73d7cc46de18f27683e8574023e49de1bcd882e071e72de22a313a44a7d3b16a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Size

2.8MB
MD5

b05612cb6410d636ff3b8aed4d0cafa3
SHA1

46c3047aeee17107a99eb4beab9d9cf632cb21fa
SHA256

73d7cc46de18f27683e8574023e49de1bcd882e071e72de22a313a44a7d3b16a
SHA512

8d565b044fda9e7dc8196d3aec02abe9738ee462d462cd200e7125b8b93ce8e9e0c1ec0d31b5249cd8ee85a665be13b295822b1be59ce66618d485da85166379
SSDEEP

49152:vtbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wT1Dmg27RnWGj:NkPbiHW6ZWD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4556	alg.exe
232	DiagnosticsHub.StandardCollector.Service.exe
4828	fxssvc.exe
1248	elevation_service.exe
4356	elevation_service.exe
956	maintenanceservice.exe
1208	msdtc.exe
1616	OSE.EXE
4836	PerceptionSimulationService.exe
1660	perfhost.exe
3988	locator.exe
4708	SensorDataService.exe
4264	snmptrap.exe
2184	spectrum.exe
4900	ssh-agent.exe
2684	TieringEngineService.exe
668	AgentService.exe
3432	vds.exe
3952	vssvc.exe
5092	wbengine.exe
2540	WmiApSrv.exe
4968	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\46d7dd0ea29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036d73ae13d14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d004a7e03d14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c00688e03d14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018bc3be03d14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031094ae03d14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005653b5e03d14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c1d5de03d14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba76b1e73d14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2972	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	4828	fxssvc.exe
Token: SeRestorePrivilege	2684	TieringEngineService.exe
Token: SeManageVolumePrivilege	2684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	668	AgentService.exe
Token: SeBackupPrivilege	3952	vssvc.exe
Token: SeRestorePrivilege	3952	vssvc.exe
Token: SeAuditPrivilege	3952	vssvc.exe
Token: SeBackupPrivilege	5092	wbengine.exe
Token: SeRestorePrivilege	5092	wbengine.exe
Token: SeSecurityPrivilege	5092	wbengine.exe
Token: 33	4968	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4968	SearchIndexer.exe
Token: SeDebugPrivilege	5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	5040	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	4556	alg.exe
Token: SeDebugPrivilege	4556	alg.exe
Token: SeDebugPrivilege	4556	alg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 5040	2972	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe	82
PID 2972 wrote to memory of 5040	2972	2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe	82
PID 4968 wrote to memory of 1572	4968	SearchIndexer.exe	109
PID 4968 wrote to memory of 1572	4968	SearchIndexer.exe	109
PID 4968 wrote to memory of 3676	4968	SearchIndexer.exe	110
PID 4968 wrote to memory of 3676	4968	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-01_b05612cb6410d636ff3b8aed4d0cafa3_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1708

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:956

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1208

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2244

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1572
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e28681e3705ca26c64d8d728e4cbc09e

SHA1
aa48576ca8ce1a717357db6733aece0468452d7e

SHA256
03fcce7f1ba82a0cc30905985bc9438637ca059040d4d38738f31d06d24d0f84

SHA512
277ca83fd27e6ffd123c18096870692fe639e5e8838f025b70f3bf47dc5acc6326e1942ad42dcd5733ea88888dace463723ad7dbd69ba3ea65c4c23d3607a431

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
457e129293338fe0f605a4be0265f7a0

SHA1
a7db9d0f2a90a1bbe333d8cd6547712b5a65f517

SHA256
94c5ca50c5fe96d2447a80b23f0569afa5fb27a22b1233dfd8a7006fb9ec4692

SHA512
80b5a758142e7879a86e35e52ccaee7ae00cc017b407d36391783bba37976c60f8f32c8e041c9fa8700d2fbb15ff694ec7f241bab8e94a6ad604e10d351b9477

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
e0bbf2ba5b00cb0b8d3d4e0c60dcdd8b

