db390bc812bf58138e811c744c598a1c216508a45592ab2327d54427c0acf68b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Size

1.8MB
MD5

e91e348fffce922f70c9007a3a100464
SHA1

9e39c8697711609ed937b6fd46209ee562310454
SHA256

db390bc812bf58138e811c744c598a1c216508a45592ab2327d54427c0acf68b
SHA512

8ca57dc308320cea5d09fdebd445e293d1eb8276b38795a0a8990a9484fc4194b12ce85d233c6127faf5941d9534ca54a3d85863528ba149f1f4a0ee6be0d686
SSDEEP

49152:6EW9+ApwXk1QE1RzsEQPaxHNQQZRHtfZ5LzWX19g:U93wXmoKB9hx6XX

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3476	alg.exe
2440	DiagnosticsHub.StandardCollector.Service.exe
3260	fxssvc.exe
1784	elevation_service.exe
3472	elevation_service.exe
4180	maintenanceservice.exe
8	msdtc.exe
4324	OSE.EXE
3256	PerceptionSimulationService.exe
4992	perfhost.exe
1676	locator.exe
1932	SensorDataService.exe
3496	snmptrap.exe
1564	spectrum.exe
4272	ssh-agent.exe
4560	TieringEngineService.exe
868	AgentService.exe
2652	vds.exe
5040	vssvc.exe
4688	wbengine.exe
2412	WmiApSrv.exe
688	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fcb271254a48edc7.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbdf58be0499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a45dbe0499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067160bbd0499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003749c0bd0499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2c8a2be0499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000854e63bd0499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e85106bd0499da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb27e3be0499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a45dbe0499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000323dd7be0499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3ff54bd0499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e61973be0499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000869069be0499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Token: SeAuditPrivilege	3260	fxssvc.exe
Token: SeRestorePrivilege	4560	TieringEngineService.exe
Token: SeManageVolumePrivilege	4560	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	868	AgentService.exe
Token: SeBackupPrivilege	5040	vssvc.exe
Token: SeRestorePrivilege	5040	vssvc.exe
Token: SeAuditPrivilege	5040	vssvc.exe
Token: SeBackupPrivilege	4688	wbengine.exe
Token: SeRestorePrivilege	4688	wbengine.exe
Token: SeSecurityPrivilege	4688	wbengine.exe
Token: 33	688	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	688	SearchIndexer.exe
Token: SeDebugPrivilege	2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Token: SeDebugPrivilege	2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Token: SeDebugPrivilege	2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Token: SeDebugPrivilege	2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Token: SeDebugPrivilege	2248	2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
Token: SeDebugPrivilege	3476	alg.exe
Token: SeDebugPrivilege	3476	alg.exe
Token: SeDebugPrivilege	3476	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 3692	688	SearchIndexer.exe	111
PID 688 wrote to memory of 3692	688	SearchIndexer.exe	111
PID 688 wrote to memory of 2832	688	SearchIndexer.exe	112
PID 688 wrote to memory of 2832	688	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_e91e348fffce922f70c9007a3a100464_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:8

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1564

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4260

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3692
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
98c89ef6c1ba4bb372eaadc472f3cb56

SHA1
650bd48138a1380c5ebf28c8dee63b64fe9e26aa

SHA256
e1ddbed5c2f6ddc87f8b6d3160f2d6914f9d34e9508b1af9bcd910f63991dfbb

SHA512
1507a759605b321f4d6c40e3c46c6da2238a6190c5ed3bedbd85fc2a2ff5d85ae58a86446c2aa85e6c0955ba22276a4324c95deba36b3779aa1d306fb89845fb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9943e9b7f864bc1f05f9cfe94d0ccd3b

SHA1
7365ac70df6d3cfac598db7c34d1657f0db92d9b

SHA256
a65a8560d648f36beed31d428db0731b05ca5e27dbfde0df61b0a676af2a5a83

SHA512
87b84109f0771abb00cfa259b321ec0053213ffcefa5d40c46797a051326c15fd0e45be9b0206fe56bad22145df71c109e742f713cad37018be68fab0596463f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c2ebba53abf47e37b97a8cc9035ef044

