09ef9d5edd9a3a8f7e4a05a27edda0423f0ba151a6c843fa5599167af31b0276

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Size

2.8MB
MD5

aa26fe4f41cad4cd4da60958bd7b2b97
SHA1

e3cf645607e9ffc1d9f89ffbd06f485d03cc1329
SHA256

09ef9d5edd9a3a8f7e4a05a27edda0423f0ba151a6c843fa5599167af31b0276
SHA512

3e9814926afb60f761d4e3c2e1c65ed821d5640ad7de308e649a4dc0e8193dccfafcb47d175b6225a408384815b5ff23540b1e6475d0a20e05cfa3ca8f63cbea
SSDEEP

49152:ttbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wTLDmg27RnWGj:rkPbiHW6ZID527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
372	alg.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
1712	fxssvc.exe
3864	elevation_service.exe
2128	elevation_service.exe
784	maintenanceservice.exe
4920	msdtc.exe
4336	OSE.EXE
1860	PerceptionSimulationService.exe
3912	perfhost.exe
2844	locator.exe
3812	SensorDataService.exe
4796	snmptrap.exe
1680	spectrum.exe
3916	ssh-agent.exe
4088	TieringEngineService.exe
1588	AgentService.exe
4356	vds.exe
3988	vssvc.exe
2868	wbengine.exe
4912	WmiApSrv.exe
2688	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\276ad9f6b36a5b05.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000826675c9fe14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000488c9bc9fe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b89b0bcafe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9414fc9fe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c88617cafe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000776856c9fe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e02234cafe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081b3a2c9fe14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055c6b5c9fe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c827d7c9fe14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2268	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeTakeOwnershipPrivilege	2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeAuditPrivilege	1712	fxssvc.exe
Token: SeRestorePrivilege	4088	TieringEngineService.exe
Token: SeManageVolumePrivilege	4088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1588	AgentService.exe
Token: SeBackupPrivilege	3988	vssvc.exe
Token: SeRestorePrivilege	3988	vssvc.exe
Token: SeAuditPrivilege	3988	vssvc.exe
Token: SeBackupPrivilege	2868	wbengine.exe
Token: SeRestorePrivilege	2868	wbengine.exe
Token: SeSecurityPrivilege	2868	wbengine.exe
Token: 33	2688	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2688	SearchIndexer.exe
Token: SeDebugPrivilege	2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	2672	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
Token: SeDebugPrivilege	372	alg.exe
Token: SeDebugPrivilege	372	alg.exe
Token: SeDebugPrivilege	372	alg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2672	2268	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe	82
PID 2268 wrote to memory of 2672	2268	2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe	82
PID 2688 wrote to memory of 5060	2688	SearchIndexer.exe	109
PID 2688 wrote to memory of 5060	2688	SearchIndexer.exe	109
PID 2688 wrote to memory of 5104	2688	SearchIndexer.exe	110
PID 2688 wrote to memory of 5104	2688	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe
  C:\Users\Admin\AppData\Local\Temp\2024-10-02_aa26fe4f41cad4cd4da60958bd7b2b97_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x294,0x298,0x29c,0x284,0x2a0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3812

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:568

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c0e58c9fdaf855cb9c9c0b54aeea265c

SHA1
ba291ea2985fa487340a1c85a9fae3d1237de96d

SHA256
2acd09f330ce0c19d4f5ba624dedfe56111d0a61f62ecd66ef6d393af3385e39

SHA512
2fe892d2874648a60dc5ec37152a0db0a345865164d36ad1f5e9b382edd4cfa94cb35a6a68097428e5797f6c3aab0e5b240a455b00f72d56e288fb093820a201

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
f5d7aaeac99ff6d3146549645eed2e38

SHA1
c130f3a674d9cd2adf03998e7c2364763a37eeea

SHA256
7c3f1b8d61cf05a306dbc4a25db5b22116fb4d7aab1d15d115d5d4590a2cf708

SHA512
e65ca7472ec6e08eedc19de55539d2f49008a785c704160b277c93aca928c7727c8a8b4100bae7b3fe3403a5314263ed8c79f07098607a5792fc6366da1cc528

