dc2f8e406c72d9eb02d71b3b11bc9bdda52e053085ec240d7d148d988c43256e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
Size

1.1MB
MD5

99aeae0f85d9f18a32c29fee889f279d
SHA1

a0bc20c14d486fbb49a73c74fd1bd2b567ddd6d3
SHA256

dc2f8e406c72d9eb02d71b3b11bc9bdda52e053085ec240d7d148d988c43256e
SHA512

3896d8ee0ca22cc6e769a972da9c3ae1711dc400b53fa30dd15e88a6d02f75dfbc2342b91d9bcad7844a9993d9f15d4cca6318028b07d9789b4e999e0d048292
SSDEEP

24576:9Si1SoCU5qJSr1eWPSCsP0MugC6eT8/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:FS7PLjeT8LNiXicJFFRGNzj3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3192	alg.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
3096	fxssvc.exe
4372	elevation_service.exe
452	elevation_service.exe
512	maintenanceservice.exe
3224	msdtc.exe
4412	OSE.EXE
5016	PerceptionSimulationService.exe
2884	perfhost.exe
3304	locator.exe
3296	SensorDataService.exe
1760	snmptrap.exe
2016	spectrum.exe
4712	ssh-agent.exe
2636	TieringEngineService.exe
4788	AgentService.exe
1992	vds.exe
3876	vssvc.exe
4196	wbengine.exe
4328	WmiApSrv.exe
1516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\594359e4293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exe2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe

Drops file in Windows directory 4 IoCs

Processes:

2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001c6131bcaacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000003fcc1acaacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c17ac71acaacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8b7ef1dcaacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060a11a1ecaacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da530c1ecaacda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
2320	DiagnosticsHub.StandardCollector.Service.exe
4372	elevation_service.exe
4372	elevation_service.exe
4372	elevation_service.exe
4372	elevation_service.exe
4372	elevation_service.exe
4372	elevation_service.exe
4372	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4188	2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
Token: SeAuditPrivilege	3096	fxssvc.exe
Token: SeRestorePrivilege	2636	TieringEngineService.exe
Token: SeManageVolumePrivilege	2636	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4788	AgentService.exe
Token: SeBackupPrivilege	3876	vssvc.exe
Token: SeRestorePrivilege	3876	vssvc.exe
Token: SeAuditPrivilege	3876	vssvc.exe
Token: SeBackupPrivilege	4196	wbengine.exe
Token: SeRestorePrivilege	4196	wbengine.exe
Token: SeSecurityPrivilege	4196	wbengine.exe
Token: 33	1516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1516	SearchIndexer.exe
Token: SeDebugPrivilege	2320	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4372	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1516 wrote to memory of 2060	1516	SearchIndexer.exe	SearchProtocolHost.exe
PID 1516 wrote to memory of 2060	1516	SearchIndexer.exe	SearchProtocolHost.exe
PID 1516 wrote to memory of 1600	1516	SearchIndexer.exe	SearchFilterHost.exe
PID 1516 wrote to memory of 1600	1516	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_99aeae0f85d9f18a32c29fee889f279d_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3224

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1760

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2596

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2060

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
2c0b72dda9af2e6f3153cd6b4123338e

SHA1
2ca08cf99b9f99c7da04eeb775a26baa1fe913d3

SHA256
a96ae2439bda66e0b9af99e16e812d7dfe9d0dbecb3f75d079665a4fd8762dd8

SHA512
94bb3d5c192a59720c56d1bec59d09b8a3dbbd2d9474b4b12dd3ad71bb8d34519b49f9e0f81a3a5c6a6bebd496202ddda0a8c5ab9ce90d917a0e96273b443cef

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
18f85ccb1cf3ed80f820306525fd7c10

SHA1
b2cda1735f14cafb91af2ef56822b6db4abaf292

SHA256
24b63aadae0bee33d733ad655168da0aa08e1bb9d8a1a32d0a3f06dfe40433c1

SHA512
5e67705ddc675857acf8b8d6c3f58dbca725f33eb05f00069e1d573cc2e639716d12861ba2b5ed7b9773938b5b8b5f625348fe887a0a496155373fa7a2957cf7

