74629c617726b3af414ae498a723f9b939dc97c5fcd7946301344cd371544264

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Size

1.5MB
MD5

263f9520f61b359f05878c6397a3e7ad
SHA1

5b167dc4f7ac8c2d2264a6012a51b9ad99d2b553
SHA256

74629c617726b3af414ae498a723f9b939dc97c5fcd7946301344cd371544264
SHA512

71f8d4c5bbb774bdedf3563d12eab0e8f11cd60e1594cd4b908d75a3758fa899657fdee00fd46b970898bad9badfff38db9630724d3edefa051e0ae6a59d1426
SSDEEP

24576:V6BjRVldlnXfH9gPwCn7vOb7HHcp/CGXQp:ABjRVlbnXf9gPTTW7H1GXC

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1528	alg.exe
1776	DiagnosticsHub.StandardCollector.Service.exe
624	fxssvc.exe
4072	elevation_service.exe
4948	elevation_service.exe
4528	maintenanceservice.exe
4212	msdtc.exe
2308	OSE.EXE
4884	PerceptionSimulationService.exe
2644	perfhost.exe
3632	locator.exe
2416	SensorDataService.exe
3712	snmptrap.exe
1784	spectrum.exe
2948	ssh-agent.exe
3104	TieringEngineService.exe
2004	AgentService.exe
3816	vds.exe
552	vssvc.exe
1724	wbengine.exe
3676	WmiApSrv.exe
3856	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\63a1a3d992be0f3e.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B7946F8-973F-4AF9-AEA7-D50B80611631}\chrome_installer.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9bdf53f9c99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d6a63409c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000885eb53f9c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff0761409c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df49e03f9c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043b385479c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f869d3f9c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9b2473f9c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Token: SeAuditPrivilege	624	fxssvc.exe
Token: SeRestorePrivilege	3104	TieringEngineService.exe
Token: SeManageVolumePrivilege	3104	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2004	AgentService.exe
Token: SeBackupPrivilege	552	vssvc.exe
Token: SeRestorePrivilege	552	vssvc.exe
Token: SeAuditPrivilege	552	vssvc.exe
Token: SeBackupPrivilege	1724	wbengine.exe
Token: SeRestorePrivilege	1724	wbengine.exe
Token: SeSecurityPrivilege	1724	wbengine.exe
Token: 33	3856	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3856	SearchIndexer.exe
Token: SeDebugPrivilege	1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Token: SeDebugPrivilege	1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Token: SeDebugPrivilege	1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Token: SeDebugPrivilege	1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Token: SeDebugPrivilege	1012	2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
Token: SeDebugPrivilege	1528	alg.exe
Token: SeDebugPrivilege	1528	alg.exe
Token: SeDebugPrivilege	1528	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 5028	3856	SearchIndexer.exe	111
PID 3856 wrote to memory of 5028	3856	SearchIndexer.exe	111
PID 3856 wrote to memory of 624	3856	SearchIndexer.exe	112
PID 3856 wrote to memory of 624	3856	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_263f9520f61b359f05878c6397a3e7ad_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2728

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5028
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
540a70cbe929ece044535b65c80583ce

SHA1
77016890151dfb892b43a86417d1c7154cce64cc

SHA256
0c5f0b95604d583439e478a6723ea1e10e9f5d9a7cf8a498e568e77e23154470

SHA512
6a2f3cd727ad2616ed999da7f8f91fab925d9f13d8937169df4de060425e9ec6882c552bbeab89e1c2a099c3138218af3cfb4d3ac61132e583bb28a7cdd0649b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d837ccdb69162292e812df71b77d855e

SHA1
7788833b5a44e4de8478a6f854bd3b35449a413d

SHA256
c9c29ae2ef375831cf75374fca637b5f485e9f7f782598f62597851bf35fa4c0

SHA512
c146b6fc0ec89eac9ed54bce05e4f683d3fac24c12141338d5e27af5e3723d899c358d258cb6f403d37341dbbb436c93f2f343b0c12a1c68d9459bfbb3e90223

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
7a57e188fa347e6ad9aed9a22c42dec4