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
074a5a1b4ec9f7e0ac7854fa4f95638c

SHA1
3241770ee39a1e3b3d5bba5c164f46d8e1234b52

SHA256
bbe0321d925363eccd445b2920888616f07420daa925cd3622af1c240d1cc112

SHA512
a6fe689f0bf2fc85337e88723496bb0d8d20928ed8da8e9a87c86cffa23005a84dca9233511735bc8b55138980677ba0ca9e2c6120a27d5ea9f05b6b50d962d2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e369e9a682fb2f8a1224d69a23736a7c

SHA1
d896a654cf1a90e4a52615777ef30dd94b5b8844

SHA256
5439460490598e68f94d9dc1f9f5237aefaa99a25af97f5f7d44f5437e64ca59

SHA512
021e0334bfbfd10642cf42ce06979f4031f8fefd9c66b640b84e109f8289510846fa6478255559a06537307a0405945074c3d8aaf001edd16f094669a117b7fc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0ecd272668462d6ef8678ae8ac05553e

SHA1
6d7df37563c7efb3241610d65fb10295cd7af424

SHA256
f7c2da6155162d175366df2cd1223fd63dfbe1f63afd45b3c7d624c9c4180179

SHA512
175da491eb4cbe9d937467983b15ce5e595fe98089f629e62ca534a387456eb16517610bd86e521256524e9c4f36d39610a6ad45db1c26fa5e46b4cf2e07dac4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
21fd0cae614f1db4ca2d2054566ffaf4

SHA1
d726400b2b95a0bb2d2b9644004c06267eaac7aa

SHA256
7e2f9290651b82566c9b7aafc75cd89ed6cc21e6166644b6770ef021755e1c6e

SHA512
c73fae74dc75bc8a7569aeff4d63bbf71cc59665940339a3e7fe1227abdf32992615d372cc5826e1f4007254875a881141c71314a2caffbd9dc271c95a2d2643

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
abb45a4659c824688060defced1b4e37

SHA1
7b664e0cb4a0281115e59275ba9eb9d18eb1dc2c

SHA256
3b42475da5ae9995046fb2450044bb9e1ec25ab80829f7487ad7452b6201da07

SHA512
2e02935315716e21fa527b6e7007115335135328d67956f5850c2c85f8c6bf4a14f0b7ec380392ebdec6e4ab748daf55cf585e2910b6474e39ac81337d791c65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5f8a4ea37960b912b491ac91c3faa6e5

SHA1
27d91b4a497abec4e3fd5a53f07aff809ad2c3b2

SHA256
909a2c1e1cb228dda05ee7eb7a28881dfd626b6cd6dce2660de93c656e7a36f8

SHA512
b4b2df5fcab831c59b85cd8e086cf50fb3974f56eafa337324c1157d7325a1e777287854f951010448b78858cac3f931bf63ccf18d9c2bb997a73dbe0974d147

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
9a969806de0170943128f2e0541abf31

SHA1
bb44c69481781b449ca505996e98800e3d10d7bc

SHA256
16cf004ad66b2eedf0b899133ec7829d8676d599b453ae4da7db8232129ac39f

SHA512
831bb457fb450698fb9a41789930e3ff4f8dc46fc1ee0f366b6cc107b81d90ba2c6f9a4d7734575597f72960f864cb7757fcc7078ffa66a434bd1d72ca6074e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5cc807113e9772157a39f827138537e3

SHA1
3a383b15c714dec4de5c1b9b7242249e506af6eb

SHA256
8b494ba102ae532e6186e5dd665d85a657c25c89b38d139c5d680d0a26ab775b

SHA512
3db2315dbf94d4eb9b69db8c9ab7b6b2ef8240807b13d5e03af6550e36d8c995f931735aa39999e9c0b86eed4686aba2c1a662f96305080ca2846eedcf69c520

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
78ad3341fd1de6858d6037223b5dc6c3