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
cc16b93611c3736a3e70063509a7e76f

SHA1
76166b2be6d540c22cba3063864752b092e31716

SHA256
b1aad7da1bf9ba523e0bf2e8531d3c8f4c7102a0925ede8a685198f5a126d02e

SHA512
96131933ca173c57585cd1b765363bc5658adbd5924cdf95888d5b1cf18d01581b70c3e8062644323b90a939faae594bcab50a9c025cabb1756a0de1639dbb2f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
ef69c954aa25dd11485d7177317e69a9

SHA1
8968d5e02015863603fe5e6bc848c9dde90fd4c1

SHA256
4c3d891f138b3a40a6a2127e2e28380603de49690cfdff99feea5b5063292333

SHA512
3e85dcc8af3602dafbdeebe13cee315b3a340cba9976747baa231aad2f72552ebe94d534f35da4b5986acae1e509d71f43244d37a77b2c8d41f2d7a7c91c8c1f

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
523d32ce43026535a85c55980966c8f4

SHA1
d252bafe80d4dc796a615eddd3e2a53af9921ffd

SHA256
d4337b79daf8d76aa57670b24f8c31ea5c5ab98bc8dde166a7abc0341005e23c

SHA512
388c4e4c068e6a32bdbeb453903a8e872dacd0bf47a8bc56ed0ca6cad06aeba16712edc35ed95c3e53262a06b8a8e1d5f106c4f9963747c7db7577702e11d8c6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
8460816db21db164911d81e01183908c

SHA1
131477e8f33d52b0622d8334c4911502a7fb27ce

SHA256
b8dc93f24d4061e11be4d2055ff65dd1c470a580befbea2e03e41e7f64487c79

SHA512
496757e3800a144ce4fd7cf4e479d8325f822e77be077b4c0fb63f27542146d03d347d23ad5b8448f187ed81a6ae94759178a977986a8036951c06a256143cb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
d236c85936688173c640c73a52b67b7b

SHA1
86c2dbca02dabc71996c8acfc2c546c0e6c918f3

SHA256
b36d111ba1c11ee6fca74b37f7ffde2493e3b4e0601f9e0b388539f748ebcc30

SHA512
5180a968093c4771e665a8c1a34347e0c73e89c978b05d0e58ef1772bc2eb3179bda9d225d3f142d2b6e095638cf2131c45efa9402253f93911ca4caecdf436e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
33f67bbf20a27a7875fe94c201acb12f

SHA1
f9bc8cb288e05e8dfdd10ece8ecb2c161abe5c7e

SHA256
c3584e928639aab9b098361bcae8a7261e20090140edca6e27f4c64fe8f0a7ec

SHA512
5a78888ff0535bd988faf8cb5a83d24597e55416dc3406397536fd9315776cc262f09aa39579d34ff1c19be85d9dbd2095010165683997d79dd5f591f0e2ed4b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
504298bec95298831bdabf65add868e8

SHA1
a7fa1ed6aec6608d165e97e99c8e8ca63d787799

SHA256
8b2f400898bbe8ec8aedc693f1c00c18683824ae0c4788f797b9daf6c561678a

SHA512
18b32773667429aaa0bba3cd709030b98bdde76b82692b0a3606a71c0904131e4160e507e48e2727c0599014ee9c1a0db4a6e1b6b349a9b191be1ee20df899ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ff245f09c44ac30fc01c7006358fa3b2

SHA1
a8c5b05bc95e19d53443e2182bb578113722750d

SHA256
9166b612c38ec7f22cef1638f5676089d46792e5e1f4e80aca30fe3950f0b8bf

SHA512
690023ba5d6fe7090209224cdc83928ca4b31cf2e307419efb4dd65226572eeecf93307b5f2f79eff2aa603d138c18eb92629e66e7a2d5dd5d686cf36bddca43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
154230208bf687fce4422e1f73766e1b