SHA1
85e90765b641b1ea6f7035669cb7b21508c5ab71

SHA256
cfb127335b13fd55500a9404f509e927a36a31c4516e9c65d6308b48f9d5bb90

SHA512
d4316fe0b7dcec0f9b7d0cff96c839ab08acd0187baff0e1a3f1fbb90eff547aa96f629ef95bfbd5f021c1c3d3b881587dabee666cf79da92000adc6f5b25f85

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dc67721971a185cfe886a2ae17df0e42

SHA1
d2a1a050dceeda314615d0843289b8a16f2803b0

SHA256
6777e9ba0927b9f86c074fb8d143b985ef105e67cc92209e24eacb10d73c1658

SHA512
9651475546d0aced85ea8a0c81e3605c3f098d51d5c0814d87b003f36976a583e25e37799d73f23c3b52997b4dc183bf76205cb043e813d40bc1f8e61402d934

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8afa3f3e6d394b40d15319cb480df31b

SHA1
bcf8d67597588bf8f9595f11ec2cbb9640bf6862

SHA256
5e15292a290af5fb32d2316305def22a5d20e0a120a6a984d73eb25e0d6302f4

SHA512
f396920233b74667d8945f9e0f7a44a11ad15b64ea7a753afa30eddd79032a5c2a2ccd798aea3fd0176a96407d95a1e82b54182be33eeb93f4331e773b280797

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fa3482c53e0807007f94edbca621f171

SHA1
7157bab3298fb8be9f4cf13c9ca459f4e6d75f74

SHA256
279bd548871023de3fcacac3b1c750b67d26a4fe880db31f09ba6a77ab4099c8

SHA512
1cda77b97746c950b64c6a96cc19abd392096f584174177762b6ee10e3a482cd7b542e9e6e0d20b81057cad0e7cdb4c89991f25eae8c14b4f10f1cb2e610a4e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
87457872f0aa2e15bd82517c56d6c814

SHA1
96181ea92f689c4ea09ea51d9c1ecd49d325eb88

SHA256
bba67e91087898b25d962d59525a35c9a5d09cdf9d996b2ba7479abe42d5baf9

SHA512
4177723b48bbdc35913a87b22dc710363f102308aae48869fcf0dbedd1c2c477d609a1160948d521957a2568da9e31413836dbf623311b13c1b8bdae7c249e7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6f6a7ff431e2556cda6429813a3ee9e2

SHA1
e3bb81ff15d1dfc52f7f6866daf34936dd4dd1f6

SHA256
644f8a1ccedafea8d86a502e55f18eb05bbb66676aa4aeacdbfa19a383eff1fb

SHA512
6aff73c8dbdcc22444b319289c1d1e44a7917000056a23db8c2044831e7a0ab99b617fbea03daf25b12840494712856bf4e39b374238f4a0730ea94e5d4feb07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
ec1b23ea5e0556df8ae7900b659103a2

SHA1
406e7bce312b1271bd40e1e997f2f4f199eea876

SHA256
ab1202f810009466914b80f44a106e6611bcf2da45a3ff5ca9990cb83a3f5ff7

SHA512
cbbc5f96ff58845107417c9f118d6078e0c4a01c9ef440da56378c8bf8b3b162905caff85d3c0641900d75c6dbf3452b5e34e0becb221fbc8c35ad2a54967453

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
52725f7d10d5a34ec295da2eb9199884

SHA1
f06576198d8a3bb3d903e48de7bd9dd7a68ffeb3

SHA256
9451cab07458f324509e1b65114acc521ad1036aeabc50719e090472ad0268d5

SHA512
90a39de220f73adf41740d12bb2db0e251d3c34213950b7008347f469763bd1098073bab1b2f7f6fd58806ecd7c04733bad60b27f803159ee72cf8a0a9acfa92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
44c8b059315893af8d0016b06cf46d33

SHA1
a57f57925ce1493a3b777f5aefc6e345f01f970c

SHA256
86d63fea1a071a20bd2d80b9c934c57bba123d8d4095ae9d6e4b6dbdec872e11

SHA512
1774b07616c702360ee5446dfcfb535640a1185d16e8813695ed9b6bcc99c9472949dff8dadadc1a435af0adbd4eccab2baa7b6bad21c66191eae34a936974af

