9e94aec497b7dd5a3ef5871789ed71ae334592c72c863e2ac6b7bd1547a1a324

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
Size

953KB
MD5

dadee5a4dbf3fb8740eed3cf4c884249
SHA1

f2206df55dffa3b7e41a6bfeb158fc6470bfed2b
SHA256

9e94aec497b7dd5a3ef5871789ed71ae334592c72c863e2ac6b7bd1547a1a324
SHA512

9e0801c6aeeb5cca1e3b914f6ff9a9ffb8eef9bc4978fd043f28fe2723b93eb098cc344bdb8b3ea45917de8e5c5b0405fc2d63e5bdc07aeb3970f1ffe0c43956
SSDEEP

24576:4Pt3+TporGvTWQvsBhvn/+h1feNLwexaR8cKR5CkJJFJ3ShcD:4t3+T4K5EBh34cNLwex+8ck5Ckb3SyD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2968	alg.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
4204	fxssvc.exe
1064	elevation_service.exe
2848	elevation_service.exe
1444	maintenanceservice.exe
4004	msdtc.exe
4908	OSE.EXE
992	PerceptionSimulationService.exe
3524	perfhost.exe
2680	locator.exe
4492	SensorDataService.exe
4368	snmptrap.exe
4308	spectrum.exe
4596	ssh-agent.exe
2124	TieringEngineService.exe
4000	AgentService.exe
4352	vds.exe
700	vssvc.exe
1960	wbengine.exe
232	WmiApSrv.exe
4488	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae0934ec16be280c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_94843\javaw.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091ecfa1954dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d7ed11a54dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e324151a54dcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cde9191a54dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abc1311a54dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000719a2a1a54dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005656e91a54dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9c4f31954dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
3324	DiagnosticsHub.StandardCollector.Service.exe
1064	elevation_service.exe
1064	elevation_service.exe
1064	elevation_service.exe
1064	elevation_service.exe
1064	elevation_service.exe
1064	elevation_service.exe
1064	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2020	2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
Token: SeAuditPrivilege	4204	fxssvc.exe
Token: SeRestorePrivilege	2124	TieringEngineService.exe
Token: SeManageVolumePrivilege	2124	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4000	AgentService.exe
Token: SeBackupPrivilege	700	vssvc.exe
Token: SeRestorePrivilege	700	vssvc.exe
Token: SeAuditPrivilege	700	vssvc.exe
Token: SeBackupPrivilege	1960	wbengine.exe
Token: SeRestorePrivilege	1960	wbengine.exe
Token: SeSecurityPrivilege	1960	wbengine.exe
Token: 33	4488	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4488	SearchIndexer.exe
Token: SeDebugPrivilege	3324	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1064	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3488	4488	SearchIndexer.exe	113
PID 4488 wrote to memory of 3488	4488	SearchIndexer.exe	113
PID 4488 wrote to memory of 1604	4488	SearchIndexer.exe	114
PID 4488 wrote to memory of 1604	4488	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_dadee5a4dbf3fb8740eed3cf4c884249_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:992

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3488
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a26309d6704d3abc9a0b08972e69e3a2

SHA1
ccca855c5d3d27a91e15a6f01db16528f5c32248

SHA256
9e43afa95eeee5f941040ffeeb98f7127001bea7dd3c9a8d62509c83cf3514d2

SHA512
1b229ace454af56137a1324f6872056818f08d9e67017e2c2189b4fd21926eff43e85a89512f4ad9c5942789c853656c4ba06da38f1c2dc90c18de20027f7501

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d37e55c015396911aefc9a735cf3c4f8

SHA1
d31194b42a2a3edd2f15d7b1400eda532f8bc34b

SHA256
90e2e101d763b865d25a16952305d65872dda42b7509df44aad86645eabcfb8e

SHA512
9d9bf63800e7ab0e9becb0dc386e7acaccaf2a367a25113b9cf3d9cad0017cc06e17f640a6fa592dd97860d0b8f6a5ad32f375c46aba24af3a666e722ef39c6c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0ed4a69d7e2bf0a502ab099d1b64632e