SHA1
89afce2b3ab240bf41ecbbbe260fa0d4c8368ee1

SHA256
e386496e3813767118c9a43d19e7e42c8259fb160b96e4dfcd6a9da23a4d10eb

SHA512
352ab1cac35a65aafff09492c02860c99911705abaa9222ced65cbdc6f5477214b736a0c390f45b96048f91f9c8a5cbc38e96667fefcd770fb9a45b52f582e96

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4e29fd1ced89842bc8b81234a7f3dd5

SHA1
9606aa2aedc091d41384b503d091f0709462d792

SHA256
830c2cfcd880ba3d96ddd54276e3549f70a20042ad1dfed9b753a5d8412201d0

SHA512
f8917e9a082bab0cae2feff105e1107e1ad024e71a05157295b22e06a1a8e768a2310d414b235a124ff6b110c1bd92346e3b8514f234eb67d269924b66e5ed21

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bde9426d9e7b83a7baed3cfc79a35cad

SHA1
fd940947f316f7d1c1f4b2a09a2dc8ac3de202e3

SHA256
016dfbe901de3a03ee07c03c4b06fa238d7537cd3b745f044101670f3676a9bc

SHA512
6ea0f1ce3af6e2a5b8ea2ed5f176c7d8c44466acb6ecc9d59d8fd390692f41fb5fda954aa306b270f691ea1891da602f587796d78ca93bfe9e3582e4b68190e3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
a71a73ecd4882806aa77a87ed411dfaf

SHA1
bf45f98d8f8500e0eade67f9a6d348b28d689a32

SHA256
1cd4c15f49bfd651e8e086629903bb7d848905af0785bb3310a0c042ff56888d

SHA512
191c660992f7790af3ec22ea1eb285ac1667a1fb36bd1f65f9de5cd2e0ae73379f634109369bc429643b846fcd26aec1ab3779951c1755acdd348f8e85292607

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
69de01874424a0d8496289d25e5df441

SHA1
608e8c9c089f79afb743528f6620d4c60a605fba

SHA256
7f9f77f5ae78d2d5c19baaf2e3ca2d82f2993f4f41846bc2a8125300d0395d13

SHA512
9c8fe091dbc4fc73f463333a2b4284a9804cfceb28f12ca7e92b53c8fe9c73a7d63ea6c076078c3767ec6c008f314e6cbe2847f542132d05e4106f866c5f9850

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
399b3a0d227ef9751bbbc135d68b23dd

SHA1
eabd9e2ec8c4e0bbada00dfe750e7b930a27d5ac

SHA256
6b953c2ade48a2c2df96feb06ad82f36a3cacc9da0890869bd83abb68958be65

SHA512
cc7e10923f6108ed532dc5dc4c370c72cd37c7cb9b11e1b7d8e3d9a0fc273415d8f53aaa8c5aca7d1939d06cb8427b60db2aad950341083bbb79fab9d9e2b8d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
d9ff4d57c07e4544466dff479090a252

SHA1
bf5c8b90fa7a947746544734d16d915bfaaf0e94

SHA256
ebe1d1a3891718564d03036fbfbd3835e2c2501144d660ca28e6a23194cc06c3

SHA512
2829dd5cc3a205370f66d7845f122101c46b7d0bf413dd0797f48062f178638157bd796adfc5c13dcb6b1d5b08e4f30baee81f389d3bc541b8e319f039ae676f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
589abf5a81f118dc1a3592110438ea32

SHA1
5f3fbe1b8442694f28b61421e9b3aa623a5d8219

SHA256
b3c85fed29f786f126d6f727838379897349f47415af6108ac1d158d9a17d22b

SHA512
03aa8055bc26a002f56431a3215b0aa2ef4133eb59acb5a918c11530c3c118c142b0cdf1f966e05844e8c97ba41950a8395beb04b295724a2d24564f242453a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7984a5450a32397c16d989678c3098d7

SHA1
c221f7e610acbb599a3a1c55f13cb107aad9a012

SHA256
db827deb4171cfb5f4694bd10e4f1d927c0da712cfa1f1e594a1df101e8285c0

SHA512
773bbd302622981b0f9b0bdac0a485804afc6e5bb1ffb1288b02b0752321594810b506615eb6ac66c3bb5f943de140e0902783b9836a5432ccf16d87dbf80830