SHA1
e6142f0c0e9ec72319f0361ddcc8edb5da86e30a

SHA256
b8ce3fb9dc6fa7278bd8a919de3a9e953bf91d2c29ac3b6157bc1fee9e979c9e

SHA512
3d594e9a7b0b7cfaf464c04a8bda61614569bf6646eb2e12af9419948b13f242f245cd8221053b5b1ccae8e6173051ec92ec4c8dc4ff04379142e41ce792123e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2db1581a1ef4c37a7c744c6f1ef7f839

SHA1
029bf88596aea3e9917b426742cfb549a2473cc1

SHA256
a64c0c42cbb61c7b4c70a4143e05fd8764ae920ec2168a9052964fbea3233c40

SHA512
2ab70bde98f71470e92933ea3b307df3d21b9964c34f27f2cc9827f647dd15c07264803d87748e8a630e6d31ca04e609e86f941477b9ca77dd8d4e5b5ac881fd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
86f91ffbf23c3e03572292258bf257ab

SHA1
efb67c1284bba0d4b997c1cece3b12a67260bc56

SHA256
7b25283c4332df74a43409d66d9559b98194820912b5835d967076271619f86c

SHA512
4f18dcaca3d12ff54753d5276532b7f87ad4f8b8acb96f3c3b5fbdddc901e47ae07b14c7132cde38f3aae8906797661b32ef7ec0fc5894c8a686753fbd9cc615

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6ac16cf37a2e8773880382bdee34e5f9

SHA1
243c5813a3b3b1d10427e3fc4b74ae9fe2f9828b

SHA256
4df086794cfc4b8b7dc8e5100a15333b40b8c7ab966e51d45bbe4cdd92a8c1c5

SHA512
d51bec78f4cfe2574def3bd9176e71e3bd94455c8a0e779d6464f350e85d43625bef34805b994891a60c698119455ce231a5a8f6c8075bac30dfa032c219d08a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
738b802c98a5f0c8668397a6873a6c50

SHA1
0cb431b324384b3aa4f36368dcba73f6994f0b2a

SHA256
76bfddc1103b00a362a8d48b5124dc3d40ca428010bfd7838c422485f117679a

SHA512
7aadbc6fcc23a8a8bed7acb44c5db36d31232ae5ab4d35592db5b8fa976f58524eac8f2793656c3a22a9a14c34f33acdf15ac298b8a71e7447cb9ad75abef271

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
51f895b26c0576b8fa54ca868b943b94

SHA1
2b84da585b7c960839bb97858464037875e403cf

SHA256
cc79e04a8d7850fd74a1ee51d8a42b9641dde2d81dbdebef7473eabad888f537

SHA512
22f0e08f19d065b8dbdcd7c4c88eb101311cc5e7f1d01fe57f4603cbdd45237345ba9f9729a01fbd878e0c5fd7e17d496b717705c5e979ae965b1cf6b39ef731

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b9d3ccb9b76fe1a3005ed8cd8d383672

SHA1
0eb65e041883d46ab2fa4b47f85769a97fd7ba9e

SHA256
b40080fc92f80b99a341ab7674928273a10ad11b01b0d6171e29e70d38ed9164

SHA512
8ddc06586972c8c3b384b82508b44e490882cd1873239e7cd6c5a4b8934d9156d5c0da0e083e555c7c4b1b0b267557e1700e3331c7d6e3798f5a06ead8d6eed4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8aed43e66f76922bc534b64c535f561c

SHA1
e3686ee1c9cdf22fd442269bd92600a08a10d53f

SHA256
becc1bb424fd8284e68bb1e25619ccda5672d292fc99567162abccf15fd4aefd

SHA512
e887f00339b8ae69d1062a5c5b148d61e296d984d6b2a4a6ae36ee2e9a85e598f4a98d2367926d0585a5c64ba9b5ab505b8479f7aaf0572d4d97ec3209ded5fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2d09cb6a1b81f16285feb5c4dc56a83b