SHA1
9b69d41f0f225714b23249465ca1119ddd18a03e

SHA256
dfb2c48738c6d3d9b66fb0518f91d3d8d74eaf5e1dca15e01bf1c51dd6c34963

SHA512
50479e9244d207a8bc13f2866b8e09afa716d8f9306209467ea1a9ee198311a7a8050ffbf1c9837d2398ea7d3a085083f3aa0de054986bfe9b33cdf6d3b24c52

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bf2a99a824a9fab1c0df4a216c0567ff

SHA1
a3ddcd326c7d4574d60b1d289f254a468a8a41e3

SHA256
8357ebc9ab391bfe849794843fa80cd75f1c2479182358b698454a0776e1e5c9

SHA512
434753b277682de519c513c50191ae81609019fa0215d9d682a4a30ab516b5d180b50117171a3696b674bcf77ef541f8ed940913436780b22b029107105e6ac3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
f6e2e65ae100c62dd9c46805714324b3

SHA1
89cf7b8012ca9873d5b92e791b658ac3ec56a235

SHA256
6ee9716eceac3d8c009e497f3f16711c59370de0c08ec9c5c9a8565545929b58

SHA512
e4f2c820084da84bdd2069699620f3bd196cb3df381f290ce1609aeddd55ac52a4bed1411fe122ae54ba5296b5f3900f1acdf3467ed2027571e5d6f5d163dd2e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
52c57ce0b985e62c6870c999e28e77b8

SHA1
6e5d7eb5c123628c40f184c0a9f6d1ec3e1976b5

SHA256
2e4941c60baf7eac9c0b103eaccecc3e96d8ee2eae4c338aa7bd7bea7eea5b60

SHA512
b2fca802c3932eb92404ffe4ed2bcb737e675ab10e30d69bfc4b6c4e0567002aa303426bb74da197a4d049af1d8bfdcf0374cf9c05dd9bcc35dd6ebe53557ef8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
836d2ac52fec9a9af1fd218cfec4ad09

SHA1
26a1c12547a920a49489ecc720c3289272d1308e

SHA256
8c18493f2123c30fd91224735158a839addd596e94f5485b2f5a996751c9f59d

SHA512
b32532a933a2a3de2ec497b9c72b50fea77491f2dbe8a604f1bd15c1422d6010e1047c2733ac14327a7859af533af930cbf9469374ef021b1149b1297ed05f8e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f17f27a03422cc279ba50a1ac01c0884

SHA1
779daa7e1b37dd84abfbf2ca2fe39b2be542cc78

SHA256
2c1240617753640411c6a78a131941ebe861507a829156b7ed38010ccff2ce06

SHA512
9ff8db1b44b565d2eabd72fa7a9ee5cd6379c530f97ed4b3cd11eacf2f000dbe2e4fce1812c084d398429676aa3b88c0e16bbb53e69769a905d3262869e1fd6c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
da9502984c9afb9c9207251f99c95f17

SHA1
5ec3172c99f15c6360c6b5fa69c6534b05486b55

SHA256
e7cf37f1c00b512c1da9f624bd31f458b4a2cf662322ad17026a8aa4f97e837d

SHA512
b38417170c0918bf414a574756a7e412c911d4cd337f3e30479caaee2fbfcb9ace1fba8ccb42cfcca911aa9aab935c1afca20ae6afbc017ec97a139cea0caae6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
65cd942c3ddb1b85e802c0cac2c4a918

SHA1
d355836fca24b90722ef01a75f3478e56c24abdc

SHA256
efec2676c144dd605ae35ca0bc871a7f30967959f699650a92b120573ea2d0da

SHA512
488fe3f095e15fcb386db175ff170bb34159b80b7643b28872e1b80d7bd215cf0a2c7707d6572172f942057ea1afa9877b1010cc984966711a4ff02a1ad239f3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
11ea5a11c40d7fd017fc7cbaa08bc044

SHA1
69300da310f28ce00ae158826b8e5999af970c45

SHA256
52a2e5de71674d05f1cab1feeaf9613e089d88012d36dd365cb8564fc55eabd1

SHA512
4af03dddc1d9112afe43d02a48b069ce107023b3a2b86a7266e2b83156bedcdc8c7fd5d01748e347e33aa7f29b8c3f9406e547e75424e32f82c548cda17a1a69