SHA1
f03e04bfaee0e1b9a3e46478d7084f8c834356d7

SHA256
76b5f871e8f2c099cb2bee8341d76b7ee60baab91001390d6264da8616c3ce0e

SHA512
104170fb5a923455fb8c9662bd23162ea385b206f74cb61c329d14c9cd0b5a8cb7587c4308e61fe47e570ed0e4e22fc1020611ababefc8b4ac36998e287e301e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a8d03902bed38b317ef854af258f4c30

SHA1
23b0115f9dc1a67ab2b3f4e85ccc44431aeb9f4c

SHA256
21fdac88686894f6e57e0dc47830e4b64c2756bfaf043d2ce9b4f5baee9ed330

SHA512
81b5ae094a32fca5678bb8b62a66d34cdf887fb13a433ccb07b70787520b7a53b8887ede7de6ac19022da5a34a80ec5decdeb9e22496e1a46504a95cd1de8173

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
72d3c8aa992a2191877ab346aa73d270

SHA1
c07ff768478b5db27a8ee8066055861ae28fbd8a

SHA256
738a9bb4746d465bb6161d569844b88990cee95afd991b46b20ad478b76c431b

SHA512
b5aaf3b358fa28d122182626e1b03aa0af8848dbe79021915ccb64f3f8e73385deb170c195e82295ce92ceb8eace8a627c3aab0af665a723bcfc480b1123a1b6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d8d86003a9c911e2224fac875cf6eece

SHA1
bdcda06ffcec1cb40a0d7dd655dd0dc31597fd15

SHA256
b05cb5e8e4e32830fd8c21d321bf61ae8e26f212d7ec60397f55262e104a0bf1

SHA512
8f37284cbd48276f400e5256fec4139c6545e7527c288afec96e26be121fb2cf3eed20a4d4816171b16c399ddcf4d533247e5eed08ad9297998f7a63060a3e36

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
454fa0c6dcb70bfe4367376b9e334a25

SHA1
82c227e2f6522a4dcaf64e7e0b47da04457188a2

SHA256
f9acefc1e2dcff2d0e1e9ea9ae8674996540c686f415412bbe0eebb0a94cdf2c

SHA512
23a6c3cf1fc7554d2923f64b8b73992310ecb841a11f76b0279ad2f3acf149e0d385a5dc2633f435c991a575a882fb796e93d1daf531c58ee124adda1e39970a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4e9062f1b34cf340c740cbaa51f015e0

SHA1
6bd2d8a578dbc711ee0e9fb65210b732431f2258

SHA256
2fc64936793b7b6f34604e0ee29bd146ac58ca354d5cf3d428c61433e89b2009

SHA512
d0d29c11e2a4e5f3f48ec67038c61d299b3ed23c9e5ee2403defdec93285a7de6202e63ac73becb50fe9ee6252ac9f554732725c1e4f73511ff50f4172e48cc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9b9968f2da91c3171d7a030afe5472ef

SHA1
9574b3325282c9f68d83bb91dca97cbe795a4ded

SHA256
218a5744b2523dea8c46927e35866493e8ba0a6cc2699efdbbb2cda59d758b70

SHA512
3f0a805453fdb281e9d27c30f768dd918e5b51d9356d790b6ab1161f0b01a4768d5768cda6498d0348d2a5020743a1f69e4d8de6081c12ea003daae5d3ddb7a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e11841115e533e840bf1dc3d919fd379

SHA1
8606a4cec120f66a3ff5cbde0a42d629ff13e731

SHA256
a5bc516ac341fbac11ad16346a7bef968ebdfa15e3a69cb546cad48418e9e1f1

SHA512
dd9dabbd1a600b772919a1ea8b03496d3192fe7550264686472b02b2c06f1b070fc8b0156c6da21eb5f55807b054694379ab51ceecaf128bf57ea28663d3188c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e7209e186eb457675096c384a3a7073e