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
befb5e53319039b371ba12ee2cec1cb9

SHA1
f47354a5799da8779fb539fe4a8f605e18a00f75

SHA256
56e631f52c46803327ebb19748c9ca0bc0342f168c9092f154c28468ab038062

SHA512
387459a9298b11fd5cbba6994b383dba11a9ebc01d833b4d83ab4b66dfaee0746e8349472149ff7ffd5eb84106c6efe66fa3e37812b6d43567a78b9c0cc6ee1e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
46992e3b35dc2639cee9d9829fd4cb03

SHA1
88a5b1d0f11f720dd0efaf82ba6da45da5daddd7

SHA256
4eae92e9a21a6253d8d7d45f676394577f4a04337049af4795419d3b259b778b

SHA512
7e9a2674d3330e8793438deb8a962d4f259cbf6f0b04e0be3a2849300ee47a08bd7e3c50934e8b8fb280bf8cdf753195ceca2186b94a87e64d85972b3d7c40f9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
03bf3227b525711ecab41daf656aac05

SHA1
def6f31ddfecaf5a04a4e5137cc0fcc13e8058fe

SHA256
ea323eb6bef49efb6a90ed78def4b5d9b4b638444f0e27ae99c1b8b6049d7274

SHA512
4b969b46f6f01229e22b5c703bf9be1e0888fbe7e1f4cd290be11d87d8595e6d8a24a30c78bfa3365bfa566ac7561678296288e6eee40b854020ae431da0ab9e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
74639cb1918da093ffc61779324fa654

SHA1
2ab153050eb5914777346e05322b4cce3cadd74c

SHA256
82be954fe6739f65e26dd7735a8362ecafbfde900cbfc1f734c57557bd8410af

SHA512
5e6ddc4129d80a26e6aea0a7f0d870f309737101dbfea751969bbefee15bab8b9bd347d35ae7219dd933f37f6422033578afb9762c39d8c10b3878a815f4e8ef

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b09f188e739a423b9f56c25664879afb

SHA1
0c7ab208da264635ab90bde0ef2b8091f009d09f

SHA256
131ac126fd60dabe0dc015c80af7fcb88e5fb17feb7149f9601be3a9537f3f65

SHA512
bba7f0e61613877a7ec52e2ee56b14a37d53c45d8b34f1f9838f79f07e94d1316acf2639677b92f1d543086cdc3ec13e3cbdc66b30d54181b78793e7b3f5fcee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c340aa56ba28f9c682c578f46ddbbb62

SHA1
1eb4248ff01fab6b3735e92de0c8dac4d34b3753

SHA256
ab29d01f8ea59ec5debe9f8e2f8a9b63cf8387a71b8fa7e77a100eee31fd0fc9

SHA512
6d1e61723588274794581c451a15b1d38b5c15840e23a795514e60364f1239c093fbe5e1ff6ec7821a358ac2c20e25869ebf586fb488fe3cba67515a4c85f29f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6108670b3ea8b69aff67a2e8662dff6e

SHA1
cc5a7505f674e66db02bedd31cb0a246bda2ad47

SHA256
544bf89021a58eac20d731a15dc15b32e5343269f3425d592852bbf0821f44a3

SHA512
cc9574361b4ea403dcafd1faa890633bf5380381c606b8b3a92a06e75b7ec5a948de0d3078fb1091f0455454bf8cc69b2842d933d09578afefdf3c346f140dbc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
64d986ec0470befb8d558bec0263498d

SHA1
345c92b2afb77b7f6ae0f05793e433467e2955a2

SHA256
c1a28f5f1cd5d058500f751ea78237001824ed8d04a3bdb2d232024df868652b

SHA512
a2d44b62b9d2d7cc663f1a9e8b8ae3d15632055681408cd58f0645aee61c9dce302e03999a92de3e34820c06d26ff051eb984dbb9baea4f7c083b0a254ce1c13

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
435ca88c92526d90ced064eb142dc20b