SHA1
fc2097ce06b29b4c126cff54a66f18941e0b31da

SHA256
9d2d10c0b0550ac849a9496aca313c7d314cdb79088f82770beb3df160e21dec

SHA512
996f62231c25d9844bb4d8adcb1349f97d6f3ccf22a9a4b8a1c294c675038faa91916f41c59bd4c982c0342b02f6816a3d1ffe634f80c3038f62a0ac353706bb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
93d39be898ee70dafcfeca19904ed1ec

SHA1
5ca4f89238faa38fff9610b441a0227ead2bb232

SHA256
ee91dfc852b41250fba23277061ec4c812991c723ba8ae546490bb24328eb3d4

SHA512
d467333257d35ee48f35ca16476c9c474c4c8d10cfc840a9bbd742e41e1295d594178a0cbf648afccba2c1bef78aad30301dcb1d3f9cfa8e21e2bb3d82d8d87e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
3caea2919e64894a0dd44b132e131239

SHA1
a689ca0bc0868b138a4fbb4574537d5c3f1e9da7

SHA256
8cf762ac28a9c144ca87d5f412efee3727c7950fe175283537c518bf0b4bf920

SHA512
1f87c0138eeb260192d4c0a6a159fb846a4131ee8a1aae24c33862d0f60e69937ec43e1691661a1eed64af1a7c21f344d2e28c10d3121958b675c1e336edf8cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
df38939328a7c89529fa8a41be178884

SHA1
cb91cd165d6d96e53791d10c4b9f5b9417ea3d6b

SHA256
94525d50f44c42566b3ce244b903098a9710e8dcf93442fe21bc3445480c9acf

SHA512
586496a3c2a935eb7a7cd83aa818d3b02d70d2a392d2340ddef92832a6cf293eef1ed11821c6193a4aac2c68a4d0c3d66b293ed03b5ab053dd5587e134b29e63

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
f3a6e453cf082fa2539e699c06f278cd

SHA1
9c6ec4831a442551f9142fd593c5f1d037b4f3f3

SHA256
1e297707783ec02894944539cd3d668970e17b9d44dfc2107c2a33d6e677f32b

SHA512
6c8e0bf093861da684f9cab69bd64a5c60672d548973af38ab481100a6a4ebdbe52d4944f1981aa38163d3df75448775c68ca167d08571b80c557106b5f9c577

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
9ef2418c56231ad408daf7fcac26f279

SHA1
43da9a445f00091b0c31eaa6a6d286b914f0c26f

SHA256
6bd92383e0c9ba77d64a208a8d295c858111b6e9367643c8fa305f0690eaf093

SHA512
f590dd0c39f87e9417a1d3fd85d7d78e6dc53ece8b79b9d55fe75b92cec91e7f3c2e544b430f2d6ddb976526c8ac5441b4ee47fe072e1f3f3a10f13ab3dec884

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c36fbf816e175e69edd6c44f0e9da362

SHA1
e6beee7c168e01583d672950a2b4db31db81b471

SHA256
34f00eb165c17e46faf1a323620366589dccde8b5ec1668fee5ebb96ec01800e

SHA512
0030edd619cc63c0fd41e071257aab7903e7e9123d739c97a818a3c31f84ac6a5fa434304d64a42ef58ff7718ba4a7871bea5f3b53b0fbac320f22cdc55a5ae6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a6ef631b500be864e9ee5fdd1547292d

SHA1
35d614fd5eebd9e9ee43eaec2bf1981de14421e4

SHA256
09268420205698b9042fb0efc7898b17da56a8c3634c9240508e866cc07abd32

SHA512
62062ff7b5a438e5a13ac3b51e9804348d1779aeaae79fd33dee10729a32537f84ef97ba033eb9d5d436e90a7625366c4736042d05965f441048dbe8a5423e68

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
8c2eb8e2758a57553d25e07bb8ffeff8

SHA1
3a3c5725aa7b40abc7e6f6b07b7baecd220a947c

SHA256
587bbf28b2e65ec6a270d681353dcba700c44a09d8ce1c29d3f0035ed1af2f36

SHA512
e2917c9c6c45d08e9115899f553203bc2510b7d7627a8e2a2a9216946b8596ee6fd340d2b505ae8b9c0cee6d7b4f4ccf65415b6a9c7b04360d51a90728ea7aa6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
db112330731003293136ff66a087f49f

