8a670edf0683274ce307c471d6374531b6d4a8f1b269ef3ffff65e4d39201fd7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Size

2.8MB
MD5

4227e618d4466eb8956dd91fb8798029
SHA1

c1235f39fddefde68cd9ca1191419849f0d5a886
SHA256

8a670edf0683274ce307c471d6374531b6d4a8f1b269ef3ffff65e4d39201fd7
SHA512

bead4f1b7fa64d6befa03511d63a2de6b157470ba1bae8ef5c4bb8fabb8cb4b4fa47ad066fb9baf9fe1a2f2b5a6fb6aae8807c40990fac5540e381e2f1165c00
SSDEEP

49152:ytbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wTmDmg27RnWGj:skPbiHW6ZVD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3044	alg.exe
4516	DiagnosticsHub.StandardCollector.Service.exe
5048	fxssvc.exe
4148	elevation_service.exe
4152	elevation_service.exe
3124	maintenanceservice.exe
1040	msdtc.exe
4860	OSE.EXE
4084	PerceptionSimulationService.exe
2304	perfhost.exe
5004	locator.exe
1812	SensorDataService.exe
3500	snmptrap.exe
1536	spectrum.exe
1044	ssh-agent.exe
3668	TieringEngineService.exe
3960	AgentService.exe
3904	vds.exe
728	vssvc.exe
2544	wbengine.exe
4896	WmiApSrv.exe
4656	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9c31020ebb3a4e59.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_88171\java.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{515BD4E8-9094-4D2D-AB4B-89F5EAA7359C}\chrome_installer.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_88171\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5ac75c65005db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ee78fc65005db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000da16dc75005db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc5521c75005db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ff41ec75005db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3952	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	5048	fxssvc.exe
Token: SeRestorePrivilege	3668	TieringEngineService.exe
Token: SeManageVolumePrivilege	3668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3960	AgentService.exe
Token: SeBackupPrivilege	728	vssvc.exe
Token: SeRestorePrivilege	728	vssvc.exe
Token: SeAuditPrivilege	728	vssvc.exe
Token: SeBackupPrivilege	2544	wbengine.exe
Token: SeRestorePrivilege	2544	wbengine.exe
Token: SeSecurityPrivilege	2544	wbengine.exe
Token: 33	4656	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4656	SearchIndexer.exe
Token: SeDebugPrivilege	4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4984	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	3044	alg.exe
Token: SeDebugPrivilege	3044	alg.exe
Token: SeDebugPrivilege	3044	alg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4984	3952	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe	84
PID 3952 wrote to memory of 4984	3952	2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe	84
PID 4656 wrote to memory of 4164	4656	SearchIndexer.exe	112
PID 4656 wrote to memory of 4164	4656	SearchIndexer.exe	112
PID 4656 wrote to memory of 4512	4656	SearchIndexer.exe	113
PID 4656 wrote to memory of 4512	4656	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-09-12_4227e618d4466eb8956dd91fb8798029_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2316

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1812

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1536

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1652

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4164
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8e8afd193b166bc8db9f060c2e098ff3

SHA1
79937174af42fdb64bd46036472a1a8e3611c712

SHA256
7c74222c013f2c85a41ec33c56af3dcfb5bf9aeca9f7cdeb43866e252ab36c91

SHA512
4c17aa5a05c853bcfab043473546ce2ca68dab7e3fa2839c42378f8562596dbdfa5a5df659d105aca0c8b4b757529f10eba20c841b365ff8b77e7b6b3eb73f97

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
a856ca244bf922a0f5722cffa102c69a

SHA1
f734fa51cde104d4b4d1ff3fd4cd16401b9c4323

SHA256
8285e5685f22f60c62adb33766da2d457d24e4fe9200e3193ae1fc86e2b7f8e9

SHA512
07571a6da3e88ef62cbae9817689d20589ca1da4df66cd8f9c874cabdca248f0e9c10d5c5a57dca0bb999081b32f35c2cd41cf50d6493e2c8ed855162fccd960

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
ca85926498634d4a4e37a92c41a19170