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e367aba5f0c71a06e46c162f7d0aea6e

SHA1
a6c4dd48b94d34cc05493b3d4e1a60a081ddb7c0

SHA256
5cd034574c08b8f8c9936a800daec155edd6584a81bb0031d8c5bb43ff25e699

SHA512
36521c0b97d789036e354de0e7406d283b34eca378b0a99feff65f62cf07296993e04d7732c0c0b1157d4d9366b4466c357e57a54cfeeb309ca5fb08954f80c3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
46251bc3dde129ad5269d1a768fe6f76

SHA1
4edd1a8ee779f1f2b0d78543c38cb6096bca2298

SHA256
708da3c8e38f192df2f1a5502c81abf434831a4ff5622fd2dcbb93ab6b1a89b7

SHA512
d96b1083876cd2666ae16bd6a8f24d37aca9bbf58fc252a6bb1f524ee998b0dd43f718935f6fee5e3d801ce567c4b38e6d6fdbe2afff7b57d2c201606b3d8118

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
4c8e9bff25eff273b11f0633b99d7200

SHA1
9cff0a7169a7116c62ff17d55fdf6c8c54547b13

SHA256
fe9c9fc7cd0782cc2b07c31e75fdb563fa090e1f2e642c25c512477f17c49c08

SHA512
e1c03c4a05ff6e2d9e36a3536337783eeaca90e3ecdafc50f1825c627acbd37ea1ff81210593462e97f3a15bd6d7b2ff07c7fbc6d5ef38b894269bfd3df4141a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4e126f7d92e6a9afba403b47888ad519

SHA1
768553952fb493fd7954cc0ac69796d79e1dca07

SHA256
6dd2b99905b0cec74e2ff5f3c2247d5c83106711d788a6da2c0485e61aca3130

SHA512
4cf5bad87ad34ef156c867c11fd097a39fdacda94936de3a746b961b76d2597c3aff669cdd48df24bb389ded9b8544f3c4f8f03de067b73c12246377dae26f52

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
97939321dcf482c66aa4473169f0f19c

SHA1
6079cc71fdfe1c654c65c12dac869212546e5666

SHA256
cc48b1b5eac8f65b4dcd08d0e1560243c7fa0b3aac44eda2096901e5b60e1cdc

SHA512
bbc772acdc74dac60b2ebdf3c373e55d20e0a3fd0d50f9cccc98eadd5b0f095bb6d2165749c79f7a7f0117ee99c7cda0a2b2a707a2040e4a832704770059afa4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a546565def5903b1a8f6a4c2a8b0c18c

SHA1
0e141744a6ef26cd8c15d7ef975dd6dce5688813

SHA256
17234c89bebc31de780aa37d1f6342de634b4f2765bcd7495cc2f14b8ccd72b8

SHA512
77b70a24334cb8dba60d29a6d68fd217f756485da05078178240f35968f8bc87845c7787bd7be9083948adec7bcfdb4c7e2ab7aa6e8b4ba44cc3dcb34cfa96f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
24705f13df05435795f11dc65cd9bb55

SHA1
aa6450f97c36f2846dccf8cc68726729b84c98d0

SHA256
afd5589277396638614b203b23b3b9bbc68d6c5263dcd09bfc7dd5997c27f7b9

SHA512
09e9d29af0f0f3485240717732f378625fd115663070006e353b623dada62574355e979ded312dee6b7b661332e296bc488d40a642a9e78e545580fd2590936e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ba35fd5099889b34f9e4a323b5bb2fef

SHA1
d9b85625ffebbdf183ae9b53049d0f6ea30f0426

SHA256
f2281d1b8591b367e2bcda89b35d919780bf433acbd085fecaecd2eee950425b

SHA512
cabb576cdd830ce6b9dbf5604f597935c497b9845b38d6e9271e1db97ff8444a27c86d68ea969202ad3f188a6c69d2eaac8f91c332880a2cf14d558849193a41