SHA1
800507528974472ce687316a36d642d0e3b3d996

SHA256
7c22a3b2b3667a7da121f23fa16cbd320c61e1d9be8843e75245bcb2882c184f

SHA512
888cb88a1e31a2801bf2b434fd7571dc37e7e46c903fd510e9e5259dea887e8680dd614ebf6b71e2087e3431b035b2e1f21ee596efd99efed4efedabc53ddeb9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
24ac64654ffb7f77e8b3d1f560681df2

SHA1
9fd3bff623efa5b1cf8b54203475002e2cb6c6e2

SHA256
1751751d9b7de7afeddbdf7d9445d29c42ebe316f33f0afa354e23b3a45b2b06

SHA512
13984ba463f182a0eded1007cd296e34ffc51312bde121f636a1b92bc3b6a7867a39ed44d4a92ac4865baf695d36b9d96451fdacdfe29e60afd6e2d40f7bb0ac

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
efbb4d3ea4de2907d5892b91ec013367

SHA1
cbdac91629a7cce6839e5cedd3a70913c623445f

SHA256
2da08a6ae7472b2152591f80e6f1669bb368254126b5c24cdd43fd77499b4f81

SHA512
63b0fe6c53428a135d02806b591b94b25fb33abbafee84bcd3793b3e997749a73d18eafb98b591fdb7dd5e291d922cb21d3cdbe137608ae972ffd80a0cdb83e5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7295c1e3611e38c81db62b3d367f725e

SHA1
37797831de6add1b5ca74cd635005d194a085b4c

SHA256
7211c6b8c35c2775d2d89784e51f66a0291e2de5b662191eb192e6d0f1ec68f6

SHA512
80bc627b02d0d3a5e3ebc00fcfefe7b85920a1baffa49672dbc44f2c11ba4be39dda6bb4f17d29223ae2548a818525cf6d051e7cdf26f471c8b60dc4450b281d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f6cd0f4aabdc3dd4620dbb1f9fa3a52c

SHA1
fcb7b0882ca23c6699580af9bd36bc21005bd452

SHA256
be0a6b4ccef1bead490631563827b8427612f8683857cbc649afd53324ca0063

SHA512
1c28116951340150dbd70ece38c39eb9c3baae2072a43ea4a11d42cc9de86d72f270e43ddaa0ccf653481bd534e4abc138edccc13e41cc6c3e6c6c04587316c3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e7ad5e29e1088a192baba2cfa9370fbf

SHA1
20f9b73d9b10e1c8db5695a1b8c476c5ee5f145f

SHA256
0989bc780f7ffbd2fc643400fca9d604fe2ce4e90e0b5255193cf4ee41dd7f66

SHA512
6a49f632a2e65921a705ef89f1c3e9fd290b27985584cd62b55c204c2ae356c9ea8f7803fc2379334dce3512741db5149d24d24a0e0c2f9a8121f7c9e39d08c1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
29178a24d407b5967044de2800bd094f

SHA1
e8f7c1e0bc7bef55365a7921cf6bd55d6dfc93f6

SHA256
a2674ce14ea18a3ee70ef56dba434f2faf6a11d04ae144d9b030b55eb6ad554c

SHA512
61d53cedae206d99db799b6ff5f1f2eb247027a8d818f6d4309d8905b756d13dd8d6e9ba4a9791db1c40b4e21affbabd5e46b19d0d9c9d46f745a8784494f595

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bb32b0f81f27aed6bdaee4c12d6a38c9

SHA1
7d57ca4ce824e8d7e19f710866b51b8b863ea34c

SHA256
4ce48015ff40ab836a02174aa1c29f39458b353b1825537b0f536bd0e96db927

SHA512
438f0320e792a8840446f8e30eb0f3ddc366e65bfc2a8799b490ec92a2c959aca641986bf1b2b53395a09fe62bfd9afc50f98402f71ac0149bcf22d504feb64b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
33521c302a223db2707cf93a75805d33

SHA1
e2c17b4867fc665a2aeda2126501b489b2ea3e87

SHA256
1b571e107cf307a6ca1d7661311b5a2d125bac59664ec95ef1fa9f4a754a8465

SHA512
1ba6e5525ec811c21caea9bcaf14878717b70f0632f75d935ba11e6b594a566101133db5c2bd3ba164ef87adc03596c9d03ff0f46a174c0315da46d4d663a661

