31d77869d95211d1972c61e7e40bf31ec247a63e7cf649fda4dbff14cc42d836

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Size

712KB
MD5

e1da8b45c05e167be26f893b66d25356
SHA1

b912ec3d33ffc73351fed30fca5d8a268e848d4f
SHA256

31d77869d95211d1972c61e7e40bf31ec247a63e7cf649fda4dbff14cc42d836
SHA512

b6134e62f7a2ff5b01c2b561e1d39e23763d2876b9e9dcc8e1de64d792c9b8b6f03b8ac1c3171fbf6cf0b57cb6319b18d98edbeaffe4fa1b60edcde7d956f48b
SSDEEP

12288:YtOw6BaVJgeKznl5TXJR0j3p2pVUrrQuLoWTF23JVbd0UILzXSocmKdYNq6:m6BUJ7ozX0j52pMkuLoiSJVlIL29mhNL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2276	alg.exe
4796	DiagnosticsHub.StandardCollector.Service.exe
4960	fxssvc.exe
1344	elevation_service.exe
832	elevation_service.exe
4684	maintenanceservice.exe
4884	msdtc.exe
4996	OSE.EXE
4532	PerceptionSimulationService.exe
3884	perfhost.exe
4968	locator.exe
1116	SensorDataService.exe
4788	snmptrap.exe
4932	spectrum.exe
2204	ssh-agent.exe
3924	TieringEngineService.exe
1948	AgentService.exe
4552	vds.exe
3932	vssvc.exe
4264	wbengine.exe
4688	WmiApSrv.exe
3456	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5655b829c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d9e082c6ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048ed162c6ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a53c062c6ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025dbe42b6ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081e7382e6ba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000748e5d2d6ba4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef1e262b6ba4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b133d2c6ba4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Token: SeAuditPrivilege	4960	fxssvc.exe
Token: SeRestorePrivilege	3924	TieringEngineService.exe
Token: SeManageVolumePrivilege	3924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1948	AgentService.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeBackupPrivilege	4264	wbengine.exe
Token: SeRestorePrivilege	4264	wbengine.exe
Token: SeSecurityPrivilege	4264	wbengine.exe
Token: 33	3456	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3456	SearchIndexer.exe
Token: SeDebugPrivilege	804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Token: SeDebugPrivilege	804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Token: SeDebugPrivilege	804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Token: SeDebugPrivilege	804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Token: SeDebugPrivilege	804	2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 3720	3456	SearchIndexer.exe	110
PID 3456 wrote to memory of 3720	3456	SearchIndexer.exe	110
PID 3456 wrote to memory of 464	3456	SearchIndexer.exe	111
PID 3456 wrote to memory of 464	3456	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_e1da8b45c05e167be26f893b66d25356_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:832

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4884

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3720
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fec4d6e1adf2ea342105357257883d65

SHA1
b9e6ff4d12c95fde55cd59ad6f25b15233974562

SHA256
18927e5cd1ceb8c75d47483c4b25eea0f5ec462525edc656111ebc4437cb1281

SHA512
b330424112b7b99722d80a2a5263c374edd3c2b4500468efda6625ee652f7d2842e567b6b6ff042c07c558a912d26cd0fac2b0197d5c820e9d7b8e4173934719

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7807e0bbaa1bf8b88a2109ef996550d5

SHA1
1e42488e0e0145a5de5f24737b49c92c8b375583

SHA256
3d01d8227b13625c7802208f75faa9d0a26064b287dd397694d447a8d2e99257

SHA512
7ea6a9fecff132c34f7843fa8de6a6c7188ef5a3965c3d3a4939eeffcfde0e6df7d655ecad32de535981bdef58057aeaa42395d47dc50b784e5df00002700f13

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c60a874aaed6a3ae5d769ac8ff907437

SHA1
0a72285f4a612c716c3a088390dbc400f48a0098

SHA256
5f917edb06891ebc12ad050806352baab4e7c5bad8d6c6a02dd18025e423221b

SHA512
756d592d1d14d3f9f182fa725604b830ac98d567982424ff342154b374b81b5de1e34ed016f7c3cece25bbdc334b7a718936ea3c03688f3bbb59fba7bc862a51