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
948cf7daeb242140cd56f0f819c798f8

SHA1
935fad1bef6a26e759a60932308fec92ab7ac841

SHA256
786c91f1f7fec24ced9f5aa13531bd62a9e2142a23260038d9f578b5eb4db311

SHA512
d637b55e585f6d396ed83179943890698f9fb64158c0b40f94102cd33bfb90a4433ddb6d4286ab2b480774a84cfa842cc2b88cec981296966de247a811c85694

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
e090141c73f3f6f92422e0f480dce37e

SHA1
f91ff62bf3e0e0fc1246cc90381edbded8272bd8

SHA256
9c09ce3964bb9b5158022f528a20652b0704cc947adabbef41bbca82f31c0d26

SHA512
3a62a38f477b1b4425b45ccbc8cb7c3f9fad504c87ad65221bbb9968b2436cbf361bd52b2122a1b553bee9f058e7428d703806950234fd4638f32f6b914546e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
393be9b5bf186e1b5400160e67cd67b3

SHA1
71b343b8bea5dff97550a90cdff6afad8db310e1

SHA256
8a6b80d1d33ec328cc7d8f17a8af8ebe354adb32f6f75ee4618cd5aab0245643

SHA512
f6e5d848ff4712303153bfac515860a3ba3cb9818c58cee01e03b927842441835a1fd04f13982baa4b0db1fe38be0a66f06a72a9cd09c13384cb7ffb560572f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
71b99e58cbb812e8b1d3c20d125689f1

SHA1
de64bf008552e91ae2e86cb85d26b326a1586ddc

SHA256
15c7fef860a8c21bbe882628f0933c98cf5264cbe015fdbace78db97188cab75

SHA512
720c59d300aee40e317b2b0091cbc207eb065d01767cc6babd150ae85bd8050da452439a149daa0c805cc5faea702c5c235f203f76259074de5d122eb83a078d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
cf4f82642d5cafb47bc3d5f271a63eb4

SHA1
130c5217f1d93a138e40097d58b634215663e7ac

SHA256
e374c63fddeb60b95188ff516487c8e376fa2f0ea33055fa3076a52cdc8058ad

SHA512
90ffb8a6e8754ed577ba3cc7359be6c5b4488012bfba19c4ca5722ee522ae92ef6b2849dd0747e4d67a2526a850b89ef84a22d01223119c817c0f68d322115f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
11ac87d75964373d8a5d2f0f49e2142d

SHA1
40119ce8e831e7e1ca75d8d49c0074a48096e237

SHA256
2518b21140400f11e5535ee8b3d4b45f6f3c0f6d726aec1870955d158d8416e7

SHA512
bee0c918949a742ee3179f10abb00b5e4824a690dc4b456e2ad77e63aba8c80238060c9d5fe264dba60c8d34260fe074943a47a2c7a6795053d17d4b4d45ec98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
4ddc362f47734436c43e0181d76697f6

SHA1
8b3e782c20eb1c8db0c0414fe83fb97a3a8dec7e

SHA256
f5abe55302ee5e9b9a806b265ad2071539abdd86fd227313cf5a4e5981151d97

SHA512
9a55793c4f7833e50cd619314a171d02c2816c991afd108c3e6baa324760d0107a0029979080e9249bb2bda24662dae715d836c5e4b358ef1344a8b2ec223d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
a85633ed325a8ba28bbe3c2573ec5f48

SHA1
abfc8bd089d3665bfbe7e439d0489b878b9d0dbf

SHA256
3253d62da01bc9cd45cb953f4a47e61766420d5461d472914a4835118f4fd939

SHA512
966a4f3d45325e6593fa15667f60e6b73e915bf91ba7eae5658810775e8fc3998d68d32c060d23c4d2982d1003663f3470ec3fae49718fac95e4cc1f8a5a393f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
0388309ad38145c0ebe5253de6b0aba4