SHA1
d8148d753c52ab2b5fd973d351f177a6a1eb042d

SHA256
e7bd7cf1946b118a7a9a4dda3af993dd19d17d6bb451d6f30c18b6c0c9bc2fa6

SHA512
642ff393303e340dc5ece73414078b2d487a1980dc4af535048c5a322b1da02031236fe73cf9ac8eb918d5dfffa42e4f56db89440379a6d8a07b52e74b650109

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
2884c8895a214095bc06ebe65775091e

SHA1
d0d6a3a981cdc42c2e571f6e272ad7c390acd078

SHA256
cacf8d9260c8551755a57aa8ede5e66722591c6cc12099f2e6eb7d6226c7fd76

SHA512
ac86e275374f2561f36a0f5f09719311cd28f3d2833afc56e083ee24e190eb1f7f5a54bf3af2d02cfca95df8af0f6c61da49f8df7a686b4d50e5e0c033d4759d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
91ae23698543305964a4c5e0c361ff07

SHA1
e1c52bdaa447ba4491a058dc681edb6b236dfce2

SHA256
dc6a97a0130708a8920088dfcec3600b52a95fd2eba1679f577da8666fd33e96

SHA512
8df25587a95ecb236d48454f4111e37e7262d7455706df2368c1d4b87cda0dbe26612331624918f89ed1fe4bd174bd868ac365f87e8ffa5112f990301290aa5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
5356caf3ae704baf20b814b700515ed4

SHA1
2d070371a8550f7cf59c80b8ffc946700837c386

SHA256
447147356c73c53be49e1b075b9303ef086a9401189f75b0de3fb65fc775c1a0

SHA512
2744c20a1fbeaa4d24c168b40a844953fc91c3f13773834f13c4c786ee732684ae03649c8ab1ce53e0cacbd02b06cfbc7888185e2b7bce99826ba7827768f3f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
b28e48e3d13ac380f6a64ab3c6655fe7

SHA1
e67e1366380d51cb2fe9a1cc73457c79c2135ff6

SHA256
d7cdc8bb3c8569e36e092ab1abebfefa5949350d1b89ee528aebaf358aff8508

SHA512
4a4dbbc838dcff09dbabd1fbdfdfd90e897f5c91240c7ef6bcfa112f09e0a48efc11522e2ef4fa2ccb1fbf789d56d0f51189f081b72408d3df33102dd55f274a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
c8127cb453dc2210eb506c096880c244

SHA1
58b52d63899486e25680af4c6dd51f0fdb9f9d85

SHA256
16636b5a081174821a38311432014838638ca6f092663e15f2d7d0e1c7a2b0d2

SHA512
78504b81a06ab57a8cfbf7ab390eca6511b75384b61f2fe95b180466495d66eaed1c2b82c9ceec67fac2e795cc5a5e786c063d21b466744225c8fd659ff64e7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
63100c3e2ecf32226cdc1b849917db1c

SHA1
26c44943b144d4e804cbb8d6a86878eba72e6424

SHA256
f4ff0b82ee58c64715909cc7a14deb18da1d0f01fbc9893e3505e0091fca33e3

SHA512
9b932fe8092da2ef98e814f4c9d09c2ae06ead23cbd96b89839e7522e07f527911b27ccd2c5b56ab3ede3da246011c8245b5385224dd6705f506e8d396c68f89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
854abece86414c9ed3a5abed629cb7a5

SHA1
49cf45319043518336362c3cc0a4e425870192cf

SHA256
c2481b8ed1a79651e3b1ff24985b99ee74204e4e0b678dfd7d70ab24592a4cb1

SHA512
f206540fe197bbc7d623f8f3a7f6f6de03e1d1539f9473a4e6bbd682664ca8b7bb6f3f7eac33304fb377067e275e4dab74cdbdbe189d2c82b9e07a90a9098ede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
3fb48eaedede390cb03e645e7fa6f6a7

