bfa9ddbe74ed22049e510

SHA256
7d609e1d906c6789f50ea8816a3394845fbea148d6cd0371aaecefe4cbf0618b

SHA512
0efe0d403b8175920dffcb9329aff549f6b48e2ebfb178e0c24313c05c4ed3f01e652c8027b9dc30b12b37b29118f126d859a3fbf23cdc0cd420c233537f7f8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
da16449f690403a90207aacea9f1dbce

SHA1
71c580c7c694adb49c472b5bebb7eae7bc7f1bc7

SHA256
722d87cf1dc8bcbfff25cc593311019e258e38e1a9b886cdb61caeca091a1399

SHA512
fa5e7c1e819b754d46c188f20b9f5d50fa0af21de6b56274d3267aadad0401b4a60c57ecbab4db0db519421310c70084be81251dd6f918c9441f421528c462de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
069c041efec7584864668e1e4d65dede

SHA1
5fa864b7d435308c58c1a38d27f51b3c9e9d07c3

SHA256
1cb432163bd246fa985d1fd73371bf36835ce815ef1435ee249d8bfdb32a53f5

SHA512
4759a78072118859fa50e9c9b214772606cf088897e454faa774443e10dd839e41e099317e056e497234dc1aa7062740fe2c27ec83d9f2637e845c6560ee7a08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2d767175d6a8816edb0c757f4f3af90a

SHA1
5c313c88cd83c6113a4e418909545bc000c5162a

SHA256
c3109d0b527da12689cbfa42c113e4b35839dad34e61efded9294aae787b8922

SHA512
75b8ba3038701f389f52aefe0da2204e5c6d14b3b610a627dd067f1228154b7866a0e6854860e778f12ceb3c5285cd7b9f36243156829aaee3710e0baa997b8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e320de70f7b647068b79a21a6e467809

SHA1
ab603406b6eacc7cc7afc2a4be1041b6b60c258c

SHA256
0d600f512a22481a3f341c313b66597b3fa0674ec31c4b68697b834648c06a50

SHA512
10dd58ebd4faf39303dd158a20ee8e0aaade6cbc88253d66acfeece7106d15591b55b9b2a8e2f68c334f76e8992adcae7167387050ea070ca796b0b82d20c99c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f9ab15a8dbfa40962e3d54aadd616cb9

SHA1
3243b7c304d5cd86de442e0072feee48118f9ec7

SHA256
ce9d939d17c0099625fa2d034ce8ace344dc13395fc5349e79932de093fe1df7

SHA512
4e4e991ccf3139d39eafd25dd70e10b5956117caa0d3935f1ac07e3b121f9058bd9a71ac3d9883e3d73c8d0897433404e5f01525fdefd0758cab8bff9ac2965f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6cde20ae7bb5c6e1e0dbd5aeab0d5f25

SHA1
bd87b719d05c880628a953b48b4d556bc8a9be55

SHA256
1766e07b9674e05b2fd7d5c6007801dffab435f9764cf3d37c52eccbb8406e8b

SHA512
7341aeaebb284199565bc9394cffa3cf0f5c8b32fd7743546f8c4d9b1ad95a273020f378aa5ea87345719014c751d1543ac26fe854fbd711751d08bd24426b0e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
11a96a91b80b71ffeb95dfedfc5effd9

SHA1
6c4ec82f1c11266f784b74e606cfdf155a6f9961

SHA256
c445ce0febed9e98d25c03699cc84163dc2d84b49a65e80fcf9141316a6f17e8

SHA512
d97aac7698bef90b9271725437012ea56a3a49b34ad4a17745bab76b5f2d77605071b09f4722062c9eeeb8a7e9cc2955801cb9f4af499e2b17bca3c76786f115