SHA1
0efc221b93413ce9c5326fc0ffa2f891cd955fd2

SHA256
b05903a9a96d716e13a872a51ae23d342b99646fe828401bc79b4277f737977b

SHA512
f4e8e20d7c9cbc1896bf873cc0367622903c9783c37e0cb1e09745c22568a9029279a9da7dedcb65b290c436aacb525fdf654bcae8c0b3baca92df04547c0bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
a15581901d2a32f82aece2ecd4f3fdd6

SHA1
d2061f50d6c26a088397e6f0a7d09a07b5919565

SHA256
aa0a0e33d6446bbdc51fcf94c397b3e4b1515a7e5ae57ce1566f63342997ebfd

SHA512
b5bfaca363e5cc4feb4af0bc0ea1958e5cd65cd295f329663676c5202ef2c638401a0bfcb122d2f9fd31c6bb0908d480c1cd86738910cef0d3f7fb3eb1dce85a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
1b251e8f0d1fdc50583e4fcb6d4a8398

SHA1
f374033157449682aaed143e6c2c1b0b5a06a627

SHA256
1cb4d2f81228c567d7aa471e71f01eb5ee33f48d0c72c0dd16e98e049f0ad8c5

SHA512
8346bb40203df96f10406996114b9161c15880002edbdfb13ebdb7f148eca40082eca8786207089ae3eecab1cfed3945860600a35bd790a2bee5766a4a00d071

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
ab088d9951edbcfd4edbf73535068809

SHA1
307474157fac692778ab14caf447b25a8c1513bb

SHA256
62058dbea59c10511ffdaeffc6d1359f04497eef40097e5b6fbbbc1d8c71bbb5

SHA512
b107cfe46d51b73715908b5dc85a41eaae3659bc35311e481c93e5369da967161172ffcd515029acd5a7bbc0b4c6f5a52dd8f6c74a36fe62d2aba7190e8924f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
a82b662f2fb0afdfbe35463336f55efe

SHA1
a48093ef33bacc01586c2600da54a8c208e4d582

SHA256
0092ea8724fa3241c0dd2c54c2dbde83162466ede9ee56ff132472534af5369d

SHA512
0a90e84ca8763b0a3fa808b059bdd2df9a876040bb92fe80894403e8ac5ddbd1c32e07d8743315fb15a7cb6b79e6c7bfac918c60264f215cc233d333cf940b98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
1cd37b87efe02e95c44b75fa22933f59

SHA1
7b41fecaba590615fec97ead2010136214a98dd7

SHA256
44d1697f5be5f4693e67c47ce1603b35a582a5a911da89bb0250e9f8933e5ba2

SHA512
3f14a2a60ee85b5195baa5d9af6e0c69c470f6d0906517732847dda53dfbedefde77e1a5462255359c016a7f02ac0052784ddec6cafc8edcf682458eded87e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
72182cae2020f4667ccfae54e58940ae

SHA1
edaf1bd23cdae6e4eaa5a6d3c7268f8fc0f4371b

SHA256
4ad619dd57c9bac1683beaa9ba33e7c25fadd44d02371d3b40fb82a7390cfb2b

SHA512
859e8affd97487e6bdc743266f10e79a18579fc4cea532466ed682a8a07363485601212ebee4ffbdc1404823097321a3364af27546a9282a7914d642f4f5b27b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
3d1bf083afbd095b649d56113f7e725b

SHA1
d15cfd5fa206da8b1ce4ae18de03453745e9bbc7

SHA256
e3c991f79fda4d15ee1b9d2eab7b167c4bce9f5e698e418450e7aaaff3396ea6

SHA512
7154b4d17032c61ac1a7a9d13db9862042d56f3eb8bd3324297967c3eecaba79daf61f40832b24a1275d2cb271e44f0e467ebba23f13cd1a9399dc297ef7a473

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6c7a3da36ddef3befb4cc7fce679c5d0