SHA1
c8fde46a094d9169685b5d9a4a214dc5d8abea92

SHA256
d179fc3d96feac6095d60a90bf3b883e76cecc3c55a8df4d1c2e259af41edbd4

SHA512
7d70fd44407e06d59d353ab24f221e6bf6fac0788b0ceb2301a37790dc1263f7497a55c272c0aeb54e950ea8ca556554e1b7249e3315df4a51a3e6d2defc3d52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
8ca1701e86aaa54dba52925429bfc066

SHA1
86e4feaea6234f8a82de736cd599b78ae997349e

SHA256
360372118cf4c84859617d42fb613a62bfbe74cf3759cdc7e689552e9ae22270

SHA512
a919797c55fa012f83ae5cfec9824e68097aafb436a89f85ec681999ce36eb211b9d4e14e66f8ecb74baee4a4b5410d2d43bce49c6ebf666e7bc99a022e3890e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
e6c3564361ac775f6e0f0aca26f0116f

SHA1
54ba8d0e4317ff71835650434d7279cc2490abc8

SHA256
ad158afdcfa1f67cc1b9f38d0dff5bce36a4906c21a00a149a08707e893b17b5

SHA512
2b542e2463ae2b12f178e71452b347b4ef486f91d7866e0370296bb846ac89530ae816dd2076e6535b557c93acbe3c55d31e55588684c51c6cfeb6caa446e433

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
8eac3f4efb5ff7090e5e2fb02ea1fcbf

SHA1
959bedee61ce69ffaf5e0598b182236ab7931a44

SHA256
7cb30c6bd9ee9ec2d36156af502f1fef729aabdbd7fe60748bf8ff5ce091783e

SHA512
3a8a6127635ce40fd9ef0cf62360e1c83a3d1134d44ec68e3eca6794c823bcf53b3b8b9f48cd8314bb6472a422ceb7dbefaeb0918e3d100a96c2c13b53d93b30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
4b26499bd9fe1e2d8a4cd451ff4628f7

SHA1
b279cbe748c9b37e007ed01d77ddc4057c70e25c

SHA256
26d8a0295140de1886b498191db1df0758d37dafa24084803e589b4b55fc8b94

SHA512
59c34f1336e951b2efbf8abbfc813d3ffb1cee5e92624a3b42fb377adb388cd79adfc3c71a58acb78365f2c869dae57b7d31082e02c8bc3543becb3db8b17af8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
25a76bb23b13c627db7029ac211aead4

SHA1
23fdda545468c5a6e82bd26ea4e4cb787883efec

SHA256
b834f587b212614415de881768fab086305a8364c3a072bf6517383c5681525e

SHA512
313748b4eb057e21e6ac3d943051e14b37842525674909574d801dc9b68d50e810d223367f7b85bd994b279701906ecac84a649f8c2d6a363d88ec0921d170e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
c8e4f8ba2d52781c087f6a6967e0b468

SHA1
9379e9aba57a403c4075b1602cf206bf740e30c4

SHA256
14a163b5e828b7118cbd065ea0e1d6430294a8eeade6ba77ba43c928ee9485cf

SHA512
863334d88cb5947b690d2e50a912e6624ffa35ededc70d0126d475b4b942c87fb49b449284410990a4dd7018c4e1ef0df350c767abc4cf465dd47c433383fd82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
665164c8169cc3b9dc50f03e90f60db3

SHA1
7f702d89f94101f1101a69f189d47bf5f1326288

SHA256
72d10b92839b61ac76be186124ceb7fb1cebfc1bc438cbe82e8f4ab1b31fc81e

SHA512
af6a861999deb96f303d285a2cf8cf0ee3fdd50bec2806248fae6506730a57c87fd00e5cb33e682165d9ed0a51e70869cd3f0563be39f42ee4e16c84e53686b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.7MB

MD5
430285b4166489a43499eaa61e68e690

SHA1
22c5da5e948cb27a02090e7e5e4483c5856bf0f0

SHA256
193c149517db4935a4513dca7b8be5d11614e7aad475bb1cd6361e9eb4ed565f

SHA512
fc563447a22ae801b6774c1e84bd79a11b035a46dc62e6c91b2ece3c8a6475a0896c71891c795135ea1285d281416816632f877d536184cff1a97f94a264a714