SHA1
827616cc7b3dc4648093aa12a05e23245d41256f

SHA256
2fef7f435adb6b52d141898b7871c981e7f24ff196a451f8da6a5e486b2842f4

SHA512
fac8a8e187e8504dd6b2a30a19b920c6932962d7bb9edb8c9e01bc642663647405821025b31a2e66a268fdbe10c18de12cb5166752b99f1d443a5d78f4539d8d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bfc936ae2ac6ce96738c72b4f456cd22

SHA1
1caeb678db175bbff4b081066979276e3238eb2c

SHA256
64ded0870a63932e9adc0a9a91abb945939ca47275366eb64cd9654185c10506

SHA512
5b439174479f0e43857012b6f38d102c043204255b16b2e5a4097ca9e176e68f63110c4b9cc52081595f3917a27f1aba87f5bce7b8a88a38ddf13dfa9054862d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ae7e0c13e85c2e0e381e8b23e3036714

SHA1
173bf76180cb78cdf1c5c2bc1d9b87386ec6cdb2

SHA256
0457b5b1226f8373bfd91bf2d99c6422d74d7b3c109a2098159dfa888700f94b

SHA512
da45cb199ae0a84ecfb40929ec8c7a53debbed49c65b5da954aabef4f9ed6418ff91b280a06b823be7d57068d2e7313273942323d7920a84dca1d50c695cb2a7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0029de41f210cc27b54cd152b857d4c0

SHA1
3bb90eaaa316ae3229d85042b4782a0ca55dcdfc

SHA256
da35cedccf8fe146054416229333995341a0427c9b548ef79f16abcc3ccf383f

SHA512
96c7822905b956da788e689573a03be893929a7aa515aa2797c7d308ca9ee928e91fa068c167335ec0494b9cdb173ba103783962128b47a8f2008b7ca3167789

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2ec4dfaf7b394d11a39518dbe52ab353

SHA1
dd092da9909a6a00de873afa5388dbb0b33d2f7d

SHA256
43593878c978163a8a71357bb89d041533fba95454225dcddb3092242df2cea7

SHA512
4b4f334f573749dcf4344c4ce9de9355852f5f46fcae888e1c31ccf22994a68bb9b94f3be7d6d6eb0e7e9d73e67b14bf863f60d462fe7d7a52d27e873fceb5ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
52c9e792853d673b30c30d69bae6b701

SHA1
90f72d8d7954763090a04203c2926b3c3253d285

SHA256
c6f5ecb030071318e48e7a90ae4628874132190904439f48fa7048a364d2f63e

SHA512
8cc7d3621f186e8413be1d5869d476c042126e92374cdf00b7b4f3486ddadf68762af562a9e05352de59fa73894caa026e2a842645fe03eb9fe80b1d48423d57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
92b996c2f771e4f26895cab91887c108

SHA1
45146bebd7edc92f41aa57c53088349b6867899a

SHA256
3f09cdbe9f30e49d8a68e29d6a824f55dce6550653b0912997dc0bd60df114d4

SHA512
b4911039ad928ea9f22697ac80d4fb2cb71edbb1877fb9da49eb51c763abc9f511048699bf96181103e1e59eee8408ebc0d3e1aa26f5ee216c43a5114531c01e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ef47aede9f3fe1816e54ea8c1fe48c1d

SHA1
b6dcc5a6720c0806e25059710026ae2f3dcdcc39

SHA256
7358395aa14345b67b3e8da676e18e7b96ca4dc76c2f6d819314f2558fd09a69

SHA512
ca95aeff820ae77059fbc38a145ab25bab7575df3e7dd16cfc60c21896790ade4a61556c6563f074ecc897d9f9e98d85dc9e401f85823650d7b678977d043839

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bcda1c41d606d149147678160b78f3eb

SHA1
d7f88c17f71b568e38ba578915f0e86b677bf217

SHA256
06cb91290bd12f39b2f9fc20fd61c2e100640470520e1957b209771d0eae5396

SHA512
ba9fd17a847b17d71a174b146b2d327836fec192b64a77d4dd3c7553c540a8d2ebeeb6e19a80f169d1a3991a127340e4014dcb97c47e82c27926ebb9f7bad363