SHA1
2a840cedc2e0f794c87c81d9ebb41dfa1945dad8

SHA256
09ae5ec2dd958915a641dc57fc3dc061387f586ec96f31fb8720d52b7064353f

SHA512
01f6a1cfbb5851064377b6b5c5f49034259e73c9b24cc118543b477e8575a6f6f3435a7450e1802af799c44b90da233fdb7466ce29c111eb4d7c3e1fefbed991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
bbe1c1473daf4e56ac156f579b716fd3

SHA1
f2b8f31f0194c37b0ecfa3f207f9aa5138078838

SHA256
12ff1800e8678eeb01b747a63fdc941218eb5ed1f2a3fbf69668bbb7c77187c5

SHA512
dfd55c9bf13e74cf09910101daae2d09e73638d845583bcd0a7662039cfdd3f5ad5d654e33e943dd1b18154d2cd4ec21ebfc4121512d7c08a67bce5116e1788f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
66298ecf2228bccc2bb4a06818c3dab3

SHA1
2135446fb16da6126c57c467ae13e30558ba0528

SHA256
64a983fac5c315fe0efc35ddad75b3027544b9921177a17223b76a78162351da

SHA512
2f844cf9510857cf28f4eda73d5b6a7814d101bfa5ea4d0ec78779226ad4401ed11c5ba7d352b9fa104155f849996ef8d3823eb512c7e9c3cfede092fe4c5d65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c2b38d9441240a30a5a529e8c4d9388e

SHA1
5f2d5db8205638b87d37e06a0fb70d439f880874

SHA256
d60ee80e08af26dbc58cbde573e8fc160a9153bd363cecd6c55206d17b620b9a

SHA512
ef45b16bf8ca0410a2fd9916e846e549b1484145d7569fc5703246d69a392fed36329f536a8d133867404460ddc5cadc1981a4202f01439f45d04b379dacbf90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
5e294a4ce436fc09caeeaedd7a51fb9f

SHA1
455124065ba80d5e00c672cf5b0748d17e18f73f

SHA256
9cdba429c4dc3c5205de65e185cb79204e83b33f32ec0fb38cfd3ccc648fdc79

SHA512
48bc94434142f01bef6badb8105fa5a58db6b32003524e1470988ad8277fa8d32ec566dc508af6c344c11afe3951344a9ea2b8cac11ca25b344ce54650b7769e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3cdbcdc5b95f939177e196a69ac1c668

SHA1
2e03241c1631e4a98e4144f6cda89706c5e69002

SHA256
3e972ab2085920e103eeca772f8c5ce9441faf157dfb25f40ec487507a06fcdd

SHA512
0bdb5ac6e6c782bb17250ec26035304f958da44c811a7a5f71147b25847a4f51d2a4f52ccacec715ae0b6b72c150186340d9a037a30c9d3d91ffaaa95072b080

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
0338a7c973125ac93a5244056b2f6d79

SHA1
6e61000ad978717b066e257567545cbc9d688720

SHA256
f3a8c36f6cdff378ef63ba435bc42d2cc77b8c51ad851584243e5ab99b7a306c

SHA512
a6262df1cb37c32c93e80af25d5d287f90de7513d414d6b13e42e4868521777d7dd334f7cbe479e9e2f7be2b7496b477a15ce8c0e7ebab327b510cf140da53d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
e41ff6c5c901a39b06ff4d8508a5d92a

SHA1
0bc2caa52caaa59c1704e29b3be86e63be940d96

SHA256
e66353faa279b9d2ce4b8562ee3a400cdc0ac387197ec21a5f1e745def183b9b

SHA512
e2569577f967040a61abe19009df4c12d6a5dcd5913bd59ef32c2b75fbe22a519ce97fe830de4843ae4a4287a8dafa1767a62ce03a70d9ae00dc644bc8fabdb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
7cfc084dad43ee62cea0738bed5cf66d

SHA1
36071e03abb0048f401171d8fc64851ae9b7ad83

SHA256
9ffa4356598c76324d6fee41fa2492edbda77217414ea64b85acca0a2ebe1a52

SHA512
cd6313de944ff704602358ab2334f135aab1890780f9a3731a4700fc041855e9cb4face4d7fd509e159ee6cf5bf044aefe16d7eb5b6a575121c2856911c58d87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
9be355a0d711c0d753d7b05d37be7828