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
db60d1e4dc298805d1384920179758be

SHA1
40acd47fd3b2b5fb7e2614f6b1a60c0ea6fc5738

SHA256
8c926a947c77e7e31a0ebc164b13d2bc261e9e5c2cfce4221e31ec6659dd9733

SHA512
09fe9a330e49a8b67408f2918d6a26e6134b094726c2720608bbdd605e39efccb4eaed8c50be9877e2bca7c786f294618646e44507e70624bf15731af05893a6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
23d8d0704682f554d011e8d5df05c347

SHA1
12109aa9e938479a0d2599c47b593570df8c1136

SHA256
a36427628e6c161eb1b8795e237d58518a9ff4d4c46019f17c27fbe53fc65380

SHA512
2f90e1f64eabad9f9fbf518ecb7f937f6e167f86ec7bc1ad8409d13bd35f415861768388236327f4e15e4eaf9994c16af4aa705150edaefd35a73b97048b77bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d85353809bcb49a6c77d0fc308ebd018

SHA1
ddde966a0c16211f76fcf9b3a7fb4612480199dd

SHA256
3e4be697c57ceb2e336e185653e5d61046971a492eb9a517ee35e204fbcb8761

SHA512
87fa03ea87f22bf54443b508942b32f914db23a7028872e06fcd359e5160f3e4e0b184ca89ea7b927a09bc4467b52f2d01151b2f83700dcd2e21a666cf7218ce

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fb47e2f6cbcd7f4c770f359f0b96f618

SHA1
54e4a7df5969e1c7ff9a485fa50de4fa92634344

SHA256
da6e39ed3d62e46a355d1e8d7d0b509c6aef9d42eb70f059195e82f817489de2

SHA512
0fe2a9e29da30692278fbf4cfd5aec54c168248f3dab549ef313fde05d6db1dc081f2cc7cece9f72016d82cef2bb094510a37d4d7e91cc3c7e7250170ca31322

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
67484838bf947015066da074cfcbdc28

SHA1
982f08aa7df3c38e8843368f83da31d8284a63e2

SHA256
3495c7d5ed5c288b10f6964eb06eb8aa1e51e8289d0743cee319508b35758bbe

SHA512
f9cbea60b9525b818b730af5e1f358be597e563786c02b96ed3bdee64c57a376faf19dd6921c96f039a9a93e8de7d310b5893aa02dce16668124eb5fe712bccd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6546fa46ce8fe4849247c63e1d087c4a

SHA1
92cab8293c424a03f2b817b640d18850b8ff5e18

SHA256
7d060bd8d1d0369ace857d4d39b1810024f3fb0d5ef0a6050e132427f3943e3e

SHA512
eb8e34d92697a5bbea53249df579731870ecafc590f3df3e8ec1277fe4531dcaa695607962c14d20c18393eeab08f6c678e92cf8afd7624c13b0087c78ff69a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
51e9c5081d56872030af9e04ccd2734c

SHA1
69dd1cfb7d3ed12f431cbbea503eacbc801bc9d3

SHA256
046ad569a884445c4b51e15e07bdcd711a947b0be1d0b76222e641e142cfbeee

SHA512
7ba4f5c4f46067edb7572c857bcf78ea3f63904525e94ae9379063646bf192da8d9e4325153e09bb26c19c8890fe4f2b736318c1596d9d8706493ca8ceb67f0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b0df22d46126a9e52f84657e755d9f76

SHA1
7c70c966031416c4a8bb165ac6c2b3ecb0727718

SHA256
76cec8aaa4e9d81dca5d0f6dbfa3a8497f0655b0dedf0fef7cf4585d2afaaa63

SHA512
1bdf8ae6d3d2fa8f2152a38385a27b020dbc205b60b6fea6dd3e50cfcdc9404a754cc5141390e4aa525d23eee3a94bd28271344aa0ee4ad2053b1a7fd34a1efa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6326c8a15d4b56d75707fbc3655df408