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
641d177b35210116591e430e053db096

SHA1
4a4dfad0a13f140aecb183a6cf32d6083b6a9437

SHA256
96e8d692e49394f0480c6fd785b0d40297519fe56327cdbba926892ecfb48783

SHA512
0d3735ee50841baf01938c82396022f56b57628441488f5b40911590835f99af03539f93715b7ee84189831028b7b9807f0348a1db77603bfe2c13d066e15e98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
464634ff7970a6732f91178060a8fa68

SHA1
39a4dde729edf5e8ea182b323bc0852cf36437e5

SHA256
c60f256853d65ab3d1fcfba8531eae6fb4c40cb6bc0344f1a9fa42718d6520aa

SHA512
87bb2180f2795bffbc222e522736d95962da6568a2eb8cd49d342c6d563a1a3dcacbbfe725873878584b128a02b0d1818e17bbb16d3828a7ecb3964e2e4703ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b83b89ef218d4dd9ac31bc1271bf4f2d

SHA1
5c8748d5ccc12c2d0a73d871e848e7031577a3e8

SHA256
f41e25da1e1fa42c5a82de0d3f2b6b84f29f842170f66365c38b6641aab78f16

SHA512
508f76be3ecd89f4aa891878da06f96064f7e32a0d624d830661f2b2eecb78ae4200b118a611b99d426d51507925ebe43497f1dc313f31d1b3d85c318bbd3eec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d1adb537e22270c1dc9dab6762788868

SHA1
fcffa820013600c061e5da157221faf89274e1fa

SHA256
ccad072cf0a1032340607a8530f1f99c57dfeda8a9d6b110e2b99e93bb9481de

SHA512
abae7d19ca1cac7cbb12a136f7fa6a48b3de5950e3a7f1e460a40a7b8c2fe895d7911fe8bbff20bf4f21bc7bc2a7f8c8a1992c7f39e7d56dcfe6d711545e86b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e68475c45b6cc49c7d0345914f2a0192

SHA1
8f978ce2e1800b709714fd707acd9eca8e082cf4

SHA256
bdd4c344505f10c4bd8c9a5b4613e354f8a7f6c242fa56af41b2f62340826e60

SHA512
aea1f7c85faa2cedaa8f703aa073d8518f856cc2b9274ac6f4317319d5a2eb373eb054d08a9e02d54c692a4ccf91def3f3bff5e752de0db6509abb80dfc784f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ce464ea6fe061434628c676c19146895

SHA1
db46da2f081bb5d516579a0d5489c485fd000240

SHA256
2c1c61199bde5dd597a91d794c24c725dfa47a0d8d106381e39c581bfa0f6f0f

SHA512
46086d7b89159838634fdc0a338cce23a8e8457115804f6cd9e2c6c9a28f85460f61ccc42e156b94c00352b3bdca7ba205c7b222fc8446a494ccd367647f1138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
38df6dadbee8a94008aac34cb6abf1cb

SHA1
e05ceac41cecaf2201596541842239e593e46711

SHA256
89042e4e752508fc8c0e2d9f8933558c1a3e7302759faf162c00e46f2cb637d7

SHA512
bc61f76a6a12e1edf8cfdd533cf7b47eaf48c0de8cc750ec04d405d76cb84c409e7ac4e1fb858a9f823bd39e25b80a7fa9fc3b2a08b67064251fb9be8880118b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3e1634009af545587e49f83660d60d01

SHA1
548e4a3c6c4caf9bcc35454a768010bd826d92a5

SHA256
44633a7d6e2aada2e99b2e3c40607402249a6c6f117a61746dfe06c29260c124

SHA512
799e5735ff8bfeaaa9cac0deceb23ffeb497c4dbe155a23cd1606f64bd84e81ba9752fa2b5ac6453c724d6789e3cb465f504ebf4fce835c9725c6b9715866d35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
03447c3eb3b1882a8e5c15f683011d26