SHA1
e63669f9c6177e9f068836af72506c6cd1147eed

SHA256
ece2877efe4b0bb7fb84d91cf4dfa2386218f213db0d87f64c778232c2eed5f1

SHA512
65657546661a0981fe6914e1abe0e65793f2cff0f96f184952681f5451f6a8776c8c4aaa5fc734ebe5280a05dfb734b18ee724d7e54905e91a692e4f622ecdc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
42062076b394d78c26b4516b719c7353

SHA1
e9bab7351f0c98b636b57a0f16522407f82bc6be

SHA256
3a99f18a054ecfd1a3ed4688362ea1f33368a1fc0389e97d9e9c07b3ca4e15aa

SHA512
f35fcc1c58cb5cc18f04cb09a3496d83204da2997e7bb01f44f84288fc171b8360f5ee33436bafc55fc25dac828b98ae702c40f2a95f05656b24d1dfd6e6be1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
f8c14761a26425ed979b18308c9f059e

SHA1
8712a653f873d796015106ffbf983f6cd85c2543

SHA256
87451896090b3a363ccc3b8127fc1d373e28adb3a2d7f8339c25d15c6e5f2945

SHA512
bf56d9b19520d4de36b062b56d8e953d9caf13822af1b7d6d21b838bdf03e1c92b8a5f71b4c3dd0e27627539c42eb0428eea76b25060f879183214ba3b900c0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
77d9abb77d2cc4061969af45cd63736b

SHA1
a88933a568f0b31743da5269e6f009903677b772

SHA256
18fa4fa9920cdbd8c705af4933475c86096ccd3ae490b23eac31fcf4aec85f6a

SHA512
ce09bbb4f7bf63041f50960f593cbaf57f8ee2b00868af2413fba68778346ae46a1b3bbbc377ce639b4aaf8fbbff1e890c2e85f2b5ada78bae824ed85d8a4c6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c18f047db8a19171d5eff71c12ecb6ff

SHA1
533087d583780a5a7bf736224a0e9ada8ff6d1d3

SHA256
215a9ac97f82586e1fac7de56ca1ffc268532e80c71cd3f4b5a3e3eaf0eebff3

SHA512
63fc64c33f6efda4ee8425548dbc5aac423b87c21ff283cc20b1e1e3a78b1fa0038801dcbf7e83c9381dd450ee9d586edb9e6818368c40f93ac808f12aa81626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
dfc774c71f2a1376adf16e3ce0483e04

SHA1
e56dfb3ca1fc56154fd03e664d9ec8847fb93eaf

SHA256
0080374e50cd639e83a4482e12a00a552e03b15bbe0d5cc70952c2951a380c01

SHA512
d732529bad5a340671587970008a80e6a7e9300b4a3b932e10b108c8a6f25e5602544fbe28add2def023f36fac44f374eae09b96684760809f49d83b8cb79c40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
7152cb6b376f2b49d4ff96ed859706f7

SHA1
1a7e37f88d85aadd33b64b2ef66cc424e9114497

SHA256
9d03d3fb90f9cf888038be61ac6627ecaf52d3e59a304149d001bfaf76ffcccc

SHA512
75be91e3765129e553907aa36377da0d765c70b3d30d378f7ad494591325ce9c5fd3846883760cc206f632da231b44a0fd1f3ed74279a33897c1ac0ae28fead3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
902da66eb26faa294f1b82f118b78bf8

SHA1
ffc04d7f315acd13974f92b9fb7b58885773de58

SHA256
266764eecc7208561d2fb06091a49d278ef540b0fff082e7f3ea55091521a609

SHA512
461f89f1346bfdfbb25e104ad0609e8db7a6537dfc4f33785b28b7c6722ceea1be13bb5d4af5e34b2bd1d419088eec3a1b85fc456a44b0de8cc38a178edb9e05

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
99c802c75e1f484955ba09d9644ff37a