SHA1
b07427c2df5df32e712aa2889c0566f79de796ac

SHA256
b48849bfee9e8e5d4f137772945368605014263161d9368799aa636e96e2ceb1

SHA512
ec1900a9b5f2753d18b433bbc6b3def81906798f3ef91348afe078bd6584507662d6d0c3c5beab59d573f174af4ed1cf69f9c40e6e7308b934f3e0f069e591e2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7176727118c7747c4058ea9ed17651f5

SHA1
eee9cda926238312890527d729811ac7c3f73ea8

SHA256
ffe89c63b27386960e13d30587301f989e4bc6d35036a462d56ebd518bbcb203

SHA512
492525df996a2c722bc5e5aec748929917b2e02472369a409cc44cb0117e146131c5068559e572c2633e9e75e1749e2247cc9780738296009972f46fcb70c1d8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b84e6ebe799abe82061e958c2b8b292a

SHA1
909738d8870fb50867fd9dd6593e479500a942a8

SHA256
3b2cdc8ca38f6e323a15e76cc2820e73f0f7f1362092c5ff9a2a40fe9dd8ef79

SHA512
c0f8d21e2e73baa62d96cffb057755ff3f66723c8c6fa1dd20b1f49b4f230b6f847ce3a46cf4fa3551599598b80ae08dc1119f4d896fb8cdc98df68f4b56f6f4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1b21f2d8db69945e4447b79043f0a4ea

SHA1
5c089eb3ae33ebc1a18c7a7dbabdc5f55c2e9b02

SHA256
1d0614618c16cd14965c3460b1e195b03f288b042968e3c1185513c2acf169b6

SHA512
d08e9de4a31ced71d93da914af7c70e7d534c51fa06119fcd9310e6176dc454ae254d6f4117738323492d76e53dda8850f9abed909a321d553d6e160c5b3fabd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a9f0e2d222196b997b79a90224b61a4a

SHA1
139f35d4d196a32153336ec4f48b234046e9b1a2

SHA256
20f74b8c8a5246834af392b5755c33cb59d63320e30d7e890c19ad8d2eb06a57

SHA512
16f68db0646eb55b95e302b1e6d40b073c7d39e035aa6f685fb0992b5f4ed0cd67be5d2777a4d9c6c052f1f2ecd5667105a051ff0a6b297a9b8cf814cd4472f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f27a78dcbc6772c0ffb2fd3e4b7e2c1f

SHA1
cad64d5e923088d2cb2e4d7bf9b4b2ba90dc0690

SHA256
15ba778631799f933cf2454796bca5832453c96c54e827875f2d6ae9273d54b2

SHA512
4fb749ec6bec74ef7374c6e2084b241b6d7b3f521702fee2c599bbead7d47c2f097a0995c885afe3eb8d69b83d4ac4dc679d11ad630d440adb89327505bf73a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
81237119cbf2cb9a6b8a9618c2790154

SHA1
91f82c3743649508142cad4345633101a9a436c8

SHA256
ad1be1e63cb5b71c673e9de3c27e7ab8c1f84c037e60b48d918ad4a4ace1e392

SHA512
be6e2cc38b26a546cd3c40798080f20c16d07a6840f0cdfc23ea0b5c6c295c651a4187ee3186e18a4e2eddabaefd139043ff4bdb86f1c4880dc088d62c065c2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6bf85c487eb56aa025756bdcd88beb95

SHA1
47402961705e1d8ecf3b2205827a9ef51a6db5f1

SHA256
07e82cd92fc5fe3e20f5ef4d7af30f76818234fb1ba35dd0f3e9c53108f1dfa4

SHA512
aa42aa106730fffa69f52c8e16f2100e4777ea32a98dab3975b9ef77ee672fb8c2365e9af9e3773e8f8d6904d1072c7550adc05d37b9b236d7c47047edf2ff94

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8e2bea890c623ac3ec0a1109ca22e168