SHA1
949ccff90abfeda705a915c552ce9c02fcfed012

SHA256
263046ea98a3b315c181f145537726df180a545a906c6285c1bf7acb2d2bff29

SHA512
881d1602b7e1bcd3205a2e9680c6e0677d6792ea398ae7e895052e19f076d716b74a921afbc50912c6001aebc41c4d6b9b646a1cfb70d0962a914f2fa6ac65e7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3eba8860f5f3833c01bc034df9b8d6ed

SHA1
90ef9017b40656b5dc65e856f62d098d04e97ea9

SHA256
7633c1ac18e23cde10c848a7a0901d82234a93c304d35893515408838e0bc47f

SHA512
46ec7403f0b6d78c8394c3eed4f6dd9a252f9a2cc9c3275c6fe5ca1f6458ff6f0fc9f345ba07a0e577f51692c490c784a2ff1d5e837a30311d0c7ff9be5f0d5c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
321796dc424007e821f8971ec00e0c59

SHA1
272c9cdcdde7fd7bfaa9d2c3ccf8eea3d5541bdb

SHA256
8948c66406d0b76de1bd4c6fbfb2be8d394c0c7814bd75c99adf8c32928f0845

SHA512
da45f529746d46fd3a9c04b4f0c2e72055dd55439aa488a65a90ef236c963375beb651835883791632ba093f1102f252b9cb445e32759d9f314acc1a700d4abb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
34adf211c6d8a238eb7293e2bb429d58

SHA1
2874f4235d363687f812904cc1e7cdb4f753c93e

SHA256
6753a3e138a3619d514fb8bca945398f71d976aa0079c01e4bdc04ed38b24d89

SHA512
2e4328568f5cccb294af38034d6fcae3c3ae8cc93ebfa44731bcead32643c3d146882ccbdc01cfeb4ce2f4ffd33991d11b794d9d7ef67a134e7f44e46b0d55d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
43910e271574104c8bb8545657a751ce

SHA1
de7de62e7ccfca38b7dd19f1eb065a417ae33641

SHA256
e4c8ae97f507db65236921af628b2ca689d58dafcfb5191a7caae1cfb94fb6d0

SHA512
b879b7f04d3cbfb334c5e761207e67be191eb4e6275386b26121384d4d111b3a260d9e22222d42445f56398c3e5612bcd1b025592d6a820cacb0628578086392

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a732fd17b80e14ded7cfd59d1e84077f

SHA1
44926952b0f2ce92cf5c1e22f4a04c322d2d63bb

SHA256
5a2432ec8c453a342ee317078136bcaa37710576cd1db601fcc01b3574713449

SHA512
0ff5ef03cad69142ddf75bd3e1af84117656d892355af80d39a19538004be34cf52ebefc8c4833c9eee00af5354176cd77fc4ed216eb16481beaee077df80d97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
8274c810dc6d0dea8100e520fc4fcd80

SHA1
1dbbb4f467252bc12600e47e8a4f8cf5af05b6a1

SHA256
219df8af7f60cac68c7ab4f2d7d64ec7486cb20b67c41961423c054e23447edc

SHA512
2b82e3c151a1253f476df4c87544ffb39c70b7b1e88bcd66afd6f42db34af7b6c43e2d43ee121e4967a78b77cb7d3ddf39169471a45899cb9241e28c4e628de4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7d0bd079b9ce42aaf809331f585801aa

SHA1
2e194c3828d62d86500b59aaf2a4f9cf58908e11

SHA256
ff9e3b3bc12f2ea642a29f611fc453106b78c061fb4c4d8a677f1868c2c74234

SHA512
7803a1e329a5d61b2c081125b5cc6267de83bac93b44435c957bd6c6001fbefad86627cba7d23813b0014c56603cdc75be3de833fc69f550faae245c68a4ac80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fdba7de50aa64a95f43d09d3eae3df30