SHA1
35028790fb6e181e19daa3e9a129a3fc20d316c2

SHA256
de138ae852fdc03461d21ca8ee128d32b2c8dfd8bce754db3ef0adefd9cd93ee

SHA512
eb8c7af47f770778139ab24cb50d3de6b802ae7d604cc9382c787784d49092247b7cbace8e4036a9207c7def4a1f21fb8e0e9b49370345ab9df22f5cb55be981

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
0108be02714bf892b4a5cfba1dc7e654

SHA1
7017b37de3a10870d2cce7e7b74af1b2f02f4e4d

SHA256
c0c923344caf777a82968bda0c1dc01fad172320841bd8fd16b01cf7d4ce99d7

SHA512
917466033b14bbe28ff1bedab9999e1df8c5de0894c909ccb49b9cda79994dc42afb7b9bc995d9950e36a244b644b485bac62fbbb7920e82b7f18a2ab9f1bb7e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1bd4f1e14eab0b1aeb11769a619c7191

SHA1
eed7bfd24999daa0f16261b6752452e1ff2c5912

SHA256
fdeba38e37ced6695938081b6d6dbb61990b1ac67e189bf0493351245819952c

SHA512
6a11844302ee7e9c5becdc0c42110686bf3481952a456c7572cb1f57b13a7df268b7f90d6295fe6cd0d05bd513c43fa84c8a5fcad96733f0cb56b0ba1752d14b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2fc723eaa007616881715ee4e730e659

SHA1
7e125d01e80402afccb6557b56dbfaea76c208fd

SHA256
53746639c5daa2e9d76e60788ab00b738390a40eb367d0bf2631cca123398736

SHA512
653250d4f887326fba52becffd7423559827f9d60013bdcf063711b25f4b59fb00942459c31fed87533a4d37291ef3b91a9c459fd3951fe15a1ac6adba31a54a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
94abbba6796cced4897a040a4473a92c

SHA1
be9cd0831adc2064a60b62a14879525532140ba0

SHA256
7593a9bad432bef0806fa78ce2a98c68bd90913400d03c78654831cfa458ca09

SHA512
4191cf290f5892ecd9e82423d8099375acb685d77eab60f64c156e89e963a2c8eef728e565fd463c1cbe8bda2e2bbee8f6801503732b299702e7fec976afe3d9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
900f3051603e4397299dc3783feb73ea

SHA1
58ec098affb15d1bf00f6d89183e48755a067075

SHA256
3af212e49702dcaf3326cdeac85e6b5541831b51542d6fffe5324f26a3770010

SHA512
7b41411ac06e6c278bc7eb2050b91950640ff0c68700b47c83112be6704448dbf8c36a91ca12ed400a220a49130bef2a0ff057a8f2e076c9c06532080cc0e744

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7f79bcc9c41f54ea1f618ff551460971

SHA1
16630581d3712313ffa5ac6a80369a8b3d299e2b

SHA256
8b5548f072c2d6e3bd4f900355ee421af2f1f99c5abe59bb054bd14834064fdf

SHA512
1c3b8bda421f322ef3bd5e54141d77803d3a7b22d9f334180f498b51d6fcb87c728185597b9ed05c93b0709268d06b7f137cd248a40c84c7560db7da5f40faf4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
415649066ecc60a2a2013a6c69021389

SHA1
e6571ea8890db03f700300423506c0f8c146c2f6

SHA256
155e2bb3506620a80a16f888c7821d8605c70faacfbf1a6b4f9ffce9be630408

SHA512
67ef2d94d5c65dfbe86fb224a097c6d9a31b5518ba4bb3b37c1df254f82996b3f7e42497e0c3db435157562d7fd2df2da2b291e3e8543b4dbc8fa3f407929f70

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
d64f382f2b31ae70815f16a0515ed821

SHA1
c1d6fd476eece23d895980f1ca9c8e8798a2ad11

SHA256
e2938ee5d11ab0150ed4243f22443c81f617069c632e90ea51522fa3029fbf8e

SHA512
65d81a725100451bc77d903101c0285e724ead3465ada5ace5c5b41f093bf73aceab1ccacd09d7a3ab4ff911d941500cc6f0396e32241a35e9e33c77b68c1e3c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6632dac6ca89c65e359b63442e806c9