SHA1
bf50a5dfc99d1c342521235959bd1671c8e207b0

SHA256
f243005f3a57afb6dbb2af482aa9d6f9dcde24cd4328d541b7c3dc064012f3f1

SHA512
ba6d43d150c3877cf55b6b45fc880ac9acc88cf934bc4bb7aafb6f4e9f0fb61f7b582ee0af797297856c7d973c4ec134305867b07e23ba4ecb81910ea31781f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d00f4b8e956221e320aa2cc2d688011b

SHA1
6a32c0f3ecd7badf02ab69dddd86f5e6521706b3

SHA256
dae596fcddcee3838db7b687b8863c3e66e888ce39601a3515b2c37e366a869c

SHA512
1a229dcf020705d15906ee8c515eb76fc703ed1aeaf88870c5e58d6c3170a87d95ed592547f901e3ee00b03ff7587284f1684e23d564ed88350fab64187736bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c044963c6769f9f8b08bb63595ce9f86

SHA1
14c85f9e37d7f6de29b3f0d5bd45e85cf81fcd55

SHA256
d348cdb083689b6b2d5e8c058c782f9384dec1429a622040c9466626472f9563

SHA512
ffe0271c2560466f72a9b246583fc8cad96d69b89d88303e30127845ffd9f4318ce15f9c40f4804c78ce292ceac9e4148228cbdea418d0e18d4c88f3540f9c2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c109d6c84d10cdcfd171eb8bf7b5ebed

SHA1
b764f4a12214099855163a6bb2199bf535db661d

SHA256
c7eefbd60bdc1ba5c49ba65cc31f501ba3733d248e3f4148e785cb630038a24f

SHA512
87fc7f0579368a860cc80a07ad2299a0ed51425ca919408292fc2b3e769792874c637a631f1abae499c0e030ab9487ec3d1c662edbcda7fff02a5025cebe111d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3e901de5f5d1b18db7f626fdbc8a5916

SHA1
3b0d881d39ec796ee233a0d653c7c86f94f3915e

SHA256
0ac4844bddd0d2eea949883365ecbc46f12eb1e79cc1c3727da72edbfc33e504

SHA512
6d9dd989da48f7ff01ff9b6e93085c1d1dbc397590330cfe5c23c73777c39ce055701a97ba00c88b51ebbb7705b03d6029368562e4c27723acf73dab3a3e615c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
374a269f076527ccc2b5941341f8a13e

SHA1
1e3dab76e0ab5e45f9c0e5c803ac3e087eb33b2f

SHA256
59b245273c737f5f1931b258a0683d00164701eebac826b8068a007358b2375d

SHA512
06f95606e3bae0e11abbb1b703f161a35897efe3317dcb36ced7b3e699e4b3f42e2a6805e798bce098e3863bed77cb86c423ff7676fb4ed4e7c13bb61f288a62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
00ff288d9b174120e3133969920f3a6b

SHA1
2bd678356fe71fd2186c477cb387c1fec5c8ca1a

SHA256
88457f6894de0c40e91f47214fd5cb3805b239b4a1bcea3782d61dee8cb3322e

SHA512
cefce3d359f6839eb1a52511d10c99ebcdd8ec0d339aa4d531995aab96484b8579c6ab2518c12f402e3cd1107a3b99a116ddd58bcb422261cbf3ff22ffc687f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4c73a40d4092b70ca70f77d15f4cb206

SHA1
6dd7e1ca4274c3d1fa6c689c864e9a9020861e9b

SHA256
855bdfc9b0dc37ce527a1ba922e7920fb6909b051479f6247e8db2d6548f19cf

SHA512
e3fe278d55c95d245da9f019130e36d8e96ff7a7cc2c6ddfce5ce18e1a07550d317139bb66bc693ecc43cc6993b08b0d608396d3e176966ca67d4596be9dd609

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4c0e567c1cd399245c3f0aba429915d3