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b44475af5e42083b746bbe196079071e

SHA1
eaa37492baa73f67cbf12fa65c4d0e0d71c4eb54

SHA256
e3defad9d206f81df6aac58be61409d927bffdf7ac9a8320a01642d297c64ef0

SHA512
0ab2e97d9fb0332b882cedb5c362fc45fbae4390a207a80ac6ee65d808222d5c91358a192850e3d9d362d205de4c4e84dc1c68abf526f098fe92df1c86eea476

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
2df3087746e61f5696d0993ff1b0ecbd

SHA1
60745f0932fbe45122e54337e59962f6cfdd5762

SHA256
d4c6e758c1030f50f2a89b2f0f710dd9785dc4811fbba9557f614965145dead6

SHA512
9ae7c106f7ec28a79e2e7f1b9ac7a61fc4b45aaea30c5e3e3aaca4da8c7677c335fb5f4457306be662f8d394677f60d04a0e0fd0a43b207731b0420a8ac66ead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
336d2d0456b8bc314a4dd347186a04ba

SHA1
c61bc60f8839a8683721afe3ef33fc5ed636cc01

SHA256
fb57ba03fea0ff4bf052dba48a6755edefe0408715d11db4db677552d83e0999

SHA512
84b1bd02b0457e92d641f5e9e1e708df7a1609c456c28ad9db4c14c5cda024c6defec317c5e545a5850032de7494ad0bfd0ce81a9028251619dfc8ab76301bab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
fe751dda81fecf1317fcf17a2e403f51

SHA1
95e7744510430919df2778ef2a68bfda0490f8c0

SHA256
86132dae032f04f40be06e731156411d6286ef5f171b505d1f2ba43eb3bf049f

SHA512
86a00091f40989ea56336045b8af8932de9f72f91364cead091e8beb83fd669428356c8a407f1239e8dbc8ae714eb98adc822c8970ccf93865ca18cd34341ee7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
c48c451602b8a4ad9a0e895487a6869f

SHA1
baaf226120848af20ed0031efa2d9a75a4268a37

SHA256
2370780cd6a20042822ba854e9d33be248993da805cd3c2ee2d716beccead2fc

SHA512
9c7c0f0ea2079ed49e15940ddb2c78d0f6b8dbd22967e6f5e97abf49cd5036918e46b396a5f3f961db4511aa4a1c710f4a565892f7001b62b42ffde188744134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
6eac588f6958079d6e4f3350be21a799

SHA1
f6c326493fd30501372d3128b7e7eaf7da3c0658

SHA256
9d9dbee00252d1bfd48414245e7e9d19562e6893235ff80d92517cf0365952a0

SHA512
6eb81f337a88b2abbe6e183742f94024cb639cf01bc4fd2520884dd5993207c08f5a1cf84373561b42abef266732531d1e8f7c85a405fb1c6ab9531e39fc4bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
5a14fb2da210c0cab4f798a09c69bb35

SHA1
9de5e5ce182e258bd95421520d18791c1505dd6a

SHA256
2b555eaf7cb40a84c12cb54320dfa81c4be5f9ecd1dba878ad91119999347c77

SHA512
130c5dece3a9f45325e245a4f1a3e6b222e4899f47c20031f70b595d8ed2c9f653fe62f5ecb2c09e9c4ee984367b055375da1057a867146743f860c28e651513

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
b4d158136c4b95d4c054bed7e1c432e4

SHA1
124f4941d606d18f8b254dae10518096f37ca625

SHA256
c9c2715c55c0badee40897e8e4e3579d81898199aab08630e6e25bd61c4a113f

SHA512
760923f811365c6d9a44ac135ee84b6b6dc9c69af26ce37fe24eb3d63c909b8dbe98302042ccb2c62f44f40c7dfadf14171fde9086c895e3953627dc6f2c3049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
e62106b22470a7f569915bc5a3dbc3d5