Download Submit
C:\Users\Admin\AppData\Roaming\a5095ad7d1b02b8.bin

Filesize
12KB

MD5
138c500489e5fa240db868c86261a204

SHA1
ece07e481409de8fbeb80e3623d25faf2964961a

SHA256
0ca467515ada646be5298ea3ad86dd662e59e168eac989fa3da5177c76aacb2f

SHA512
3c979f354404bac70dc2b86d0971b10e46161191b78ec35165eb5e0e355874b4e48027ff18a50543d3420404019598aa5960cc21b319a00840659b89c20b1e3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ad5f20c038462e74c3ec5375a3738c70

SHA1
34a2eb56ae4b084ce9383521aabae2ef782940fe

SHA256
cec4ef5b69f3f1c340e0cbef5567ada8dfbc064c4d46c08f30d7b6b982da02dc

SHA512
4b4a7986bc474deb8846b0083df3bc8317aa62112b634e9129590ec973d26a7b44fa7b83ac8e9c11b8ec77b3e94ff8894690169c1d9200441d19c062a2547dfd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
42bb4ee0608139108a87314d3339f5dc

SHA1
5744d2eb3cba06f5483d437ad3f7a4ef880b0074

SHA256
1ddb5d6380776706bd752a7291e6a5232ff56c4bea65a0cf2eaf299171e9905f

SHA512
e1d0fd99f88c7b2beeac827f10fb9805cfcb11f7a4e929e16f275cbfe8b652de4768f3a84f4c295083cbae045c0c3f6f534482a79c5cf1ccff35d6fc8da34bcf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e0e2d2ecd24e928b379b0701308c995a

SHA1
a7700f42c86138af7d32379f3638c4382196e74a

SHA256
6b14530ba2a7ac987f3b8bca85ce832eea8c8798f8cef91cd578b285dd51d5c1

SHA512
f3cee6a35bf3d790003ddb0625e7aaee2caf66fad89d5bbb3fb6ec601bd84930d4bcbcb419a91b0c7bdb4ba98b4399b4fc2cd19e4795feedaaf6718368630d2f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ffb593b88ee03e6060c347fb78a876bf

SHA1
2db1198a9993fa744844f4bac0f01b444ecf6135

SHA256
115b898e25a3e20002157c775935779af7d8674f7e6bc57739db4518a96ac001

SHA512
5c50ab795e1587a0bc4701d38e4e85966c7bb53f6bd01ae131158445c6cf9e848543ec73775aef68283d30ffa1a878656373f948b1027121a08b8112237b49a1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
56c7173e359226dd3060197198385ac6

SHA1
4fa888d8f4c133c01d8f89e756a5b710fd8bbf81

SHA256
1e85be66063c3fa3903da1ee4e9d7e225ebedada871f52502a7853c790f0670a

SHA512
194ea09a43fa75c342ac61ebf00b2745d72a9da5199de9b6c92f32cdd9d11710963105c3069ac63de85851ca0dc9242ba39ee5323ea35a921f11caa76fadeaa3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6a3827ddb35bf814f37e3d7f51168f1a

SHA1
cc414ae209a66b918a5295d3fa8fcd25f09859bb

SHA256
ea3f637f4eb207fdaa59cbd9d04c7b037578b191f207c74eb79834cec4cfc07b

SHA512
c676d75e4dded9acaaec61b17438a9bdc7e3cb0238e6d4996699dbaa0d2bbe6d01a5753911949483c82a45adbf537226d278e35256471a6e31ffd62f1f1639f9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e866fcf32c0cfed90a1d8fd7d780cc9a

SHA1
8d61a9f22e7bd19348b1bac843f8410296d685c2

SHA256
9d6622eaaeffe74af14734cc6e79ce4ae607ac5e190eebda5b02d508797d0d0f

SHA512
05e5c700f560e8e9ff207e7c5d39797a71b44d1a00eb91769923558dfe28c5fb0bf5a2ca250f3b4e8fce65224b63db90fee8b430f5b8be3b1dfed4f5d47c64b7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bdd11b7b64b9312fd3d556847a4c7080