SHA1
a4638cb9fa138b30d46a021c0f5bf2f6103b5083

SHA256
7e8b16661db5b4398e5c7d4ae0335328b7cad6fb63cfedbca9a88324211aebe1

SHA512
4f163fd24ba29a831d2caabc689c876e94589891abd9fd2b5d5347a6652fa9320523dddb2b0a21c076e4e38744786cd116b652fecceced45e7a689edfbe59ee8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a1bb2a901fcf27771f6d9964f298cfc1

SHA1
80f5c683caa0f92db9ad877a287df394599e595d

SHA256
e2af5f9f1683edc6c612bd2026b033d78213ae12afaa171075479e9a6a5a7ffd

SHA512
2f1d7f9c36372043b211ce4989312d3cacfb773953f90642ec6b77c60df4ca1e7306751fc0d06ce43378fa68ab116504d8c3d418149fe993a20835b33a52b317

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a4e8e282f720734ce5585cabca028b21

SHA1
412d2a7015baca42da6184f9d0989cec2534d4b2

SHA256
e4f6cbd1f60dd91144b20819a6c3b2dffc95f6c75adf5309f3eddc32450ba35e

SHA512
4a05d5e66c34c868a01281e0e99e9751a1b51d5f6e2840b192c8ec17529f68325a0f83fd8146cb4de01bdb9e9bc7c286168d9fd03f598a17c05d26d7f81c5665

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
28dec8a8c1043242791f5b335510bda9

SHA1
db45527b886350ae69abccfd582a9afbf4025912

SHA256
811f10b1c554819de4daae40ecc6e7288d0b5a500d9998a50f8f7398ba6a3814

SHA512
d43cc0472dc02b80115e18bcde817661087d40fdac63dcc8514c216d143d0ca91f01f301bced4150913d05fc4d3e5942e7b8f4fcaa6a5079a90d628288d4b522

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fb797520766276965b7c51c5f6bbae48

SHA1
b1a058113250d1d9f25f3e508274c2fb7fd8d1af

SHA256
2477ba61c102d2cd239ae5f0b540fedb8697af6033ab1d59fcea93ee3f804eff

SHA512
d8ba46bb1143acb999f49419f5b4928b8782769d07bed11d7162a1b45e76579a72ed7aa79c751759e56526d3e1a7fdb46b6c2a8b7baa736714ac7b28ef0642fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f3c3fbebe493226633d8f23183062995

SHA1
5f73d6d1cf3adfb63f63e149fd1771b55254590f

SHA256
cf1d962792a19e80d76bbafef838f93f5e220df16adf9ec136944ec7c0f451e5

SHA512
fb66c9cc3aceecbb3e48dc1b1a6c219dff5430392cc606750fb50f75fdf9d9bcf09aff9619a0680f4a69f97977aff8b3d900e04285fbbea1dcc72d4a75a0cabf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
99984fb6030b80236ee1ae6f1734320a

SHA1
6a5a2a7171bd5cc28d53c185f3e7b929caa10bcd

SHA256
1a994ec0e4d9cc2558b27a1971b1d559624a30dbfbdf9749b148c74fd59d2b4b

SHA512
4bfce9903931c55069d9b4e1a78d21441b6ea0b456085c36cf2c1354eea64010b486554aaf5acf6889aa78cfd1cbe174f0ebce085a89190c09f59f09e114b5d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
1e3f718be9e57aeccfb94ce2795e01fc

SHA1
579d9b19b525410bfb16f3d4557c067ff4a097b9

SHA256
f2f92ee8bc347675fd2aa8743a0d8a9754b2786edbb485ffcca14b18be015f02

SHA512
d7c1ac946f65a4ab76a5549e8ed0f6526643c48115d100545d8afdbb5c641fe6a4cc5920282ab412f86329ddfb0f3276c412e2682c00800d49365dd8dd228ce0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b3274ad4bb3adac72b6cc04b307c8adc

SHA1
9499d43214e2844dca1c21b8b753747f6038deb8

SHA256
804903389767cca7d4b1dde487a5fb92998b88212f72566895cf86c44e110748

SHA512
7d736c0ff80c85f7d39ebf04953ad399b01b5b0f0226ff51dea824bdddc313188e8d6c970873182fc0fbe9adf572e7011a4e82fc8049972571368a054aee5422