SHA1
4ff3b58a31cf677ee53e4684a115f762e397ce58

SHA256
802628245ae4e86d9e2eb8a59e22a98a6d417e9d697456de443770a61edd17b7

SHA512
c2f53830a77a142ee6af4fb4a26ddfbfa4d4619a3659b5fef5d8b58494f8fa006828dd91679fe965e6b2f304eb93d7950ac618ed6113eea05a054c63d234fd58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
65934403743629de4c12c5798f5bd739

SHA1
cb812b8ab2d6188095c6c47a76777ceaa45a7d8b

SHA256
63609cd3729a6caca9d9a870a414f3f38366cf5dfa6d1ad7746f659d3712a759

SHA512
bd656f600cda7f9aba75c0ad7bf11146cf4ac7644c127812e47b037df7baeae97e516b489f4eb1c6b3d63ef1c532da388cb6cadc43c04ecdb395d0b0fd53887d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
2dc582c29895eea868cecaf0538652fa

SHA1
bbbf2753367f8cef46759dd41c9a0a7dd6fc83e4

SHA256
96646772ef26873c26e1b4e6a60d3ca2619bb335e2c154228bd78a9573a6309a

SHA512
dc7fdead58c9a93cbd3454ce317a901c6dd2b17e78a93d4756740b00ea7d6385e35d9001b49e14245d28fa15160872e4fcf090e0c24d28d7478eca0b9f5ff9fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
9cb705ffef34e0e92b92a9c90a6b0c3c

SHA1
06f0f8663c519af251c7b4805f2aedb0f5140b79

SHA256
ce6a0215527a3aa6d9533323aea8de42336acb4815af739751d761c8bd23ddd0

SHA512
a4883dd91b79f2a36a733d830077ad2a47528cef28277af923935945fbb7bd6ff566086175fc4af6eb707b57b6c24df62497747c351994b0c71542d0a64e06a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
2efc39dc7258aee4f2572b6d2564493c

SHA1
1a0fecf058ae9683cbfb5669f0881bfb7c7c9b88

SHA256
cc09b55af0f75a3041983e1e43b5ff90d88308a3b4664d4695f90847f041ed9b

SHA512
4cf660bd8a2e531ed52ee5ef0a74f5f95cd7311711ead87ffeb8c6c8d1153bbbb2c5db969711c5db3a040bb19cc14b2ed3381651c65f321637f1257f6386b6ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
bed89fe1bc6782cc98500f703ea4b26f

SHA1
e27d972e2d89ee5a14889af0ef4e642d43def17f

SHA256
b4317daed2d40b726562de83638218bc5e1b90791c99098620073d6a530c06c5

SHA512
f089f356220659aaf953bd4387ad099be3688beac5a0c14f03eb6f21ae90aaa210cff7575173b6717e0d9b8d447eb3129f70ed3b47926684ca982a055e4c2026

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
9071ff7db6fd0825892447fb34c979e1

SHA1
f6635bb2719f6d55e5305cf0f69ed754d49b9bcd

SHA256
568c1529fdc8374def0875c7c4efdfff0200eb50a73722ebd5c3a40118c7e994

SHA512
fc24d1ba316a42d8ccc9d17db91fbeb16c860906e55241d903c49198433f2345372a6fe22d3aee5978aa9d76234db81703ae0762a97e7e77bfb21f1874b21f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
6bb967e859bad42a1eed9e48cf2f662d

SHA1
bb4087fc621003be6a3687de43d6e7fd54dec567

SHA256
c725a193a8824161bfd77fcdb55e12771f69867450d5338867845092f028a7ae

SHA512
9fd911a5d60c6dee45a9d41858eb3e7bfb26dc4b3b58097c138d86d9a2561b11de1a9b6eb4be075d5a3ecdab9e9ccff41f76b587d3473e41a7c34a3d38da159f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d3ba2a9512ff01654d15c6ce5f5d67cc

SHA1
4963de73ac06e0cba19e3e477bdc9a373fdfe588

SHA256
e2d014deeaac9c1e3a1279852b527d282bdb52255c16dfdf57ef4ccbeab352b7

SHA512
469eb36058f24f59af2c323163e034d9445b433b0b48c7a6bddf14499f5ce5afd2d64a0dabc5c3e9fa5d5a95a78108cfb95dc88a2dd9467e7a015f48573931ec