SHA1
acad7a9dbb7ea57156be9fec3a7b33a91f998fa9

SHA256
820f1d63dd13caf52b87445f59b2f7f3a6e32d96c6595ca0734417c8bc66f4ab

SHA512
eff9d0f054ac9126aab065fab1705be58d3986c9874a3530bee9f9215121f6768db798c284a4ad8092a2e6e6ff0d8452c9df931b4f4582003b741cbaa9928c6e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7827367d3a2abf70f51bd51ad1878722

SHA1
7db73314b3a3f3a7a1247924d15de10d8df202f0

SHA256
e707ed72b08002cddd5776144b359b4fc9f29ee4cef74e79fedfc456ffff1687

SHA512
ee196510e9afe951ecb02ba0f52ded2f725f7331b8488840c8d2428c958837b823cad9be660f248106637724cbdb4e72bc1a31e65e9f639ba1a1ba4657606287

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
1c3eb0d1c748e1798994741a8a97fb26

SHA1
e8fee6b232ba1cf360c3a884df25c7e4fee72496

SHA256
97f346110994c122fabde79a5dbcde95bb59b51b90a245679edf0a7eba667c14

SHA512
419a60dd5344d3a4c01ff109d20d3bc06f48d3528331a2d8b069840bedb90416acf84bbaa06bec36d9baa3d7c50e25658489dddaafb4db88d1991e5b491afc1f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
09be437eb39b9a84334a104bac9ab8f9

SHA1
bea611797077377d0c20af84869977ccab85032c

SHA256
2f6bdb9489260b8624ff77d9dcb1b63bd4220de757cbf83a810611632f35e46a

SHA512
f846681f5594851d3bc51685d55a56b8e0b4bb9f5355c98e3da664dc4596b6e0f4d15154718896e987a989a1149c51ca18426424d6eef8e5536ca0f638821756

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ecae00348387941e7e1e31830e68259d

SHA1
715f907c150923d48be1a0d69d05bddfb3ba16e2

SHA256
c949eec39150bdb24878bdb120627566d5341d1187024c6cb499b751de39df68

SHA512
9e8ab6e6f96bb4f2d66d2aa794005e7cc8803f2487c326f73ccc00c4104ae10d462b9d3d563f61a359ef120fdeb1fb3e2b8d3bbe53b2844abd65a72ef5c37018

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
9640466308437b185c8afe84e77f9bff

SHA1
e71cb34b236ab6b98ea6d6853aa09516f0cff327

SHA256
7bd01123eff8cbca557b81af116a56f0c1047f6fb8d2d3d0c4472c2a8e0e36b3

SHA512
f1962c0487302e618c1aaa28d7e3d6a192834558d8d8b9c423e6a3cebdc33080ef3efaa80f356b0c61cc54ac153c424c2a5febe99209b66a7cd3d5298495abe0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9e7bc8a76ebcb8d885c9192e1c4adc91

SHA1
05468b08b0b752c3c55b49c48f25ff0cf2ae07cf

SHA256
e3c28fdb9380c9713025ade1bcada2372c7b08ff4497a094d33127dc671f679e

SHA512
1ccd24ce528423d2b5d99bc5d0c7b28f60fba0d4d042769fc57c0b8a1b9b437e6daf521870404ce96a0ed97997ed7aef73e472c515d1f69158fb6caa2dc77b9c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
45e2e0d585461e5a7434580dcaa84a2e

SHA1
ec60d08bbee60c28f01780d6024b20978d59b239

SHA256
77e0fc9baf7cf39d00eb0fc8a394f2f50058035fb3d0e954ee491c864c08cb9d

SHA512
cbef322041fe4bdbe3f6662b552e5b50a9060f906a18e7c6107d1ae9559e6a2d0a39d35c103fc955b0968ebd4723391479a075b8db2bb75a77bcf692db19e638

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
25ba416ea4a51afde2c90e30af30637a

SHA1
3894b99194b7027251d07661ab4ca93411499053

SHA256
68d6d2a012aefc912c833475ea94c07db1db84d8906481c0b17022621735c599

SHA512
f9d5c13f4e80fd20f1cebb025e403e0793ccd139d00b8812b486a7135f62d5db656775f1a7eabeb6a0bf27eea7069ace0801e3a5317e52fdab3a8b2ff1dc3c64