SHA1
bdebde38622cd551a71ff2cafb6f00cbad5a1c47

SHA256
b8cb7b43823063c8ea5e525739631e1d9dd7ce328734aafb0280d326cf080954

SHA512
5eff487700cec7a2d199601f4528791db2a3505f579e8b7012adea873e0221607883541cea78f9834a279c4d84ff4c9713cebb9ac304c6f4d45eb3508266047e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
cb4cdccac731dca478bbd641838979c2

SHA1
41e82e5a195c7579375c38b52a974279d558ddde

SHA256
99505889e2f54ae3b091003c75989606c9307c5e3e84252c4120c2edefedd993

SHA512
7123b9b472e35f4ab906f8f2bef6f19619f196daab8901acacbe7c565c6949d2cccd225f73c3e702c2c852665fb9c58ec609aed0952e4c8581427ac38e2f4053

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c6ed8448fc3b9952e60c2667f1b60e9c

SHA1
a125476b91d4f24ce2ecf36978d99300d82df11d

SHA256
d7bc983dd7c61edb48b7a58b495b4e502d9e30f62aca93afac78f17b1fbf301f

SHA512
afdaa384d6eba2a86b083d73ff13d84d88f19656edb950782f89bb0e88d76f8cd4c55ffed08f91e165f46bba6337f7d36e13841b86343a2d510278389e6e12d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
323f445f6802f11895757343b942e07b

SHA1
ee9b18e2459b45d5f4fa559f6fc87dad5d88aaa6

SHA256
8310083bef7ce7c32afa5aa11281175357654ac1de14045fd2f72fdf3e3accb6

SHA512
9bc5d7a7340170a3b0d900d680ab22b54bc32e2375c9ab306c1615145a7529eb28d292224227b65bbdb9ab7d3611c39dea9de970baeaa5f494c0a75cd6f9a42a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b12f604c8b7120dad3d5d0853d5883dd

SHA1
aefdfcdc7a345863071e754046398cd65e7f6401

SHA256
0fa8aec75c94a6de1e0fafbedf127f5e65a1a4185c00a63cc02845b1bf77c4f2

SHA512
a9409f1d4fc58cebb47e248a700703ae257e61142db8ec650560924050981196e54fa1e48eded8c5557903630b48d38c4a891f1da1fe282ee9fa14e3d68a8c60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
daeaa7b5b7b7ed1560ec82234a5fd1a9

SHA1
b007107811b3aaba47decfd194527db7f234a024

SHA256
cc0a86d3968b3c48d01ecc9c237e90caf4b153c69ad538c9198bab96ae54e41e

SHA512
6798a120de144dd99b5893a78e4ecbfd005274ec141cd7c18f29b929111da4da0fcc83b9070691597168f1a4e9dc8ce3d0e77f39587885b5b42f26e3dca21584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
be1de20ec4031cb9effa10b5c4585931

SHA1
b4e3e94c0537065fabd8f3c86fce1bea438a8321

SHA256
61e1891c6495256636c89151462174918b99c7975e788fc9348526265c1c18ce

SHA512
eed63cc663edab51e10622731faae46c3a7510e8a8422094c06e4f79733b9923a43843bb98dba8399635ef7641d99fdb136a210180092b802a6a8874ad484210

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1d2c6694a661a70e8bc59344e5178e78

SHA1
26e7006e34e4919acf924abad205be584e3f0c3a

SHA256
04a6558c1db93623a0ad2e695cd7f9696f430489543753aab8140daa077c768e

SHA512
f87317d54226f015ee41f7efa0576f8547b27054454d8fe51d4ad9759f3bcb7fd5f412ef0a058dac2152828e9a70d4bed10bd56180a1b661a775079252facb90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9ccc0fccdf29673ec23f11e972d66d3d

SHA1
d2795815202f7756ffa82a897a24dac67dc8b57b

SHA256
6f0a444b160b5c8a2979b554392f4e65f98a6432691097a08993fd417aea5ea5

SHA512
82f69eafac65eb5779a1c9410346892f13a58ae38515ff88056a5d441c791875e7bde07b0d07a188ef175f505a2b8e6a7f079f375da5f94e629378567a971cd1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d5407b4fa8d616ee7ba75823fdf15d77