SHA1
2865464d00c6556a0691b981b5ec5c09b2a4c11f

SHA256
2f1feb98cd1ed3b7145ba0b3dcdbac70fabf00d9da86274af5dac1858a6f6fae

SHA512
e001a1a2c4ed76d5288f3f9d55fc191ebeec1d0c32dfdfc0a12cacde8ef05b51df23a468d48297d664481b88a107bf5c5cd88bcd7d8b36a470751e72f8d07a1a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
634a50882ab2cca10e5d16c1fcd8755a

SHA1
11c1e3673e20e675277995f420335fc47a9b8880

SHA256
d370acc1aeb62d4f030c343963eedc066f5e9a3e80230a0c9d7ed71714a5f153

SHA512
6fbe305f0fcb33d491e2ebc3395d7f3759c5c7e84ccf2379111094f3bf50f9886feeb7b44f3f3117443d080a2a735e6288860b6107b640e1105ec128380a480f

Download Submit
C:\Users\Admin\AppData\Roaming\276ad9f6b36a5b05.bin

Filesize
12KB

MD5
8b21719a840ffb325bf4fe1a82d0ce5e

SHA1
ffc474f428e584ff800c2d130cfc471df7d002dc

SHA256
b2474cb4dac85b410b25e833cec1709b1ad66ce8a4040bd843d95140658cc6b7

SHA512
a737e718dd7b236db6c7f61dc46198c62e22766e0f04bc3806c4824b4c575135419e72f420018c27c8e04bdc0a2678d18158f833f78c7baf6118f6ba75357aac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
05b627d48663ecf6b80a2a6a8aaca2b0

SHA1
e66eec6e0243265846d408999e4364987600e86b

SHA256
3992ca83ba123038df4c0dbe50cabecc51637fc29cc82320c411326b23e96f26

SHA512
95e4a18153e2ba18a518156e291b4a6afa2f60adf56a0868c4cc38e49d7b7186f45d02da4fe7cad43f7004aa8c9ef6ee3d105f2def7f264ea5bacb1a592b1945

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b895060bf9f03a0adfa7c48e63e336db

SHA1
471135b3c17c94b807c42e20881c270602007355

SHA256
a1bdb987e716fecae542bdbdef43db6f54afa08764e8cef5572d888ade0770ea

SHA512
84bebeaa692d156de82935c3f4eeaaae4934553db3b744d18c1123117eda2357392613891b6331cda81ae2fb5fe9d9e14de5d4f58ef21f4cc32c7bb88639a1fa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
3fa80cfd0e78f45ff1344119a40502b8

SHA1
9e6ede9dcff88bdbcaa0dee4d877d7beb3c50e4c

SHA256
d4d0f60c452c788f4c475ef5f47102445a5cc254d82ac4b90e856ed821e09f1d

SHA512
010c9a408c861e7603a6a3c3987a8dae48cc366d35b51795f1fd86c55f54b212df76428e520396e5cdce603e8989d1faa065a80b4b5db8be5b29e672b9bef45c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
01ae589f1fbd322ff357ff3df0abe0d1

SHA1
100359db08b08bf19f925bbcb7eabcb657f20712

SHA256
32d608ca9d5e3ed02d456095d9a25e0fcebdf2dbac8ffe5737146130fbc8a2a4

SHA512
fdf47d452021196a2d5bb704e2018781618f60418b8b5d5c9989e68390841a11bbffeb4af38820b426f25e252d633628b779ce14dab26835f6118d45c7ce79ac

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
2055c2f0208215e9bea1ffdde0540908

SHA1
e4bcf4b411ad1e0c9387579cb6737944f750fd4b

SHA256
95036c194274c413c259b28c72941d4c1d8964910b481127a9568505ebf1587a

SHA512
a31ef0e2224aec4f19240bc24b9725c0c35dc292f2d177946ce2bba1a4abb7f006e9dab403c88af1dc3a31256e98077cdacc1ecfe643494f45099d9276f647ba

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
3121a6005d11d8131b34276ca446910f

SHA1
6d867574c8067a73fdfec4c2242a20da47834fd6

SHA256
362e76308691bd30d04e6e087ba2e5b19cffbb09f25977e505c1bf98967a03df

SHA512
db4cf388507ebf32157bd5846be9e7d1cc743516c51d2116b487a474479dd2fdc21d2a35f75a22db45d3c7fcb2b4695dc47892abd823c10131515d61abd25d79