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e6bbcdfdb3124e90812381036bb2c4a1

SHA1
79fb8c63510a0f9c2281983674b4287d8631e61a

SHA256
6282cb5c30774de7850c85892799203170e4e8668a4dde73251976edceb8ba3c

SHA512
eb78e4efd82b687abbeb4be2f7d5d9ec856f249f577fe4b86826cbcdac66c147c869ccb25c7884e8201014a22754d978127332d57681e74b09d42e4cb5c090ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9dfe2272dbce497fceef4f903fdda8cf

SHA1
dc5bb6cbce0ff8b3cd4b29eb4caba44b89072726

SHA256
2f15ebb2e91997890d03d488cdc68eeb81a64d169413ddbb780290faf8723737

SHA512
b0e073c86be863fa067a3726f2faa779f6e7241a33d1f93b42cad5f4a2f87c1919693fb497677bb4d6dfb200dc090463548b1af515c52593c68bae7ffefc664d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1fdec653bdd16eca28bb0eaa62878037

SHA1
dfaa5765b1563560cac895bc32cc72b73256e284

SHA256
bd8d0fbe34e36916e1a66d95e698600f5c726196d3b45a8913336312c6b00813

SHA512
b72896584ddb08d4e2f377ea7c160cc045b93058fdc65e4375a50816fd0377e64b9269a575581550e8ccdae7098935268c67af85cb63bfd468a4d5b927c25560

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
378878cd28e6e649a9ec6ee445f651a9

SHA1
e214d0a9163fb7a258af9593e8daf2b0a538bb5b

SHA256
aa9841d62890560bd5a7c7ae4c89301f8f691676158ca15bc3825479855c394f

SHA512
d8768c5f1637204ca4cf419f2def833ab4baa0714b2aa85ed330a62b4da0a0489d86608032f7b0cf574222c578fb4ab42d46d11e21c8787b767b7c5dccc372d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
acb22d029cb5f82d8b3f3e0f9b59d120

SHA1
79d0535af6c4134da0d0f5a8f47a878864b71e4c

SHA256
a0129b8409dd981a935d2e28e86022dbe3aba81a6912e148c947af3890aca249

SHA512
0d41b7df5157185bd2ebac851c812c5bc43d07483fbc8f32d61b600656e281ec2e0eb341e097cebc51f6ccd8f8f7f9b85f545f75e5922f77e65ec51951a81645

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a275f17ea64956201401a53da35a6004

SHA1
8775fc11ea2579b0b67c7d1af8c743cfe4b72357

SHA256
5c7193d9b63840bfbe97d310c3e4eb538378d04441af1f0b195fdf168d617955

SHA512
2c436981eaf3c2eaac4fdd581af0111f58acda2baeba850569dd134a225de98bdac5df45c955ac5f5591c2689787361bdeb674736549359a2b0b44830ffefbdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
20dc9f20934c6158f078205d24e2ed65

SHA1
30a3b7ee98edf9bc17298d5b81ef9010ac7a2073

SHA256
e91b6c58c005e06798d66db6c5af52ea28a39a301f337d126588d854e5544d02

SHA512
6b73337e5109e3e5ca4f120071acefdd35b5848d55b3879b11be9fba5c21cb56631102c1d50fa1897dfe23e45eaf8a9d502fb308ae671e739c965fb8932719e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
136b90dba806fead95e4be1b2fd6adb1

SHA1
a6e0fe74396dc0c413146cd83bbeee7bdc6b1eb7

SHA256
c7c0eeaaf71e8714908c002985e727770ad6e09fad66559ab9a06eef10f41432

SHA512
933a1471e6e577736738203354530aec4f1296ad08b9adf178b502631b8e2b2ec0a0fff2f26d9b6332fe957813f3c4513960d9252c828edd02832c30874aa9c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
533832f0327ae1158eb306af9e4595df