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3d1ff2d702e59852fadce57a1e41b373

SHA1
2c53abdd4f7e4618bd2493cbb6c7b3d6cec8fa3d

SHA256
897484371929e22b94095ced17b7a807051b9a3cddbe66ef9e61180e124c9a48

SHA512
15b8d20775651e464c71c404fbab5ea4570d5ff313c16612b76611baf91f08626cc2c99ad9e50fa7f5039fa0e8c784d6f1ec2875c8f49174595245c5e7ad5fba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
4b7a43f8a4d071eab941a2347bd09423

SHA1
96b820e836dcf1a4feff3e914de5a2b414262368

SHA256
2a68107a2777dfc72d9d93051fa566f77919098876a5c6f0978810babe5313fd

SHA512
49c3bc4ad0dbb251e920a4087e27134235ab98f4f473a1952f7402fb4a1a8220161b8c4e5e4d97a2f8b4558675d753cb6a3c93338f675d7bf64dd127162dc35a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
4121913b91a2df8633f02a509e0430c5

SHA1
aaa1c7bf9d5f8bcffb64f009050c33324e447d0c

SHA256
f837d3acb8e54549335b0346e0c28e280800e2c7e9d272ebd8d0d7921e9bbcb5

SHA512
23caecdef36051131c4b0ab252c2febed98619d1c45f9999b8122d88214fb791392734f289bec03143e650b4e5d3836675c5522d1b817e835be2a670f300bf4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
4354b0b5f537c5046c13978f83369767

SHA1
f68616cb2e780a29425a0711ba0e368be07f20b5

SHA256
37a99a6dadea2d7d602f59cff5747082144c4fb64a693247b402c75eb60797ab

SHA512
dd14279ac88a4ac219f4664c7ce0947c5ee23553da7871f371d6cdc823df81b0579f4217d3be60fba5d37d70b520ad1603d903cb26876d07341823b27a9d0696

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
87093706b81cc533dc2c7d5d6be0fa27

SHA1
783098cfb32b283cfd6fdc0ae6215a928d5c6f0c

SHA256
81969b248511f4eb276519ea2019e5349391faecbf4e51fd5ab244f821ecc8df

SHA512
b8536342ed094e69d556f47ea789f0bd5c549d6b44f19fd81d713fa642b5d72e706bf5fd1de6acf991129357df6760a498c480325c14c9c35d8475b029901f3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
0e621d7496b76d2511bdc629e1e261ff

SHA1
a2247ea24f7a209d322434ec9f796a106961bf20

SHA256
9aab90b8f76636bd6cb0b0144c30bcc6dd9ab83665eff85f7f3762151c3d3e93

SHA512
8ec3b2a9067ad263edd8145f92c4aadb1ccb520a9738a5b87ca40dc200d1164adc8e6417e16c0cc87dc8fa17409808cc1823d799be4abd6b0d7af4955078a10f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
a135a9a6391455db3a274006c74af5bd

SHA1
0755a9ff7a168a924cfe3502bbed177519c0ac73

SHA256
e8d6e2505ea65c20c7834f1be9300af6c80e2873e2830da1816da5e996bd869c

SHA512
345ca20181a2323d8dec0feaf5e5e5e324a8f956c9682fceff107a806063ed6308282a505a6cc9cb0c2dbcf45603163e3d8e8d138cb21a03c72064a5f90eb411

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
64c1b020f243a450d326b9537ce4cb07

SHA1
33d9d06b181451486bc3f3a451fab941a42602f0

SHA256
51fe903372b2f761a0c774ecb5d7ae51db8374275f9328b4aea6d4817c51ae36

SHA512
3b197b50c5b551ed87d561e0644fa16df05633bd92659dc7a75891bdb13d426ad9bd1626434f39a601db9b23a0108e25339ca7fcd09e9c703d1b4b38ca4f1ab6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
20f69b92c944a15f93132ed83ff44242