SHA1
f95858a80166f96fa7f2906dccfad885a6acc357

SHA256
0020ae2f0dd94edc650e313403df1c3c8ad6586b5d836678d5f1b5bb888306e7

SHA512
abbf50975c0be3138c26eec7bd411228322acf534116363ddea1df00633901c923ac6ae268663b7f879bc43ffa3aa937fb5b93c2bc022a3142a3639ab1b09d5e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
840107905c4f9e08d43eb64c7aee0a57

SHA1
55deeba96f6478bd100db4e7a58e6e6679828f1d

SHA256
5d0ba213dde131d896c998e20ca97af5d1d9efe1b0ca582586857c9fd0ee26a9

SHA512
c85162c747da8ce4ace7c0c37d08645563afac05384c7e5d42cb8ae3596acda53bf9e6a8cd97c5061fc9b5cd38faedbbe2d63f27bc4cc8fb7de7c3668f0fd4a4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8ecc273c49bdb479a99a7bfb3246c269

SHA1
7acd5c06311c6e5e70f0a225ce8957163f7a2b0c

SHA256
52c8d5a5d36bd997afcd7127c0df9bd9461f0cfb595798280340564e0e7e0a5e

SHA512
05e4eafd068c7a6c2c1416521ecf9538f5fc5307b5f644eef67017b4e0d6d965bec64ef065e9326c4344232434b8e61e8375f64e49bc284cae6c3965181a4f92

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4e223e95ac180ca7bbffa65ac4544d99

SHA1
e37c6e9e6f5ec89ccf92bae887df61b5f030b4e5

SHA256
94a0cfaedd1e4d0f32646df187c736c263440f55b22276b5976ab1f14c7b8d41

SHA512
17a8b73d1f238213935662e71a7ac888290f44f0c301a9caaec3c4025b442a5ab847a1ec95b58e09686452dc083dfa9c7377aefa7233d5a49fb5bb0950b042e1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
114de09c2e021f32997b4d06a3b566b2

SHA1
332d5f204e1a690db0b41627d78ad1b11b6ea00d

SHA256
2a80bdee33d35db384d75682a6277f87cbb9d8a592a97601c73b8a8454f17093

SHA512
10bf73aec134b3a5757cbb331c78617ac8c592abf5c0a0d4f57696bf4ee985c6d6c9d66cc4065ef7e4787d4dc6d24f428750ed4664c1508d345a08742ccf9eb3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
13237a26e3a18e26dfe92fcd141d90b9

SHA1
923065da8cf42bb9a7a89d3c93d83618377f504e

SHA256
13d727b6a7e41687407540169b86e24828b9690349b96c1e8e4d30c589baa4ae

SHA512
c69f31f7b0834fe14b148badffcf6a83e264a625d305c8a6c46aeebc297591a58d5bb71bda3bc3925daef6777eb12fcc9f5f1cec9b07911a339541b48ea233a0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
91a07698fe33d861e4f44a11fc6fbe7b

SHA1
214c54c4bfa477da6d10dd340077165b71d76c83

SHA256
2da5e1cae0ab6e1cee83b85c15a29c7857ca11560321293cdf3278a6ad39807e

SHA512
b1ec2a20f8a4bde08c562787dff869828c718f98d6feb2e1e1037edfb2f80a9d2e9379689ca71b00bbb891cd37556bb33852028e392053486f33c8c02ed7945e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d14f755ee61d1917f43971e09d834eb0

SHA1
f1e0c796eedfb9177bbd766b58026b22710db5ce

SHA256
413d8045be3541a3915f5af8300a9da6baf268ced6b2625e897217001f8aa426

SHA512
129817a6df24ea4ffd36c266d17296b258511f98f9706e6becce7502be0ebe4fbe9979d945b0932d22ea4c9d417f191976de95f13a21adcdf08fbe64f4389fa3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3732512822ff804985004e3b8c35fab1