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
bb510d8f2e618f6a929b8901016282fe

SHA1
3da41647277eeef15dfcc0501d5bc19ad1f6e0ae

SHA256
c1a08042e3ef2cbd673eec8b37c747e8be0e92a6add539ec5eb397514865b346

SHA512
50b011a4057980cf866e1e0fa5522402a86ff3dc30c571f5b15aa166a6abe12815a6139bcc979402f1caa72f3526c41c14b92793f0762f4446c3ec48a8e86752

Download Submit
C:\Users\Admin\AppData\Roaming\46d7dd0ea29f13f8.bin

Filesize
12KB

MD5
0d8b7b064a4534527b8fe4debe7d24f3

SHA1
79b9fe12f90a58947f92b5d67b58a6d06fc4b2fe

SHA256
7356700c1df6561dc3faf91a49d8c0571b14a8662fcac226715efcf72bb00139

SHA512
2a8f64d5adae2a59792ff989c4d793926afd3045f314a43acbf7f5a08444003e26f87d4f880a89c1594c779c9963426bf0822f3383e226476b8b86da165b3157

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
31cb84a58de607d52fff5b56117bb793

SHA1
c45f703ddb176bf0ca85d739fbc1d04b6073e3e9

SHA256
4ac3dfa042b39112594e806812bd2a94270472d436ddb6d28f8bb908a95daf5d

SHA512
46f7a68eb3e0f2a4edb37ba55b035d234b75713cb2eb8a48cba73e0572f2a3f17fe51f7f59d7dabe995d2df084fb5ef3be29e66ccb217de5bb8c1c054b7350b8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4eb38ad8f8c163b5394f52356dc67289

SHA1
835fc92817a1717942c55f5093826a485bda0b40

SHA256
f138321600ccf81e2f9a5d4c00019b63b010d5c864572388b24d57cfb69e6de4

SHA512
e6d1f7caf614c16793dd14045ac57673d996a5d81b20ef5b14ef97d01c00610fe1e1d2ef33482500b7d020465c84586cff744e3303547ff30f1b46d9ebbdfe2f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
531164e348e000540564578d8d6dae97

SHA1
420a59cbe64ca04493449298e49e8bdee0127eec

SHA256
f87a42a2945dd7c0c304620c66a27c0ad43285ec7dfccf7e3bb9783ed12609b1

SHA512
b57d7c0cab4d653381c6aa214643043cb298d6ebcdeb8470a5d04e2b3a14cac8f959114856c821a6d47d6a5a63d38ee7ad5c3f731d589bdebe96b11e4cdc5a6a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f8f41dd4d3955fa33dbab0d6c5e67940

SHA1
d444f90126d1654a50441161071d254871550341

SHA256
4973c7efc2506e7585fbf2d6dcef606d1ce969a2e06a3ccaf084b5903f16ef0e

SHA512
827cd1ac7da4e8d085a2d8229a8bb66d7496e0423d6dbd5e638853717f0189b3c363da114463e258f246a70428d7d524346df2a6b4ed5401e1d91856002d0e79

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
acd1937970f1739068cc9db830f8d642

SHA1
cf82fbf30a9ac4da5722030fbde4ff9cefe76047

SHA256
6126054adfe3d0ae49e8c468668de482ff37148999e370a0189471f361ced16a

SHA512
779aacecb0bc197ab2066dfac6d5c100c5304f1e97fcb347021fb700e241db6a635d1e00c1811752570754b2092ad8d0c70c11d6160bfb79129dc62217b12b73

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
2832ca4c42feba0f634ca42c4f109ed8

SHA1
d66ffe0c2cd358f9bd62f3d9eac3b7b229b4f639

SHA256
1b352afb1b0271d5ce0550261ee07fc8c188b499149a2c00d00653fd246beb48

SHA512
9c63c9024173d72b556ea88d56c4153cd98acd6c6d68cf226358e7e1d7634c21e669e890f1a7dd0772c3a7971eb497ea54454c8d89850eeef40bd021b36a0ea5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
8dd957c6864987f33f7e2f5b3c272efb