SHA1
07cfe5a6852d3fb73684919f0fbfb90182d75b99

SHA256
92e1cd96318039019d8a8b6bd9bea302292e0cdf523157f585452949c6f433b7

SHA512
55810cb133d82dfe47d329bae50d072e18ffbdceb126023445c5e142400078709d5b54ac1d8a4608332a47b2eb4b4d03204db68ce1a4c47efa9998fc8f77da9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
3a999c657e5722600ce7fbf599d7445f

SHA1
292af3d3e507363e16177acb5c717e21ceea974c

SHA256
017b5c8e7f835fb2f90d73bf36d5329f385b96b64eeedafd97410acde08d90e1

SHA512
a45c528ee813ebf30d834f0dc70b242c0fcb1c67410a95f8df16dcbca723745f53de8726ed21e0b63cc5e17ab84e8e1299b4411d8bb6a89f8e5126d66d482ecd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
2869fff8015ab7d4fa4719c292169fab

SHA1
5e8eb6824906288a8272ad6219e638c2db9e9adb

SHA256
4d991a1ea197c1e514b7431e120253e1d3972ca243bc347b67fe57d645a3eb08

SHA512
9ba48344475e22dfc38a764f61267bd2626d8cd2b1cd9800920de04a8ce9668c9f8216890644e5f990fbeefd62aa910c30b8a34e424dc5813cc8627facf1d691

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
edd009c9da6007884959f2679a1d444d

SHA1
60ad0c5096696b2b517c7c47124c74b005ad6829

SHA256
e99877c1108421f401d0e91068c47d8d39b4605b91ab712e79daa7378870f7c6

SHA512
e5b18a07e56311332ce1017909d28b85ffc2e5b20800c0d2385f94331040c527bea51e76ef39c5fc3bb50c470df56bdce93dc5158b944b551bddbeca30c98304

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
09086da2ee5e1efdd2c87629d9cfb5cb

SHA1
4d0551c05ca1e44cac1c2a42ecd27190fc663f23

SHA256
75ff840900402d58f60d3df0d89def33950da28e82236f0c7acfb3525379a82e

SHA512
ffffe22cc276dd7d1722de0483bf2324d5ded17a4e9f15b049bf5be402c97bb6db26dfe86c9aa18eae43b22749102089d83091e0c3adcf02b0def2618e85b153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
4ca93f41bbb9972f3149c25ba34912bd

SHA1
487ec7e4759ebe766657cfca76d630137454e4cb

SHA256
ca7e4f6f6efb08560278077817504315fa69557a3ab774cc5576ef21468b7025

SHA512
1231cf26570aaf9f2a9b0e57725c71197f01fddfb5a7535b6b4fceab8825f23e84bf0e483dcbdea10bedc83cfec57e529fb8b4cbeed04c63be410328dc895f66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
c3fc35eebdfcd43c171746bd1f139884

SHA1
5d966bdc12ce2eb8028ae9bc065fd253ccfda37d

SHA256
aaeb65f1d5c8f476b0144919309c77793ce686c23c75346b5723039a5a83658a

SHA512
f9a4c669e855300bcb119c8d5bf95a2c14e51b59e93ab966bb9ea227ad95df74b26f6f3f12c9eaf56e1a47790f2f413e2f18e554b94d06874ec84a91cdc3c878

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
4bd6e124d5dcdd9c2c116877eabeaf55

SHA1
383da93606316e60744727ca9753c130a51f3751

SHA256
59096e29bebcc87775ccdc9178451369201ad38d452de02c83f284026c0938b8

SHA512
31027676fc5f509335ffc135caf43f0997e8b73ec0554a85934d8a231320f89ebb09a2560f1dd88eb8d4ed1cd002838f0fa7c1bf69db38989dc208ad74be15c3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8a271072824075b873521aa37a9aacc6

SHA1
01cd42d576468f46048f5d8e93ff01a4a90a9daf

SHA256
a21f9f130951e83ad0c37d23a748764fcb70151302d984ad61580ec6b42cf6be

SHA512
965fdd98b6344d7dd78c15bb19b5a8e8ae61f84f823bc26e5f1478062b1971b617cf4036e94163502e5dc334c50146fb3b3c1ebdb8ca96d6ef9924526e256bcd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
0c4cd10ad91a8b2eebee5f096dba4a1d