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
1.2MB

MD5
41617086c5687c1640815a46fb9d0db4

SHA1
c877cbd26f619cefec491648b8347c4765f7d26d

SHA256
dca9f3bab7127ab03544f82a21998a2ca9bdd8c3e6ad6697349b6919fec04be4

SHA512
269aa42eabf02844f8405f0b06ad23296e3b7c1159a6f0fa40f7dab5c6b3e0b70b78b77ac2b541161b0db89ae9973b608a51655a6063f7b903f2576ecc9fbcf7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0da07c4ba449b503589b8852b9f8e6d7

SHA1
ee6d6ff5e7bdf5a2c8eefc464c6a94f79f2c2187

SHA256
0ab42c5fb147616b39143fe7d05f86b65857adc1a1b8eae92c0e2a12214810ab

SHA512
33a8f8716e6160756fca47a0bee3459ffc8146d774aaf464482c2aa0fcf1d42e01d3f898f90ca0bfe28205dc60357147b150303334efa40031a4e96dd7cf8cc8

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
67e672cbd598ff2fde869767ff2b6c93

SHA1
b522ae6e47074fe85c136cdafefabd7618fa2bd2

SHA256
3287013e44b77f2d43a6cfa39b31da6fa7f7e2eecaae99b7b8668cda0e90bed0

SHA512
0fb1cf6c557d5c3a10fe41e09f242a2b1509d7b1cb7f33ae6a43e8e12c787c1ba6dc233eb6f504657976aca3d3623a21e23d677df5c8572fa62fec1f5832456b

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
49cce72297a1ab5d550bfb648e5e9213

SHA1
d701dc653df6d2f98d2b95d06de9700d72cec4ec

SHA256
5cc45b41aedcdd7136f0371532ec274a4c2bd0e2b8b4d2ef3dd008e65b8a48c1

SHA512
151a34c6dcfb224b11b7119466610404c0c8a4e59762dd2433815925b2270d3252f8d45cdd65ea93b7dac525f415ea1547b248647d7ca132c0a187d656f89c0e

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
dcbad24ebfd9a1433febb1e511e68cfb

SHA1
c1bae6e8dd889fd08e31d805223a508017b5d604

SHA256
2e05e4cce98f27f92ffb913061f45f3ee01aab785a8cab0304d9193cb1e9e772

SHA512
b265d6fcfe7ec060d8f482adb327928c9315a06272c6af73ec7db5eabb65e8fece7805608fef38c7bd17e589ff81da05fa6064b3ab162ff1d4d07cd23851f8df

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
f45f9d060e206b1d476c9afe427daa4c

SHA1
2998336be43a0711f4aff42e45140ccd3bdffdb0

SHA256
fe8a9adc96023ef5669451351a8ea728e2ec5776422370956b7926ccd87583cd

SHA512
6e9be6d438854e30a3f472dd9268f37aa91cf843cf99a8e7a730f89cea2d6aeceb3648b775bcb00f8a30317f3d5a0fa02236a39a7aaff02cac8d9826a7563392

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
42ffcec6f989a356734792b8f146e033

SHA1
e52a249d1f7c5bd17616d189c4e42c4d42667994

SHA256
f4f2769e5679ffd83b453d1823220620d4fc0da25b1e7aa320ff072002770c76

SHA512
a35dc7c9a3ced829830cc21eb32d364e3c3579cce290ea4a167fb36e4735c81b835983cd24d1bcb323bf9073d11b4298aee144f60e41d51a63a3890fabaf083e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
d169444bc3e9e9a4e9a82074b66c13d7

SHA1
7d1c171e1df205d1fa25ff67932c2f25380fd252

SHA256
872ff6f3be97023289fa6b2a06dd08ab00961113468c595d7f5b459c868bda50

SHA512
bbbad4fbf88bbf12e7bce13393e7ea7624b8cd0d0608d4f2f9d0d1fada9cfb98fc6cc29ef4434c9c1cb284cbf3c6665009853919b50194cb06019555dde674fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
fbdd82af8ab2fd265215f06315772ca8