SHA1
0c668c0e6deb57383a83d61a625927ed0d92ff7a

SHA256
cf3b97608e5dead7ce4f40773cfd97f2f4d0ec92ec104f73cffc5b8c59200756

SHA512
705f27fc657ceb112590ecfd16ea2293412435af0395bc65655649d28a2c83f32ec198ec87519d05cdcb72e25c92f733c14f875b10577ee073912cd8bce496e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
56d55f1765083c2ad2f8be1c52b717c0

SHA1
2e762f55dbf95b89b4b648f9594cb43f9184c520

SHA256
63a4b4c9168a954e1a23668042039bf3206ba8715af217c9c8a145611ac054c0

SHA512
904d568a9fc3df6018d33e37d4068bc1d6555d469a6afbc30fb447827f7d491a07dc5876486750d1568ee2004cca35527ce68bb9e4d261c9a0429d70b7d7016c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9cd9635be73088cd1d76ca4f0f9fe71e

SHA1
9a62f313aed5a73021133a5f23f3c8f152209c51

SHA256
0379ab282a17d325ee01a85be845f6275f24ca2aa9bfd16bd4eb4455dc2b6e6d

SHA512
bf103d50e04caef90a991af379b7307ab45102b5a1f0653e3037c961d8db7261a56aebff6b772930e2d97dd53ee325b9862ea13caa2c4465185d80b9b909ca61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
022c6e30041f191f0fc42f7adc24356c

SHA1
559484406ab83f795f10436c20e259427b04f83f

SHA256
15c29c56d8ef24ca5b0147b78918d47804b22b68fe022ce68fe32008f15a8b57

SHA512
bd57867e3a0c5b6202490d32d11c985f8209982862f46117f00f620731ad5aa6dd48c1f1553010d576f28844a340b44695e740f1d5e29c1c91c642c221ea4cbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c3e3a021125e5f9fd69beac6665a244d

SHA1
a966ee69fc2fb76153418c6cb24daaf906a1f3e3

SHA256
eb76cdc51fbc0c4409a71992e6f2358824528fe19431fa960dc8896410c03bea

SHA512
13fabd34baded2f851b8fa585bb98fec6dd1c5a05c9c5d189bf00db8c017ab61528d799c717b79ea8af8661e98a279f36abab95b6a4c096c9a8862a401ace26c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a43dcd1492cc676c459f7c4e036f2445

SHA1
bbddcc8771b2205cc657707a4eabfceb75f02d73

SHA256
99a8ab7fbbe9d9789bbff95239e1e873f8d5f76ab8a1ba8aa910c8e1e49ce745

SHA512
e8e2b1b4fa928fb8200b54da43ba9f31757d4c994d5d13793a62857c1d91c8331ae3528ad121f1cd5d9481a5b0e603afc2128a36a7a07aea972657f919fbcc18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
10a8c75e05167858bc5c5381e5c63bc8

SHA1
83b781ed62da7470a647e6a116697ac48d902e36

SHA256
fd9bc4bd80abf1ffee45f78da605d49a7ab3fdf5f1b8452402eb1cbdba3f7fc4

SHA512
9134557732784bb5ee5337285d6f33a034f7bb9b3fe4f82cb2544552c53932c4af897bd5215794f03f9ffb13c8acd03499b7140088aaccd9459cc145cd320c43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a6b3e990949b18362aa45d8e297ec0a5

SHA1
2567a8cc4e372589e1f43cf4733b12c51899f85a

SHA256
64f24eeaf4a740235bc49cb9d7e0e086d94b5914df64d24701eede87cf7f9755

SHA512
c86867da6afef14b21cde40761a99d84b23717cf5da9b1e98ee9b7fd858bf76808bc30fdbd88183f45a31013daa9b2b449bbcfadc73c0247721a82f07c94e953

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cd9ed4eaec05e7a11cc1b63e40c21952

SHA1
d2ad1718568d6ceb98ad4e7a1428ddcf27acf38e

SHA256
3033cf470120572de5291028a0b584b2880b9f42f25d43067136a39c9791f425

SHA512
5b8d12c1700846a86d49ad814c7003211ffdba6cdd06bfa5cac3baeb0048c737aede5cc30ca656642f4173242d23750b55b4781e698e4c896c77f8a5666609f5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9c5a03c5f421544bc9c00f5ea4b3356a