SHA1
0daaa868c95847bdc8327b9bef15bb5413d53ec6

SHA256
517deeee479ae6e5e1ff293fa2e14b059cc4317b024308cf3af155aa890e6448

SHA512
eecd408b071ea926676ed1d36ea1edb02f469de931d0d17eb3a4fd1a77f9993d4b9f0ae786e7bcac1db9261c5a62bbb8c49c8dacde2e0aa57ee20603eb990b9a

Download Submit
C:\Users\Admin\AppData\Roaming\9c31020ebb3a4e59.bin

Filesize
12KB

MD5
2bff7e755135aff60fdee286294a72c2

SHA1
74634be89ce764e01ef552edbec4dd8896d2e6d3

SHA256
32d8c3f40cf8e2f8fe5051bcfb1bfcd643b73144d3db81141609d67bf4618672

SHA512
144645136e328a7346dde120644fa09edb7f59a40b399b1d44b360f4e1b8bf3b66a21f92f72127c7a6d5cba0e751b3f5a0968f304a3454b0adbe0411cbc5465e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
00faaf6cea167d7b9bbdcef5e965a22f

SHA1
186cce22036042677e3e6471d9790216e8f85658

SHA256
55afaa4a4718b89091077955cb3c59a431b033ca5e27e0993e6973dcc6c96707

SHA512
781802c3100d96a93c224e80a3c5206d32b9725012eaecb19cc1b3cfbcc2b0650c5715cf829a3cc21b81901fff188bd3ee77233c1f8a63c3d225866ed120a222

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
45e9b2ff157bb280ec5d8a67b8cf37a6

SHA1
20923532b7b28e0f4ca9dccd945a896727734037

SHA256
1810e4bde9e368fe860e88bce4797b0414cb0b52bee79e8fbd2024765ffc9ea0

SHA512
5f8077ca37dfa9df428785779e3b9c16aeece3ec0a6c6e3533d5c8308732fb134e0fb3dd9d7c11eedc49df2f6794f3e306a4308f7d93f392faa1cd20e7ef9e0d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
6e60cc007be8b49a6b6c65ba647b6a23

SHA1
32a1c3648a649df1798e098c6ffbbc4149da056d

SHA256
3295a4e94380af62621af53c3bffffe729cc98832cc0c4a2168289e2caa1223f

SHA512
d82255733edfba64f564f0f7f895c05a7c9de415ab66eb0c9ab008af0755bcf4236d85b81de8055d18e4dc438afd8fc55b8386a230a946f2f0e974a5560b3de2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3a51d715812ef0f8c51b43ae86233c4f

SHA1
ed48c69d511c47f272038c58fe28ac98a42d78e0

SHA256
2085808a992fa0fc664d17fded890d8c5b8a432f9c659d279c86ac0d3f8a4b24

SHA512
3998608ee0375025fa8555d6d53c5d821c9d61f263f4e6e1a62d10315c5225627e89332715b1c0499438b02ad05bd5f66948313fd08675573c7bafa9fae14639

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
c919daa88cfd60c54e056f0e0660f87a

SHA1
80eb9ce8f3b9420b9848f27e66e82eddec440423

SHA256
80547d920030028f6dbf0164ae2889faba8307bf0f7e5ebcf75267288d43484f

SHA512
07ba0eba76b7a40b13654977d99a729c39999fe1a2a009a1e614cd1314d1972b08be8bbdc8f4468d4b251ffab2095155c708636a2418fc24c12e08f933a46454

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
f3102c9e536263395506f4cc4b5937a0

SHA1
e87469beaf4c6b6e5f7a69b68f5016996f06cb14

SHA256
d3aa4c68039474d5cae835cec92160c33675b14c5e699c9e91eb2f98f792b11a

SHA512
68592d19fe7595047444506b7c7a51b3cef7a40dcc32310ca0a592c369b37e1dd477d558d79c44722a79d85eb984d02dd928efe4f53c2629930e856d0f94fb84