SHA1
3538f91604e9dd6100a767922952ef891c27cc8b

SHA256
2cc2e3bd3ab055f3b17824f589081bd90f257966a1ae2cb172d27e226ce629a2

SHA512
a78033347dae17cdcf2c0252a320364b7b099bf83fa47306d7fbc584f1377224ef548d542c8c233c8428e27228efe59bec57e26eb5ce4addfdc18501464c6ce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
acd6c30dccae64f6ecaf5e8a551b97b2

SHA1
5ded85f7c355ac13ee8f04122a67dbdaa777c603

SHA256
8c81b27fbfca326c8143bac48333b2e4cd773ddfdcb0bce79371604bd3b72a86

SHA512
4470aee4b12bbacfe18cb20b7ebc90be26c44b2ff50c1303f49888fe397f88363035ab9ba338c9a3d3275503c25ef4bbd034d11aa7efda65a6931cc06de2a6d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
65eefb5938e36c6a48286ad85ce807b9

SHA1
41fb989b1f150e836554c32dad3968af421ea0ea

SHA256
0923bc9d7a74ca3396f13e0338b9f94c58569f96bdf1b087a548545b30c1a07b

SHA512
2500836cbc5fbd8aa8796e4af1422d6a1a44ac0edd0e0f4c0a9af4c4ffb1f5f526b04c33f6a31ce8f16e88f5b00c94492d545bf5ced9d000f17275e103476d52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d7e39aebf173a4645487dca69dcd5234

SHA1
9346eb2274ce3795a654ad79dd4684302bbfe427

SHA256
dfc66b6b31b53610a54d0d2266074a7013c64e432b53aa262a0b3024e20be903

SHA512
997fd8e44e9ff3f7eeebce03548fdc39176a12d0002d3a6bc04e4bed7132009cf22dbe66c761852147768b2f9ada002e53d5e89a76b5f492ecf7a79390d98e35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d823f15b4933e2d060c91a00cbdc4c1d

SHA1
b63a8d7f8bcf74e0346ead6460900667da68a18b

SHA256
9e0d4f58205dd4374e9530980e3c86aae0a03864703658e3c2b02b53db32464f

SHA512
ab1f49875961ddc7b6b3669cb64a38b70c15332cf65969b96d4cabb6196171fa344a88600620d9a0e09ceea702af98b972ac2905f2d1fbb56e59938a1edd3a2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
28efbb09b83ac9655e8524a2e2666ab3

SHA1
12c99c3cc0c8f8ae19bebb30dd4f5ad1fad5011b

SHA256
d70972c8fe7681a14b312acb3f1cc5cc9c0e9c53d9cfeaeb5a51aa193d45b900

SHA512
c90488be4fb549a4bc511ca7c14fe06ee655edc1f8cc254a7348febdcaafc749522ceb181dca0db316c51badaae3c265d003f27646c33fde6b502b79deeef520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7812b87917dc2305e3a540600dba1574

SHA1
e9f625c7cc982fe00c87a24107409d075cd0ef3d

SHA256
5fca9a15505f259be595ab956a31284f5de1e3a37f90bbf31b249b508069d4a5

SHA512
d351b70d124be23fb6d18a976a1f7bb0826f2faa23eefc18e49d1b5f8f7e8380af5764e830dad4e6c728a8fd6a99d5034c1b95b73dd117eab5b6b7aa4fc74287

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
93db974d0d42ec40ad467b97e2f79ebf

SHA1
06019b44da297b908962e1237c7a5e3e1e709beb

SHA256
a482c43734d84e7c968da511867e2d6f4584613edc614d6d02338f736df05035

SHA512
db6c34f1a978e6a7f06029e93218e1c6aeff6001cdac2277e2b60138a3de174ac2eb4dd2e8b05789ceaae0e124be8446ec2fe604d1e5a9572b26401a01386f74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
337c18c05d4e78d784b9843a15169b97

SHA1
933c3e583b650dfc119d7158aa9d4ee0e505dc30

SHA256
a94a8f47b14f64f700808b7ac07c23bff1c16577ef788928bae933dfd8ab165f

SHA512
a9359af4e19cc829c9ecc362fd178c3f673a98a8595e97b120641541124ceaf90d0768a3584b7c782d2a77cfc3051cc9720fd8f812ef452cd1c53b14accf8b53