SHA1
607ef84a7b9f4ae7d8847d0accefd7436b30f5c6

SHA256
40533b113811767fc6a74ace330c49f32d5e3a2071ecd0c99e70c8be3ac3e292

SHA512
0a57c77f607f6b400096476a6cd895d87348401aa782c627c1b2e7d45150903a636224dee61b421e37ca3cdb3d727a3cfd706c1edd995439f9cc3426f54bd32f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
9798638c0d694da3bc6aed3c831010ad

SHA1
f5faea3421d1c73e892298187f4a99f333830178

SHA256
ca328c8756a14265bd1fa71188409be75a05119f2cf56e4ded4e307b62c0f902

SHA512
b6ebf86ed877dd657c8004ce606508f8868e23925c29deac3ba8bf062b2c45387fd1dea458e290e33b50c6ea68aa613d180c47408e40f4a2725753b40206b182

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
9a2d42bee32a207f5c8823ae3ceef29d

SHA1
5205d9371e6dddaf617c9b21cc9572f18e78831c

SHA256
71d09a9ebf4d2d05c270d1b4eec7b3d7428216e78a3ad1b061529c367ed97117

SHA512
62229eb67b990f77e5db100b6fa3a918d08e8b9c40bcc6189e17deb3d371e25a1dfc07a7f710c44d65a03aaf71f78353eea0e8047fbd6bde4e4f19cc45b9662f

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1e62c18ffa1fa7aa31fa19eb74dbaf50

SHA1
eefabfc663970967ed7c3bfd59ba48809b2eecb0

SHA256
5fbb9f4403b78753064d277675dc3560ee5f34ebe0c2a31a430e762b61e133d2

SHA512
106e94e94df352fb90e1d12d2037e8176350dd30fb7645167b17f05f054d6587a3e8f41ac5208a6edbe109518bbbd14dc902ceba72a6d6a361196b5fb19f0ac7

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
660afc1ab356183a51d8ac485ddc7f14

SHA1
1dd82847640ca4f4234400cf33b66e693c76b6be

SHA256
d843a2a46e07aa0af7a71db5c4cd806132188ff44df528dbea24d7672671614f

SHA512
99e9225bf4bd8ff5f3d00bd2489f83987f3c0507df8bfbdafa1128a595dae8e2a852a743ebcf49644ad4e3d9cbad58a2c42c021ebdc058b54635d15a38c63711

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
817aa0e0907162356d9066c75af45341

SHA1
f99004a6ecaef55e5df034d649e12d0381876c78

SHA256
157c090119a97959f1d9201d59da58bc5e3ee59a6c647bdc57bef723e6e73521

SHA512
8ec217bb6405a7fa8fb8a3e940560bf821e38732c43f86d76517528c99bcb97d0421bcc70cc19eced5dbb839024f17552fba7ddf28ff98350a12daa849838e95

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
883bc327b75e0d9d8c5ed3ac39b41934

SHA1
3b9e791419eaf429a085b25974a8e2f77d6e1ab6

SHA256
a75200853723308f754368809ee328a3eca76cd087df5521652eef48f4f86817

SHA512
e47c1f6ef3b56298f79f3dabb058beda82d212306cb2fa31b5b5b516704a877de0d1e68c2d030965027cd08372a26c94ee551ced32fad1f1c6ec403553518a87

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
06d5834c4ed82f4dcb3c6bf6945f64a5

SHA1
9175716a7e142896d56a5f600d27c092dc43d41b

SHA256
5715638e8573f9284f4c7d7f2f7f6d21334bb6f5d1c60453cd6860877315ee6b

SHA512
31efb85df7a1af62fdb13ca99548d224c2173575d46a4778c376d6e7c2aa3d0848b496eb10871b37d88133af19821735fe0bd1e496823a5981302c2a3c43e808

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
c9fcd92d4e903b8894f779d0575a2b2c

SHA1
e968c295400c114d533b5a3a945af3c2f61323eb

SHA256
1089ebf565139c56dc3a7681fa187b1f3703684a5d0261118179e35589dddc8b

SHA512
a1f30c9d9056a6320bee2f3d8debf07a5f423267f1718bde51c1ac9a48296c5f59c01f2d2c4682c0babff1a15428c564c598effe9167448aa6d1800772a035d2