SHA1
df62bffd55feca7f5cd6b209fdb1ea7ab95f0efa

SHA256
157c7cfe9b9015a41dca332aca7d136184f18cd6fcb069fe1b428a3c497d69a2

SHA512
b226a73096300bb85341e02c072876b62d7d09b5677107719cbeb1f3d2bf41f01c24d3260866b64d81a0ad23ac8dcd4b579d1b725f5535048dc05ceb0e8451ff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
545b29a772e43914dd5c3e8cb538c786

SHA1
1c963133af346e23aed7b33a7e641f77be6e15bd

SHA256
0f6370d76b78421e02ae2385f30169978640421f7ff6db107e8fe4f734b3f067

SHA512
9548f62476a5f7edee5b868141c08569a6e1eccc04c8c39ae6469326c5336bb49587e50e66f3535e71c551b6ac41b2d8c6cf75c7914e6e5071e1aa25e5a0cf05

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2fd31d6113128338eb3b35b6be93510d

SHA1
1dc86506f5422cbbd141b8f096f007527aa98d11

SHA256
56aff17ce6140485b1ca027e8b463aa1da15fc32e2aa2b0ccc630cb1e129dffe

SHA512
64c9f4d2027bef545e8f9de101a6224b5ef8040f2edb4f890631ef6bf9292fa55a959df4ff01ac2f291c6e1a0d30c18ad8b3f458022cf6a10fa64602ee0811ae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
da5ce8aaf5b91413dd2fda7c600d9803

SHA1
278551a475231b8d762da6cec30b00c70a3bc0e1

SHA256
be6528ca586e2073cd6de559b86ed010109edf4ad8d5cc5001bda1ebacef4790

SHA512
ee225fe4da48841cf1071472690dcd29d93e7f46b713cbc502c6c12e85820c7aefa7c377fa33922f731bea9690add64d93ecf3ddab98df9075ff13777ea7c0b3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
903d1185d70a0995b6902e28e0734652

SHA1
c219114ffa955c8243c8e61f78c44f7b8c7bc9b3

SHA256
6833c54e99576ef9a4aee7be6edff74d4ad04022644a36cb36d6aa29ba927f09

SHA512
e65041b2292f9c227d76e649c0396c2531be2e741d0dbac43ed57e32df14ed1a13f548c1be7cf36ad2bcde98d44f095955e7f0af07de0a28ef80eaa16ce6e92e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
79b6a7f121596a520c52eb370348b559

SHA1
216e5805c4efc22269e8ae65528563eb7b264f94

SHA256
1faebdc4eae1bb01d74909240d4091c3a8e334086d8aba3efda8384604130e22

SHA512
6e8a45f935959741c3907aaf0ac53da83f87a0d5ca0306fab065a4b829446e2da91737e2e9506b327c6c901e45c6d17c9846301461229a01b30a7bf2e0ae8300

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cad0547c7cbeb83b0f7517fa41ee1ce1

SHA1
488587b3401ee30e5dacd41ecf57c938bf7fa3bb

SHA256
0490c1a2f4ff9c8e30467b02f67c6d6ddb57a725b163d3807c2608512f8bfb55

SHA512
82c94b37ecfde63c5c23f28f339edf65c3218b73ac68b796b8458ddf58a0551dbf2d9b49aa6743580ae90407ec3a90e5b002eccc051848f3328cc04daad49d9e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fe9c7787b284faa9db5860bcd337b339

SHA1
497a538639fe5838b25e276e3c59cace47da7982

SHA256
3748427a3cf68ba19ddd8e6af659d9249d2303f553788b5344e973742dd2b13d

SHA512
d88699f102700316120bfa324c84b0b4086940e2184819b87c666b4a814bef42bbf112f393e90b091d84402812c4fa046a7fc511f827fc8f40d771d969d0e8de

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1ea7c22420c8d13886054d68f5fad6ad