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a730c0fd31a9b2513b6730944872609c

SHA1
42a23e39095d702143773ccf9dd9bc4ca4c5894a

SHA256
f36e1b397a2bd72325df5b979b68e3d2f1b729256b7140335186597c751d7643

SHA512
7e89f60008d8cc421ebd25426c0c89970f37d03dcac9bfbfb61b854d1c5c52bcb14fa6d10a69ea322054444025e3d8c2ba1aa3fc9017d7b462cfdadab1f5bcc6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
00b41f9cb34717e5dc43a64453c820e5

SHA1
e1ce59dbe939cb06ed6c5314a495a568e8869eef

SHA256
feee77446ba18ab151fefb5d2a1f22262979b03d1ec77fc5f879d3020d786b06

SHA512
c30879380f9924dbd7168183022c3e5d0258089111384db5c03014f3cb255e0630a3e994a5d5db4050226a0ee07085bfa8a105ff7941e45a338f532b3eda9e9f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2d88f7380c870c81a4d0b9810a5a63ad

SHA1
40a3bb5be189f6d9ada6a3640f086fcc7af571c9

SHA256
16ec82069f1bbd67c7e59e6689984d7339b9b6e0d8bb9125c484192a9dcf2cf8

SHA512
1bed24fbb4e5f186514728d3dd1b92e0430245da8bd41f43e69fb4656fdce7e192fb8f6598214d63e2b78fc6cefb139db4ee98a34630a984a8af37d5c969bf9e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
380e83906d999574749300e332cd1ebc

SHA1
77dd96a69fe2705ffcac1a7f7d3a18a53cd1ac38

SHA256
5d2a28b0143ae5bd4c4b9b303c128b24c14cb8657678f67e9049d02111943da0

SHA512
bd4f64e7adf01eef3f19007f073862a99852ec229b39d09b5c09bb7cda4eccdf9cfa2d0a1039567d19897ad75ca6f889bb79e74e707ffcef5f2203922aed025f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
09d8036c43d23490d971f64aa3dc36a7

SHA1
6a5f325bc3eecda25589063b5c271ea4f68c8c80

SHA256
912f4bfeb3092284a39b13e635692cdc03a4913d0eff003b18aa7d87ff5e1be4

SHA512
fd1ec53f59ab955987c585da93ef08f061688749461db6dfa9c86625d6cfcf79d136bb2f30d472a931e771267de752fc1f63e120ae6c555bf045bac5200611d1

Download Submit
memory/552-580-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/552-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/624-43-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/624-37-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/624-60-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/624-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1012-1-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/1012-8-0x0000000000BD0000-0x0000000000C37000-memory.dmp

Filesize
412KB

Download
memory/1012-111-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1012-0-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1528-18-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1528-126-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/1528-22-0x0000000140000000-0x000000014024D000-memory.dmp

Filesize
2.3MB

Download
memory/1528-12-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1724-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1724-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1776-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1776-34-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/1776-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1784-507-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1784-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2004-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2004-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2308-112-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/2416-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2416-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2416-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2644-253-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2644-132-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/2948-526-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/2948-193-0x0000000140000000-0x00000001402A5000-memory.dmp

Filesize
2.6MB

Download
memory/3104-530-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3104-202-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/3632-265-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/3632-145-0x0000000140000000-0x0000000140238000-memory.dmp

Filesize
2.2MB

Download
memory/3676-268-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3676-584-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3712-160-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3712-410-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3816-531-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3816-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3856-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3856-585-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4072-53-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4072-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4072-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4072-47-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4212-88-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4212-96-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/4212-207-0x0000000140000000-0x000000014025C000-memory.dmp

Filesize
2.4MB

Download
memory/4528-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4528-85-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4528-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4528-81-0x0000000140000000-0x0000000140272000-memory.dmp

Filesize
2.4MB

Download
memory/4528-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4884-115-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/4884-233-0x0000000140000000-0x000000014024E000-memory.dmp

Filesize
2.3MB

Download
memory/4948-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4948-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4948-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4948-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download