SHA1
7908642221b7dbba7f82449e17a4bf41a6b666e9

SHA256
ab2d740b5c8b5ac1cfdafe803a707dc95179643ba7c859641b2aef70a59e53c6

SHA512
5b8d6b3a58630faed21c334d2348e58bc6a6213d5772ff854fb9fc98e22cb51d7fc57cb6827b45f64e05501f56bd5431cd07e9d1f7a35389d8defa67bb276b8f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b611e49c06995617c0e995d25bb1e7d6

SHA1
8868322df59bbc0e765bf706b4b44670af9cbb82

SHA256
c53ef3f05311745db0f416b441beb166eb2af57caa91fa533ec555b9b7921139

SHA512
ce300303054148b63082f7cc23729cc1e520279394f00cb2b5ce073c5ebb063d591d7dbb943810bd135b31543467e599694ecc062573412c65dd57d3800df80b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e3a1d4772c6c990bff79b1b4cf25d87d

SHA1
137a40a05b986778a3b606f2f9c28f3ea8c161a9

SHA256
effc9fbd3dbaefaef8e4fe6ea089eb899fae10d0623c836294862fd2bb12db69

SHA512
626a2a0dd689e865d553d137f2018918a9c83fd135116bec74fa62a4b44efa6e7333e8853b20777fea24c6cbec5356a1cc1fb31c57e6d5c7d543fe40110f5b18

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
14cfd6026dd0b752437dd697895998bc

SHA1
fd297ef9ef03a930f327d885215eef02ad20a207

SHA256
508500aa2babf604edbf90d20765115e2ca2004a67210926bd4f15f60ac7245b

SHA512
1f905c2ab9aaf9d2e11a21de67ed3f1e6632321c2acfc8669cca449cbcc8bf8eb2af0c7ba488bf0da6f80dcccce9aaf40cd7446027f177c5e536c203e919bb47

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
80a5697c56dfa3b355c33f2f4032600c

SHA1
55768c28ce39612e93fea40b760a73c4f7173408

SHA256
67b249eddf3a98d1f442189f6f12a0cfbdceae25d7c4992f4f78c4cac9cd725b

SHA512
aa47f28f554ccb3a83754f8f37b26f0068eb6fd61a2813092fdcb6b1a4e07510ce2b9605bb73113fd0f40e8a34d9c44b6e4d3568aee9bc7129fefb13beda5148

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9321af352729bdf8f0b4245c5baab377

SHA1
2e53ac0bfdc4b73d792291958c4b362ed0fdf909

SHA256
424b20f13bd7be94950eb88d86645d6d56d94f204f9ba2165c984901b5eb17ea

SHA512
a2124eabec84770810b7ccd160bc8a4ebc12d74fd01e63548b25a573e1f0e3c9d3f64bf9d0811f1cd0cf775e58ed25dde8a1dd0f76d657935a07fb45b16768d8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1d757e9c189e11a6adca4f5dbf02d9db

SHA1
39b2281fcfab11d9eff587b1e49c3da8535ccd27

SHA256
ca9a60a4ef7c9c733be6919e160de3cb88a86b5b81f17c06d279937f1ee65e25

SHA512
a0db27d941ec36b8d1fd936eb48d56b24d0339003ff8788e7ca16e3b2905902dd1c75e5039d6523ad67845c8f94daecd27b7ffd7f04bdd8c1d34166ffdc437d0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
95fa198e6304df1d5d741174024329a0

SHA1
fe8d9bdbb2d7a1edee3eadfc3ed6049f8e7b2156

SHA256
2f643bb2af152a063d67b59907d69d8be116b52cc44cf7dd148ca0d406ad9954

SHA512
68c98aa867bac649892269d23ec2a422aa50af6c225b43fa51fe132bc762afcbdcd12b1518d3399d8cce397dee6706a723efcc110c6ad52da1033c358278b2e9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
dcc8674ce810a5a0cdd28129e43f2e9f

SHA1
afc2e416b80ab3de60a0d2b1ae1700231aaf3478

SHA256
814bcba99d8346755515d1fcb0a47f563818a83f7d82e1e30558a26bdab65752

SHA512
afc4f625d3b7915663b280d2816e4aacf31debb8d7fd0716a95d58d4f2a45981833df8b0116223ef543711c3f396b893791ffa3a2b943c7e66625365086f3d48