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
aa4d2397a171af16b92e7b2f86ed9770

SHA1
f995ba12743d00e63d527c28f99c4f3f48421fc2

SHA256
46c8514a18a71f5073d6616923e7640cff61bf2a11dd7a1e44a3f441b1a6041b

SHA512
8a266f03cbf3ccb4f27c9c90097502e197413b815fb7571e0c00599adc098842f0a3edf2ad73611cc4a1a1acd6f4c0440f3fac5b97327ebbf2eadf8019c56e87

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9c14bd524524276b2b17d6d3595639df

SHA1
6704555d0f9cb579fa9a2193cbf93ef27dcbba38

SHA256
10b43b6d3ca6f1bac40f4a4babf007aa5904589c8cb367787dbe02b2c8742403

SHA512
673ceec71c80f9ee60ca28acdbbc37a08cbfee8f84af1f96933a4fb8f1576f184b99fd9b08d78d8df88a17fe84a8c3c900890cc9458522a58191b8f36d770ee9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3c1d167aeddf82a29ca168f5b9dfeaa3

SHA1
41e009104ec427091249b6714ee6ced210fca573

SHA256
1e0b42e29e239f6dae33dde571f41a14db27a442fe758ad5505b12b86a136e82

SHA512
46bdcb5e4cbc65598a4f9cdae4d785de35dbe8f61ddc6d29225046a2c4b3b42841d6919dcb8845a835302eb7cd08fbc414d2c78e4dd21ba0af6c0e340563f06c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
259d655424afae3ff0d985a1aebbb433

SHA1
a51a4f8cb5a3b6e6a41d61d76fe3b868fd10b5e9

SHA256
5175298e7885be29b66d4ff54e11b8944e2e9759fcca6aa8f34d5cb71e7add67

SHA512
99e2098cd76e51b5257ffb7553510a322874e416d1397f739dd65a46d06d3b811aa0c21ae5934dc3329d05016ec569d908ee9046b246bce0f3bdd8107cda64d3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
2f3224d85b717ab048dbc76f80e07552

SHA1
e0c69e5183b916b864915a58d57c047320a66456

SHA256
c55b841d18630e9c225b8881baf086081cb64b64476447d885e83c54dff592de

SHA512
3cdcb6f5c05935c30788cae3b6022c276ccc05b91841fa7b4f65821b501df1a5864cd450d974839c320ffd63677c860ed5b02d2e539c29cc57251013a18eec9e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fe4355dbb0445b7c0f0831653561431c

SHA1
d4553c9e30cae249f72269c62dc5572452e42ab8

SHA256
aa363d8b41bcb724c35120b64f1cd0d6182334c3a10c4fd1f92f73fa1fea9020

SHA512
11a76f078c60064cd9ac439cfc5307294bae96be42744afa0948d3173cd5ed91ba7445fb634b1509a26fd91e5f4ea4ed39d3b077083b2fb2b7f53862eb72e5bd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
074fbafc48ad0c0658b2392af8cd8ea5

SHA1
9b265cf3d22676cc6d1e5bf8391832964be8abdd

SHA256
a3e9c44e7414ae5d400d7570145e59e5d44fa8267d6ca0e2f373301dccda418e

SHA512
f82a7d1f6104f2de457fe2e2fe6258221b4d5d0c08048466c1966ae1cc755cb0aa05613a1d256703a8e786dc425b492f17d00bee7523d96a9542d5350d1638f3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
4e68440d46914562dfd67787633429f3

SHA1
762c2566b5edca91f2fc1c7490e5fe4a787ddaff

SHA256
5c2af8837560b776030fa05c82a2bd688876be969a775d2a44e8b6f258cdd292

SHA512
b5464f6760042b8518cf87c2df7be821ff368d9c4be6e7f78a367c6daf508cf6ce85cb3e0806749a5c0e4aa0c8e5f47f01a341d67e9ef79240aef3166df1730e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
0e4b25a27d9827e2b5326e158d2f391f