SHA1
a925715afe258e1c4ad8558ff72c4cb98ef8ff3b

SHA256
bc0446a7f5f821ed1103caf6d2a5c14eee673b4ba0e58476461b293bb11c3caf

SHA512
343c922b8b8f1f09c14784ebc0dd769de392e6e0ff8ac822fd17c7916843df463635076b8e69736e1d86e09cb751aa5c81666975d4def8ac0db36312035b1527

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
86ee6757569198fda8eb8a0dab3fc79d

SHA1
3bb05e80aa1de576297a4739323077d793eed43f

SHA256
36db419365448a1ee94d1b75466a2012f7491fa2206e6610445f594e9a22b8e0

SHA512
1eb2b505f034a26052f923011be3372dee9ae489454c3c5c47b1d3b6d3b531021deb9374a4a2808e4abe7cae7520138cced7bd1462a5ff97b7f5e7c9623c6f34

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eca87444e9771cbfe9faffbb29aecba0

SHA1
44cdfc6895bfe3a1fb1ca6d09f29eb8f7365016e

SHA256
b7c49081122461a08dff199340f8b65b8cb60ae01c2da1bf173779743e2cd8ad

SHA512
c28436e675574193f14862279831a96d91388c33776453e675bdbdc921939b2f4b11f5b78cbc6a5542b95e7327da1635699c6ea5401453b057f2375ae696bf96

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e6f25fd4cbb2927dcd94510fe4c78082

SHA1
48e2d5e24df215110e859706974ef90318a4707e

SHA256
3d7ca102d4e273fec28d6009893f2a944ff605b933b3b9643579fa481dfcfbb8

SHA512
f604ee4722e1cdeb3b9b9b2fae81d8c711366c6312f7c70cd3c34f44e900c9ad0ce78f78d108dad27db11d1ac526f726d9c50d9892778ee3c69a4f403586cb6e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
5f7f261946fd5a51b4bd413944b27922

SHA1
3d515edbd85a1c08b5e0ed2539d4a0cb5b3221a1

SHA256
f1ef799c3071f1c323f439eb868a1a5cfa3b3eacc7c93831204b7e374ebba9af

SHA512
1881724bb300d3d8e29ea525253fcb755e66ccf46344ca08b8f7b5ea74e91e95bc03fcfe9855b49937d61483be596e248aeb3fd5fca41349ff46cccdbe68aa40

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c047a2a29ad6bc9ae000d7172ebc0fb5

SHA1
f36ed1a1a97c8a139dcd9145870c84830ea89362

SHA256
e6f60f094e90ab05768baa8f1d4b7e62f96a49f6b8af243681c4676349bc17e8

SHA512
bc34586c48cc2a42381084df6f5c03ce737e4ac9f7bb97f7dd7f14a4fcae5e423d94eceb71c5f27d36ea7993d20dbaa4b43bbfb5f06cf8c6ee457df4569dd473

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
98dd3406e73a305d7a5ac4a95b8925bc

SHA1
86d3f71a836e907a319a217554676cb7ce74d867

SHA256
28f71d42e971772f31a28a8a43b84ab80a1f8726304dcd823c7ee168ab00d29e

SHA512
aac4fc8cf27d2974e8eb3536b0e594a276a8eb7da09c46f44b65d95bc07bf79a47f794c5463fdd18ac84e84437d1a0bf46447618a4c119eda23c709cf98c2d59

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
e96e0108d5ddc08a2dd7622710187c52

SHA1
9897ac0c9026f29b583a8f5267c16928b608ee40

SHA256
871519c44b9544ba4d1b82016520aaf5d48c360239612d3401b1e179287e9dc8

SHA512
b3774ec5a00c8813160126d9b0354bea6187535504c65b92fbe33c06a300eed928ba65dc9014fd005b51ee1aa3b3b2865d70e48e27c2fbd742fd442d11528726

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
a7ba573c812ca4e17c8c681460924cb7