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
d74f4b4124d6adb3d812bdcc0485d07e

SHA1
28b12403ec2d5fecf634e99359688fc4b6720d12

SHA256
76e978ef4597893493a0494dd0af199e4202fec33e5c36bbb8fd5f94978257f2

SHA512
f3993e3ec1ab151505b15743a4195b39d874b04967c75decbe8d770eba0b455b014366f708a1fb37d1e45ab607875c1209d98b2c5951caabd97b4f58c03fd2d5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4485fc53dad7da2b771435057bbf9ee1

SHA1
5cf69dafcf436a8237dec5ba4004cafe404604fa

SHA256
d993951ae22636e7ad0180391d59c0b5f7e7840171929e5723edbbbfc6fbcf0c

SHA512
cdf32f409859e6212f945aa1c22e9e0f37b88841879a65d8abedcd8193c94aa63d2690d33ef18a58dba2d0bfdd27c92126b306b752ca3594014c07107e6ca75f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
28cc8fe539d2f4fd32bc5562e3df491d

SHA1
27dc4cd29b022d2c2632d54c5d5f471e49abe825

SHA256
2ce292896383850255e60c2c9891228fabac2a34028f2a0dfd47d749ced5698e

SHA512
f1f290bc1f3c6fe8a7f72cc7be93100df53e56aa1cd35640a15e8f1906584ebfd4b01c94e3eb6c7634cef482892bf2d64d3df353c063283ac51a320d8ec90762

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b42827b5ee21a31b6902e7867707186a

SHA1
86f429e5cf5c96fe38cbccb30a51ff796660a690

SHA256
28cdddc333f253e2695d6a8c0ce57f799758c5fdac5335e98507828f31cebd12

SHA512
ba3028b109d62a82bdef884d0bd9be86ac84d8537dbea932a093537b3cc6b14fe498f6f49f3363baf88666992bc84e70ffd8b675af46f66e6c6c19a706898c18

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
0aa2565a4ad04f86dab54bcfe45b802b

SHA1
3625eb140b686f30d54366e54bfa3667872af836

SHA256
ab254af620461263aa1900f728a202079f438b13c73e7671a0283711deb2cd12

SHA512
78ccb784775d34b64bb68f26ccc189902854fc4cd1e78b57c21cd4801cb440a41cfbb8a0cd82e42cb080be0ff232a5ccba9faf001aac24ff698aa2aa7f4df5d0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d0a37e880ad0973b2d0a2f0a755a1ed7

SHA1
6b09629a8d965c9026f73ac8c87a7ecba52fb54f

SHA256
b5c8bc6a9696c6194e71792105ff0ae02fd808d6c21333ff5b83ca90b3c80d8a

SHA512
a86ef4bead944dbec8b3148b21de48ddb40e379a6caa9bc46abb9d499437e889da7b3ecc5b69fc237742caeb350d1c9937d4b81bba7cea620deca725c752215f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0e9daddc6259d3ba68de4bb832d652bb

SHA1
858db7d987ea41c5e9062b158f5525860a9976f3

SHA256
a369bc27d4d21d70a355db39729ea180020db35a6de256b76e79f561b3bf19d5

SHA512
1eacc6ba35cbbffe220c2dcff3d4df41a6836f149741e5bc9151f1939afe78d84c7344f600935e4b3b731b93854ea24850b041754070e83dbdf926c49f9ee15d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
0ce5a2a118abeca7cae830558503570b

SHA1
d3528b719da74aa81393b5a2439a2554a4c192d4

SHA256
e1647d73a84eeb074ab3276bd7fbf2b5417a34077724a722984513aca1f9542f

SHA512
5c6299457977c03304a26cc77f47be48d92143ec00554f9a91f0a7f995b918338733fabf96548e33c797f106e25f288d569747a0f73a14964042bc8e29824cae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
6eac786651bbd741dfab2c109f762ec7