SHA1
c05ff67637c59789ea662508c2634c9420977362

SHA256
86fd62cadcb47180585b354b65726469cc522818c24d13293ff28295fd2dbd4b

SHA512
18e02ef0658344ac4f92880085a13a8cf41d1cd661547e4fd5a445f11f28e2542f65d8f1913b6b0ad3c0772478119c40904c8f15e767009771d4d46a3b910e8c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
da30da04ac4229f56b4dc37de68c3214

SHA1
a387bedc766fc124e7c67e2d9a2f7a5af3516057

SHA256
772f254194b80bbbe4c12a0c1a8ddf4a23f0eac1227f0d8c91cd5e2bc4fa8036

SHA512
864019370ba30fc90601c841d85804e6619aee4abd2a443f05ddf616ba07bc340b77002c536ea6b46254533c3aa9075d1fd463e2192cb759eba1499ae838a4df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
a597f3d19cf52195156fd2a03e0ea306

SHA1
da984cb459248295cf1b79fda36e392bfff34765

SHA256
4dc3b339d9986fcd6c9c7b10ff8d55bf8dcad72b57cfc2d341ca26c8ebafe3d0

SHA512
ed2c015e7b170e9d3c15756ad89994d49c9a864cf9a40d1294fab036e2804fb50f5e7b3c08afddbf87767daa2af7538b47ead5a373b7549c024a15eea22b7825

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
00ca20e8a4cd3d8a5b770d3895d92388

SHA1
d7ac6922e06a22c7ca965e4df730bb78ade6fe2b

SHA256
e232adb1c142e1227c94042b92a31635e00f5d4e3b90742536d4bac2a05c9405

SHA512
1e254d8d855bd56ae3018c45d2d4797c9abd0918cd79017b2db2ae9659de879d534ff6c112b875c303c0368ea3519605efbd40935442f214f07f5efc4ab240b4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
177ea3df027b69aea1a98e6c6dff5968

SHA1
c4db4dec382ecf9ef1fabde367046989acc5f9a4

SHA256
404d2933662c7bb48fad23f425328ad4fc2c1c861c3fd693682afdfbfb9577d7

SHA512
3bf6fc21ad8db5afd59e8839d04a0a98be1df818900cccc225f47f90033a78bf80731562b835a835fde53368268659e1f170e0061b3a186943a965e86e31bf99

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
4991a00369dd78c4d167dd93f0e079c5

SHA1
404d297a24076d153dc44a35521b64a389fde472

SHA256
4eeba75dd8dbacef5eab7bb6ced33daefb990e3ef0b90ea160bebb5634e4b562

SHA512
5c57cdcf579411d8ab43c1ffd42768ce0afe150afd11c556c90ed8b2da0500e62679b97d4d416e8ca9764b2764f5cd5ac234c78ef070a976e5dcbd282a12400c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
30f09671e3fe3c524ea2af4a84407af3

SHA1
35f221a91924d1b0c9004641ab7c63222061c26d

SHA256
724b6506ea82253e8bb336ddf050da37c08d7af6c6870e8ad350ce0ef548222b

SHA512
f52d7d337cf8e0c264ecbd30c4dc6e5ba8e218b266e09a7dc21d14ae0f96330c1f821a8c8910d7ca684192420d7a3d81df276863b42d497b696a5d4152ba128f

Download Submit
memory/372-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/372-41-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/372-30-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/372-490-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/784-89-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/784-101-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1588-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1680-272-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1712-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1712-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1712-75-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1712-60-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1712-54-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1860-267-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2128-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2128-284-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2128-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2268-8-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2268-25-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2268-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2268-27-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2268-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2672-12-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2672-20-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2672-467-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2672-18-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/2688-529-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2688-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2844-269-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/2868-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3812-526-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3812-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3864-201-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3864-523-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3864-66-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3864-72-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/3912-268-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3916-273-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3988-277-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3988-527-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4088-274-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4336-202-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4356-344-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4796-271-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4912-280-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4912-528-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4920-343-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/5076-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5076-50-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5076-62-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download