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4d4802af69634119659d8c5109873782

SHA1
bbf49f0c270efb3536693f1ed004f47298f35d9d

SHA256
1b53662956464728844d6c764325245ba8cb1bc02d2aec456cf0793b24dc89cf

SHA512
408ba9088bb29a0deaa8e551450df9d102e185760160bccfd4319e60378491dc2d79a7462609afbfa45221ff37b94c83de22d32892969ded8feecc8ce02e984d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
662dde361643534d92b9745e0efd86fb

SHA1
cdef6f92d3a0e9286364f3c2a7deb4f76514b914

SHA256
d8bcdb7eabbe300470349b80678a1a00ed1445a21d3aa6c1eb3f73989042d4f7

SHA512
5c825da3695645573afbb286f9f72c63eb5c3e6c8b539785b848b58c7d073083503a70707032c54897659d02ac41ceb67776788863c6d65561535dde20956e4f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
500f5344169ae49c71be565c1ae11fc7

SHA1
1ad7aa250683c96da4e08937b95d737fb1311ea8

SHA256
c7f0fddf12840c085605d1e243bf15ce949751d859cc4bbaf6eda60dadc8e085

SHA512
ce5f8cc1b20b4eb24567aed0f0ae1e977b5f9f84cd851efba443b6123571c5e88cb5ecd006750c8647b237d8b771e2dbec0430b5fbe3bf7d78a411d2fe787e21

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2aa17f43bb731a1361a09edfe38e655a

SHA1
2ca5c01a855ddf6c6d74fb86837936596c27cafa

SHA256
f2dcca09bf9652d187e6c894c54d03cf89d58d1d00ce7fd1ba17c9d124863e0e

SHA512
2157fb3b532b0392c67c0f7f7c3b979ab9918f995902c2378ce907cf7c79a6beabdd73363b76e96f519efe4afff16a6a17d03801868fd7a1c06114c5f11d8adb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7190539d0935d654c6860b1daa46153f

SHA1
6af8a609b11d48ad2773f2952424e8129044bf91

SHA256
e81b49d97ce619a455bac58753de139e24fb985f1c6a7eecddc57c2327be8d1d

SHA512
f190ed53bc6d52d29007b947c43a0018e715801f64f64685dbf84023dff95c8e5e2efc20deae0bc6fc331769cbbbf00c41fdfd262dbf278d4b494dd4e028446d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c29cbf437ffe6aaa281f0c5ec1927312

SHA1
bf6c719c35436a83f2fee8974202befc6e8bd292

SHA256
c6b2498056d74012805209e532a39071241e6c2bfcd927cc26521bb5678cc793

SHA512
06db35f6b8348cea4dab99ec666ae9f5d164c678238a7984b0bbf2362f64467e21e8e908296d0e256575a1ba62c66e4feee9a4e25e1a424b1df48cae2a17c46d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
988d661d29ebf2af97b1e05e50081f63

SHA1
852aa4022e6038fe13321cde699115faaddb8b0e

SHA256
a6895260e127230e8812e3255bf91061cdd40d58c1cdeac4a3e13318c6f1f313

SHA512
e28b68cdc0ace7045482ec2e35b1cd152b0e19b2b957b3cdfae6d0612d54a8b1566c6dceec7e4e79008a6127f807900e80198a974d8ec4cc412fe83887bc6214

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
61e5c2ecbe67d2aacc55036b464fba1e

SHA1
ba3320fe3b0bc78a3b28e653492eb0aeb9b1f266

SHA256
c78275ce5ecb42ad1e35723adb910e5a79a98ee451f66bab713aa4aba97bc4c6

SHA512
d62d05761163936ba168de16433ba0fd98ff91c7594f40740231d81cdf807b386a772cec0391475da8ec074e8f4d427907495c22e61eedc259e0ef1789aedd45

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d238b2c100e1d897aaaf810eaab1c65f