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cce0a5e4f0441e4828620b8d638c03ee

SHA1
4c1538428e9660086646467ed49ea6c2e7a70c2f

SHA256
4f1377a93a003d3a79a76e37b58b8f44ea88fd1f2652bec16e46a1bdde0403b5

SHA512
515e54cc71d09db02bec023e11d48d5b585f8b891369aded859823824a9613cb6be67285cf2c6fc957f898e9cd8cfa6b317668051db3209a8e03feae5acb48d8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
88747646e5ab0074b8b15c8e1d7b4a57

SHA1
fd8296e6dc3fa546aab1c2c4fd9a736bc0886926

SHA256
da49230498b307a8b4b7be97b7a252924d01d372878fa5c5c906f8a2aad73438

SHA512
1e3b5505964826058743ce638c64a38160d3316976e253ca23c3292e03f7277832fc91fc75a077d2ee580e7539169f0fc60c21996f79eb6caf8a299d0e1e9994

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
577469d98e0bd840b2d924b1cc470098

SHA1
e160d2ad5cf605397e0c9980fee75a3f1de0e1f9

SHA256
e78d02d68c625f7233e40618161fecaa9877dd1bf3e10225ab832d04899393a1

SHA512
57f45750099b7f3e68f51dad9cda7735a02896064c53659113c1edf860eb720327bfb03cf2338a9d77bf74511b9cf6240349b5e01f5c817998daa3c2dee49d6c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8c9ed66a20bad50d7996e0694a7f4873

SHA1
ae7d9b23d614d5ae8b84bd5a58988c574fbe098d

SHA256
51a590a4d10d9791b6a2ab5bce18aa72a1d29ecc8334aeaea09a17c40ed9b7e6

SHA512
0dc6cab0ec6d848b3a0cac46250c233cc8b78674ad9b31f4850e07f86f590a466fcbb6082f22180c47e8d3de82eb6dbe7787abdc4f062eae54d12785f89a7c1a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
de0215bdb96c5290439a8fbb6fe962d0

SHA1
59bdc6c19565ed0dfa0586aeaf6d6a9bd14dd00e

SHA256
b6b5d9796217371f8cef76c063e6d49e29f4f0bf4d8d5b8a8f490dbd00c595d0

SHA512
6fa3ae037a426d8a3b3bfb7cc7c3e55959346dccb8eaad7c09674c8e8e198290bf7dffc8217b4560f043b83819e2e754213552cea691cd73bccdf33b96a5233d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e6befcf9c6d682778bf35bee02005593

SHA1
117b6ebc52146cb905033ea83f655d354d1f5b70

SHA256
c1f39751e75ab3c4ef9879f773830b793fa11e7548c59eba4ffe736ca7e35945

SHA512
36c26e003f66fb9cd9bfec409cc0a307f56777f877ec7b8d060d995c9b31236d09f62ec62d484da18c22601dd0996e9a4735f931cebc47f58cb7eae4a096a8b2

Download Submit
memory/8-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/8-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/688-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/688-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/868-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/868-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1564-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1564-533-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1676-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1784-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1784-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1784-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1784-53-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1932-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1932-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1932-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2248-74-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2248-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2248-6-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/2248-1-0x0000000000B80000-0x0000000000BE7000-memory.dmp

Filesize
412KB

Download
memory/2412-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2412-641-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2440-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2440-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2440-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2440-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2652-636-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2652-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3256-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3256-114-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3260-38-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/3260-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3260-50-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/3260-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3260-44-0x0000000000A50000-0x0000000000AB0000-memory.dmp

Filesize
384KB

Download
memory/3472-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3472-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3472-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3476-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3476-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3476-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3476-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3496-442-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3496-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4180-86-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/4180-82-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/4180-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4180-76-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/4180-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4272-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4272-631-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4324-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4324-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4560-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4560-635-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4688-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4688-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4992-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5040-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5040-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download