SHA1
2d385bdd3268bc2cad191f64524a98dbfee2058f

SHA256
4331809171b960e218d712691450c21ac6632bde4a08063316ac4dacae6a158c

SHA512
2a3394b210e728c53d343f06189b0c3b129c97c6c84a37bf3d5383d2125d0b3e5daa27978b224b87e72c5245316dbde378672611cbe5afffa33f308f0810debc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61a52ddf436a36eb579b644df4c33d0a

SHA1
bdad7388484ea26decbe3f84e68893dd0c1a2153

SHA256
82b2ff3da8d8f33259f540498eaac8298b822322ab184eb1546efe607b201f62

SHA512
497e1009d2101e62a5d337a9bbf6e9ade3cb8879073dd4d2912724c3f0c4e99d988fec8b4bb36667eedb0c55b00fc3b8a06a02f6c540816f752a03e709cc9e9f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
51be9ac4e0534a621a0bd6fa1d94e83b

SHA1
e4c52e9e13de8b6f460919da9f5cc00c3ac51e38

SHA256
1cea410be7f3c225e347899a8df1bc4e554f189f884fdc2d5096f4a563d72b67

SHA512
6c8f188e5a61c66b9c0ec92e9b2530ccff003d1a21eb61f7a8b2455688ccc653c9e765d68af85a6a29d89fc440095be81d5bfe97d428ac57237653080674011d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e34502157af5d6d5f5f064491bf2a945

SHA1
15ecc99346afa2457d83d891f2d21fedf9a5391e

SHA256
1286348ecdf2a0ba68a4af1bf68b631f1b52f09ca33575f451ff8c008144f726

SHA512
b30333f4ad3ed51f734c0a1492a3eb3e94cce75da1b07a9eec81b20f03171ccecbb8b743313eb766258029bfdbafc9cdc48ecca14231bce1da2c0bdcce446628

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dfd9b383ed4015edc80d62478922612a

SHA1
f2ef69331cdd8c84c9d05ca66e544e1d79447d18

SHA256
ae6c6b5379a65eae9678c85420d5b22a20a5d087685ea16279f9f79b29381dc3

SHA512
f37b001e09528a9625690c267efc5f7aeba3a8d00c5c5cadf2b7a646792e1b38275d6f7b14ac15a6d4caa2d9d20fef01d391a8485aeee555e5101abc85682648

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
adb8baf7955f8eed162787520382d10b

SHA1
cfb5ea0bd54342346f2787a9f6b475be3c7da40d

SHA256
40040668c7cfb4415253a6a0745a07c4f861b49b4b5c3ec72cfcb49ac76e2561

SHA512
72374ddbc65f4d9fe53495b0932a46117bab4af6ad701aac169a20f324afe0a0e5dbf51df2b1c7e471ce174d8c45eee7baed4a639e14cb6034f4af07de2b38eb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
4c8d43ca4ae51d54edf939abb7012c38

SHA1
a5b183d7530f4f642e9acdf6b88dcbca813829bc

SHA256
1851b1fad0b6b45ff8b59e843a3e6737993bfea0ecbc10214acf2b829a977811

SHA512
83ece7e3ebd9ff33777fd7d2625f8e3763fa72c6af285bd632b9bd54d47ce69cc75cc583598de6017b86f7b7c7a01d007c3852fdb6bc9202abe4755e9c2168fe

Download Submit
memory/728-669-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/728-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1040-219-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1040-108-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1044-517-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1044-205-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1536-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1536-465-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1812-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1812-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1812-673-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2304-146-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2304-258-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2544-259-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2544-670-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3044-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3044-32-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3044-134-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3044-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3124-100-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3124-105-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3124-92-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/3500-384-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3500-180-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3668-585-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3668-208-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3904-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3904-666-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3952-0-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3952-9-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3952-51-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/3952-35-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3952-8-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/3960-232-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3960-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4084-246-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4084-135-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4148-76-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4148-70-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4148-183-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4148-78-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4152-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4152-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4152-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4152-90-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-49-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4516-42-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4516-50-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4656-292-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4656-675-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-120-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4860-234-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4896-271-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4896-674-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4984-13-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4984-21-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4984-12-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/4984-107-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/5004-155-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/5004-270-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/5048-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5048-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5048-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5048-63-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5048-66-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download