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
2f9966e87e2bd0f6f7941ba08e4c8b8f

SHA1
27378c45cc8741ba566ca9b3e5a74becfacebde7

SHA256
2577932caa693fdf50608550f3a0643e492e7ce25e0483d456d4c38cb2bbcabf

SHA512
bab3c16ec796c2f286bf9502737fc966160a1a4825470af26ea6b6edf17790c9625f5434893d7fb10bb3ddec185920c79b3df2cf04cfa76e8a717ea08eb18006

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d638ef8ed54520ca2629f785af849c8f

SHA1
a61db333313f49509e822d8c1914426c21ac4ac9

SHA256
90de62e414955894cc57fab617878136c9c03317a5ad1e26198868c3f51bc227

SHA512
90785745f353f75e0b7f3b5e66ece77e2a411530fc80f9599823dcfe4136d6ce0ce361952f1cd031c951f14217252723ed7c010f395dc7d60d35711cece19e16

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
75ee5a439292de5c96c1472d3efe1cdf

SHA1
df3be2aa6124c66512f6d675436c0d46bc0dbe75

SHA256
a6b372aef32cd847017bbeaec13361b2efe538f5d16f8aee3f07dd1547649866

SHA512
96edc88f10135a8764f9638e80b59c40e46a474d5bef8e9b5c6d7b07a5a01e87a8f1a4d0aee6c603014aabf6bd07ec88d38db84a1ead8d44b8090327a2e165b7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
165521d2b2f7e916bec1fd137427dae6

SHA1
52c7324e3ba0a31398642f8259e8ff9cfd3c6882

SHA256
feb9ec9ea53a2ab87e755087f12f6669fa7f8b2edd89c99e153e024484968d4b

SHA512
99d94169609ae6ae3a7d5403f89170e48b3e43ab661b206d1aedb3575aaff47de991f3a5d18443d1da9d0b5e3e053f3de261d3ef347c401714f6fb0c71235e17

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9774a0a0423280fb9ff18874bbd04ca5

SHA1
3986bccb60670cbe8c9ca0d25b2d2651f300a3b3

SHA256
f8f2809ad7484843087e6bb25ebdf1eee431809431f84e7c5ca3af859498e584

SHA512
38753f9a0bb232d676e1eb6cae0998d4f84bf9317f11a817acf4630c0bcf2a775dd124f286046c5afb2b847c9a01569e9838004f8320f8f6282c72bea9066997

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
fbe60c8546c408cb1bb7463f42a4e916

SHA1
e817a8268f0d1c6b8e896250be65bcd392b8dc8d

SHA256
7f1055de37f5af0e45c84035aa9a1033d70429f81b90be623891da79663a7470

SHA512
95cffdc50164779ce251a90cdc03d26de337189a4b943c7c63693ac3397d5c00fab98571b1c7ac2eaf3c39d0fe92f8b5de446aad77c536a0e092b7bfee0f8e51

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
74826c347cea28f9744204ddf1272368

SHA1
6af2aa1a8f0a83ed6c8a3359693082426120d158

SHA256
c71240d195809957b323f72f86d578e1ec6c67ddc341b96f567ea7e4a920c6c9

SHA512
34ace8f4f14751a7dd28e7f22b4f33f150d5b42f5179422b8aa673a86e9ccdf24b5e0b0bb09c49b2b093c4d8324956b375b303e901ab9b10337c2739c8136ac8

Download Submit
memory/452-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-487-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/452-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/512-55-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/512-65-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/512-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/512-61-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1516-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1516-488-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1760-161-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1992-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2016-162-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2320-483-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2320-17-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2320-26-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2320-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2636-164-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2884-158-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2884-103-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/2884-98-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/3096-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3096-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3192-14-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3192-482-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3224-82-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3296-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3296-445-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3304-159-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3876-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4188-6-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4188-0-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4188-9-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4188-357-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4188-361-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4196-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4328-168-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4372-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4372-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4372-39-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4372-486-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4412-78-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4412-72-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4412-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4712-163-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4788-138-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5016-157-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/5016-91-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/5016-85-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download