SHA1
aa7a3127d91227af59966aaafa879c506897bce9

SHA256
414c07648ac0cf5903b7498f1dc0d9a5d72bfc8497819ec98960089e3b5e5248

SHA512
45fb92a4d57505905f11a3f71dc090c9f042ab24100d8e8d5ada7b48882e546fedf40414251456baa5bf872af30f1fe62b4fb671cc17ceca339972febdd58785

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d99dec9bea53802da779151b294109b0

SHA1
cfc41e63320a4de83827030ca3aec3673ba1ba91

SHA256
ad77b5071a17832689b65642f4f029474c8bac1288e7fac059ac5038e606cf90

SHA512
607a6aab165614c583f7ce97d97d8835a3556b2e503a46719364ff801d2a125bc230b3770e59bf96ef5c4f0bc22a4bd2916c5e7605c807b04879a3820985d1e7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e457a7bf915830aee5c3b3db96723e1d

SHA1
a61486fa7a3f13cc8e2d1130b523152644693e86

SHA256
7a19b81c11b1738c60dff9bbfeead4fd391172c4453d9007a525887c43e46b88

SHA512
af73bd062d74a2768f1bf7ea9d1f6a4fb9ecbef325cf8779ac8fe3f3ac72cd8230318976de8bd3874f6a05411c167f03c88b01f7cf3e53d6c4cd5a4f4a633ce5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
89eb0fd38e190db5ef790c12f8ef12dd

SHA1
53e32650650bfc3259eccb0eb6c3c731b6961b21

SHA256
9d2873d29f68f98068d8567f7eb506a87b560960dc5fd8fd7c4ef8578a311fac

SHA512
fcd8a6006e51d5026605ffd49703d42f142087cb5c432a51e103c929e0532a8ec9a08f904d5584013e7778c420ebea1d13f8edf08244ee1a531eeb6e20b010ff

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bf877639bdbb179343b50972521790f3

SHA1
3b4f9dba4af4d57c69ea132132bdc799c0dd4257

SHA256
c53c23d279a6c026a34e6822c155944b4cfc0c0358d3d86cdf5cd0cfaf531af2

SHA512
2f6815c37404d6048428d608eefe86d6c99214634b773c5a1b88670cd58bebea483ea67af5169afdce8fe917f633de746972a37c40230b98cce2a7284f0f0481

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
85f52bddb7cb904e678ac6dec09b320f

SHA1
bc4542c1e64edefec4c5c5b7241ed4b2e2b1293c

SHA256
b70f2849d96fb221ac028f89744edfb4395d873351264c234ca0e399dafb4fad

SHA512
5370945cb788c7cb7a78ddfa206a6163f03634a2744b7d83f01f827705a184f670313839a78f414baac1b59bbb3125adde514b706d07333a27ae0077e14b2660

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3dca7ee139f0211340541a88b10b53e3

SHA1
8a555d433a66a3522e6dcbb30dd44dbdde15b13e

SHA256
597eae14d1c8ea0291e58f6b5769734ba0aa4dd7cc672de961d4d407bce61934

SHA512
f941ea206048046ad66d219b55bcf5ce709e344588d6b481dcbd570c8f353ba802e2dd6fbde66a11f1ab618f467748a780de1fc931d9881678c4e6a5239e93e2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6b1e53f545908ce8baa2c30182708925

SHA1
cc0c5810c0507862aee11a465768379c12726fc7

SHA256
229b2d26baccc253247c63f9ecd70c73d2fc6b16e0bc420b3051c42f9897cfb2

SHA512
d4c2764d58f937367ba8cede01197b7e8e035a14c4583203b5a38add75339fd63ff0830c3fc4fd6bd2c9fe969fee59b3ba47995ad7183baffbde486ef413af8f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a3a3e14d789607db85674c78246dbacc

SHA1
bfc9b455fd8843fcefa887e8b8f6e9a51cfd8029

SHA256
b539ab5b28e15eb0af7aa1a70eaf1d9d3b2262a6d00c2e1b62decb6d7e5f71ff

SHA512
1b5b8982a77048f467a6e0abf75948b780f0873b169e49530fd4d1f6a8d53561bf2a28728060ca99a3bb411d41d465b050f2c9b7f711e59ffb3bb5807ff010f8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a0b79d84a17381f7de9c97943d95182e