SHA1
8973662864f0867a20b138ddaeab85a556ac009d

SHA256
b2192c3cbe12e9d4aef25b818e93ba44da20c57963023fd7c5ea9ec2e43a1bc2

SHA512
7e109e3f317a6d298fcd424b5532968f4b8414d18d904c6dec812d038d49ebb2d6a882f53391c8c10642b4200ad3946a7dc25b0dd66ab5c955c7b11151b4cdaf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ebb6bfba627884c78c0ff73a2fe46801

SHA1
b01732f316f12cd65af30c82c9b6875aed288ffc

SHA256
198ee7a061933660f6f0fa1b2fe2cf2f8e710486d284d5161a553378a900fce3

SHA512
fd841224e7f61c619d9defbd95618cdf78a4baad8c4909723fbed47af44c00d87564655d7c3ce30afd09f51eac13a32ed0ed437262bef2813ecee030816b7a32

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a1735bf5e1fb6c81962de9c5d3e82244

SHA1
b43d3c75ffd439e10b4b31a9f7d37e8a6bd4bccd

SHA256
2472f87347f9c75fca41c485e9a379bd9c04d3b87ac946b36bd36aaa13b95a08

SHA512
b265ff614d08aed07054a9895e6ba4119941ad845d3cf53583ca634f964e8c15822039af2b43c6183789c6da361f1d9c7a9b3fc758407e717c34f2174fa12633

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d9cb55fa790572129b2689169f094cbe

SHA1
9f09c6846371520779135cf5c7d627dd64bf15ca

SHA256
8ab98ebeb4235a745a35c2ee3ce06c6f3d40c832bd9049d29d50c8d49a604aff

SHA512
d9328ab4b99900de0e11fac0599e7c71a55ff8c572b30b13fc1882d3575b568912229f7be3eda222e34d3922bc1df43d5d33acec18e82da257d211fda20707e8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8065c137237c39252b7abba5184fc65e

SHA1
82df694955d93b0fbbf7d09b3f3ad9f6be0da2eb

SHA256
98b08cfda21ff862bc1bd5300ecbdd5f4dde92c05ded31e9af6ed82403b6429e

SHA512
2d88272eb1cd0d1d91b109e4c68e3f3631bf36f0a89936cc53f0db052e8e31205c391dcefdc7deeb57ec2f097deaa2d8fe65f061c0aaa19a6dba29eaefd254c5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
bdccbcc2b2dad9bc7fff059a1a65176d

SHA1
cc195731df262f622a877e19da8e5f6987269f86

SHA256
5798547e671e66d222f92c57f8384f520e3435097d3874d769ccba51ce845e71

SHA512
441759ddc8f6ec111fec33ec65ba7596882d53ef4f7ccb8405ccc0499a9941009824fd9c31dab619f8526700ed50c8340e0cc7af3667e0fedd1310178d3dfa6a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
763230d5ead2c0fc2a7b1ed363c9c9dd

SHA1
5c319e22fd267957e4a7732657c8663424cf8f67

SHA256
076c96a853be9da06cbcc0819b897df0a280e4c82012626aabcbca01daabd624

SHA512
3acace5e108aa75372fc227728b78d08d5296651f57ff624c237e6d603b4af045095570ec1cb5e548a8cb1604e98897a4092645f700866fdacf7f8ac96cccfc9

Download Submit
memory/232-50-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/232-42-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/232-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/668-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/956-303-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/956-90-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1208-380-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1248-71-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1248-73-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1248-552-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1248-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1616-304-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1660-306-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2184-310-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2540-377-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2540-557-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2684-312-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2972-8-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2972-6-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2972-0-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2972-21-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2972-37-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/3432-313-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3952-315-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3988-307-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4264-309-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4356-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4356-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4356-88-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4356-556-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4556-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4556-35-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4556-467-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4556-36-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4708-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4708-555-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4828-61-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4828-75-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4828-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-55-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4836-305-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4900-311-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4968-558-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4968-378-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5040-379-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/5040-17-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5040-11-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/5040-19-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/5092-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download