SHA1
8d96750f2b009d9bb40843fd26d7b1b1de8bee7b

SHA256
d30853113a385ecbe58e5789a0b6292152ca1e36739d29b04509938ef7a144fb

SHA512
c3bdd5d1a5d913e4bf863efe3d671a531bdafad58c10133b46102313af569ddb83db01b1a09664b9ade9142ba8a2c8e5ad8dcefd03b46e78090d1afc353e8251

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fb8644a93f743a136ad84d9c6796ba18

SHA1
9fad3b7c48f80db4ed53d1ee384abbf984aee82f

SHA256
b68184b3dfe704dd70a56c0233835ae7f962294bedc359b4212f2e6abd4035f2

SHA512
79db8b89c8d94518485d2720f3beca333035336350fe68093d903cd01efab749e987e3a7e890667d97db81af0110408559224f78fd3fedfb4675892c7555d2be

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b48a63688506f5f2873ca1b756c5e2ff

SHA1
d529299a6465805272d2ca7f194fb8d352658a0b

SHA256
859a877a43f7884e7e444c51eeda77df197af37968f1063760899cd1b8b6b78b

SHA512
eed76d504edf5928c9f18a5f4e27d050e5657328d1bbf72400c0a5e0b5c74a05404ab6410e2292b37c3d2403b7734ba1ea082d3bdef09fd045d3068928293f6b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
98f0776f471dcc3e6ce12d467e6b525b

SHA1
0734cc67e6a9b028e8fc7370eba1c3db65ceeb57

SHA256
38a5dce6d7657a1f15f38efa9c2db05feab5fcf5eeb1a2df4379debb7ff68f6a

SHA512
f0e6dede02a72b3372bbe8c64441e508af05aa129d851b64cb17a9f7a77ba61788f8cdc0d0f09463d6b45fffe284ee23931befa77e050d43eb4f15c36c5d649e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
aab4dc7b560974fe593867f995990750

SHA1
ae37c67dcdef211f21ff22a744bc51c63a5d7819

SHA256
6d35fd2c95553f59d9dc727a2733105db9e294c82f36290da059c57e76e77c9d

SHA512
39fd18de06254594573b4d1a7bedb5799efb986429a32be60f35e417d534903dfe0c799e5531e177ed2ffbae662efc10980ef4f4255b6eb7206491000e236a89

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
06c66807a5abcecbbbce6ba1cc202ffa

SHA1
9275a92c5fb67049c09e017b840cc7b423f5781f

SHA256
1643b683e073df8b65d7d0bad44daf6394946f955091bb40380a00cceb7ba716

SHA512
d9844067814715eaf5736d39685cf2c2832f1086c5fca238877ae0e4c1297b798dbcff1e08fdb374b2f416ffd55a47dd0ad584aa6a2514cdb6213960b07f4c29

Download Submit
memory/464-193-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/524-496-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/524-281-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1124-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1124-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1124-25-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1124-199-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1276-192-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1276-494-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1600-194-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-396-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1860-259-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1860-71-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1860-73-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2156-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2176-495-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2176-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2564-191-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3200-189-0x0000000140000000-0x000000014043A000-memory.dmp

Filesize
4.2MB

Download
memory/3200-12-0x0000000140000000-0x000000014043A000-memory.dmp

Filesize
4.2MB

Download
memory/3200-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3200-13-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3440-80-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3440-260-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3440-86-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3440-123-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3664-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3664-51-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3664-230-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3664-45-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3668-256-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3668-491-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3672-490-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3672-245-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3948-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4044-219-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4044-487-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4100-235-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4100-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4232-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4244-40-0x0000000140000000-0x000000014043A000-memory.dmp

Filesize
4.2MB

Download
memory/4244-9-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4244-8-0x0000000140000000-0x000000014043A000-memory.dmp

Filesize
4.2MB

Download
memory/4244-0-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4284-482-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4284-200-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4872-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4872-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4984-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4984-62-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4984-75-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4984-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4984-56-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5084-125-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5084-280-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-126-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download