SHA1
71ac66e0933d45dcf581385f2b88d17336786755

SHA256
c0306221dbee5d77970a14dd97865be327dc0cbae163fd4b4c66cf284c863edf

SHA512
edad72a3d5fe3448b9bd6924eafae00192f8b95105a8954faf68618db4836600a3d2a05b06935a395db214b4c74e19179738d69e344538edde4616934a24a041

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9741d82fade5207c0005d7928ebf2dd1

SHA1
34f248bdb3870bdcd5cfc43d360a865ed2af2c53

SHA256
22aecf3512ad3a21efc899d60c76fa18952ae1aba02d667cb330c398950226ee

SHA512
b71eb8d9c813bc02dbf353f40b9cfceeffa59b2017beb92536a72138a1f8a5ddc199a6b59195ec374d00528e8534894a70bc84ac0b7ac4fe8801b81cd95670ff

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2d8e76e94364532ecd4850d96ad784e1

SHA1
90ef19a0b2e9b396e21c724e595351162a7f2f52

SHA256
2ac83c067e40a3075d7be997cce26b29e2fe040af14ab943493acc8c7183a663

SHA512
dbbc9856372211efd2ba2866a795db90534e44075ce324e71b480990a294d509b8110cf9a12c1a61407581f5957c6b18e68fa4dd4131e189a161a604e062960a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9da0accb34cc7291d8e9590bdb201be1

SHA1
380ff0ae5649cbe296f967f28f6907ad6dc6e82f

SHA256
e670840dc4de10e68fb23cc41d745aaa34c29c575628c0d11cc73689630d78c0

SHA512
cd1a17f70a7dcbfaa2fbeb5fb1db3da4db8c577acb2834ca4fd875c4a77860707232569718963fe04aff00630ec58c3fd9b7c73c0c146f30d8058780c06557ed

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a29f21becb587678a2c2471e8e9163f6

SHA1
cbb51822bed3f1099b6e6c88cfbac9911f3824ad

SHA256
6ead270fbd6f3b7d0b5a8b75be79ecdfdc4bbb7f5b2cfd1e93b74bdf833d904d

SHA512
35f3e67d364a580ec1da2aec488498b0597013c061c2dec7c5700b892747a83d53785aa6d8dbd961b51f9d928ed6ed509625367606b7a545372484a4b1f081b1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
eda96dadcc09d049c88cb2eac1179bc7

SHA1
49b5e1fd2f764b77affb77af22c1a3de35f1b666

SHA256
2d00644d86de04c6e1db35f31b2afec2ed90860b04940aa5e6bd67bc6bbe259e

SHA512
31bc6e98110de8c1c06b0306f8aca8c273ef410f8e1990e45c2352ec98e70081f858b812f93052ef0cf7e896f42115e12ef6bd092add13d10884366a95902b1c

Download Submit
memory/232-516-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/232-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/700-514-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/700-156-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/992-92-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/992-85-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/992-86-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/992-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1064-38-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1064-142-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1064-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1064-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1444-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1444-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1444-66-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/1444-62-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/1444-56-0x0000000001820000-0x0000000001880000-memory.dmp

Filesize
384KB

Download
memory/1960-160-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1960-515-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2020-109-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2020-475-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2020-6-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2020-10-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2020-0-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2020-477-0x00000000020C0000-0x0000000002120000-memory.dmp

Filesize
384KB

Download
memory/2124-467-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2124-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2680-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2680-163-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2848-146-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2848-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2848-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2848-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2968-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2968-113-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3324-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3324-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3324-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3524-159-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3524-105-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/3524-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3524-100-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/4000-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4004-82-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4204-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4204-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4308-379-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4308-126-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4352-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4352-513-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4368-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4368-356-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4488-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4488-519-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4492-466-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4492-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4492-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-465-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4596-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4908-73-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/4908-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4908-79-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download