SHA1
f30e89bd6390a77a81757c7348c1f47684013eb7

SHA256
ae5fb83ef9738f2124c937427c61220dc44f453ed955a3be00613d4d44c3e69c

SHA512
30d77a5a3ec8759b1835132344ed160f3774c25320ea8618cb363d04ce8ed2fdc8f7d879a4e31640b52e61354bbcd7fada88adabfbc1a72db2af1292b39d88c9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d62f93dee44902c369ac991385974f60

SHA1
eee1b9370f744b1ed2dc03951fd68cfef1505daf

SHA256
1c2b8c86731ab62ca7e41d33cf32d5d0054e8799b7ee7cf1ea112910933c05d5

SHA512
05308d2b463505bdd4cc738cf6715f58974b15d9402c9cd6e6bdbf7398ed3be9e1cb84c3839975bb395602998ced4ec0f427ca6ec32481d2e18ddc5aa5fc084f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7f1b60d9f969209d19cb05b8ee15e66d

SHA1
a12a385571461757361e8936ef8480ff78ea0e1c

SHA256
192acebdf4faecc12e719e7a5e53549a2de8be0a08b19494fd4fbd7a22e6dc22

SHA512
947c5e9acedbc786227aee4c0217c7a0259953127205542c7a5d428614c40b918070bf0e3723bec51d45543f029907d2affb65c19937cb1cd14e4f57e6b15229

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0112d5762a46ee0aaf4482dc011a9d9d

SHA1
91fbfaa5e15557bdd87f6352af75047365b417a5

SHA256
b6afc42e9b826fc2eede715b7a7fb77188f09aa68ebbf303570cfa2489aae6f4

SHA512
16828dddd3898c04d579572969608fabcdba8937e78ac9d76c6310100f58c8dc2d2238d0bdcb3aede6491198c8814b53a03328a77fd4aafb0ecaedf444991c66

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
86c35399a0598c81bee5180c37f8712c

SHA1
57ec12d16dea6dbffe4245c7cdb4ab5af023610e

SHA256
916fc05f950c91c0fcf7d3150e4f5a80dc918f2bf8dfc9c9f7090e7e04a9d4bb

SHA512
9a8e0ce5642f36364c00152c41980eb1180710bd2901c8d63b513ebcd0b21898fdb917b51f55c4eb19f328aaf4cd8dbbb2790071a8157af1ca7d603e1c88e595

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
951afc20a3e2b7afcd4bf36ce10d6165

SHA1
380833b00576b663d2d739dea64099ff2be21031

SHA256
b130b301ff98a79c98a238f6a5871e846a96c41fb63996888c316fe839d44c9c

SHA512
edd3c11aa36fdc3992a4f5cc1bbd266e83a9bb867798df4c84bc9d7239705c32354ed63b951c8818a2b5c425d53ebcee7d84fabf062faaa92aa0aeb9d3aa6819

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
95b63c5319d40a084080497c273523a5

SHA1
380caf4e4709a8078a3df90521b320f9ef464dbe

SHA256
a46bd4b32d150fd1ff40fc467647ecff452d7381e22a43fd0be0185e6f08b2ce

SHA512
9d977460579aee9a76613e21a3022bd1283769b2951a688b8c34e176977b1acef8340250ac6ee96d3f4968fa5b981963f3478b3a44d413006984132d96d4a7bc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
152ad18a79fab79640187b4c027bf61e

SHA1
a3adf47676788bdf50931bf24dbf076566b4b0a2

SHA256
a1553d8943e5fda8af17551631e64819fe5790521101dae02898d7936a4b70f3

SHA512
98770125b57837a032d37fdbee2fed748228fb35f9c08a6e532b99d345bd617492b0ad4885c92308fd152c90051163be1322b3393e6f4460cdf37f4766f8aa55

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c9f05083b615d6a3fc85a85bca02c3bc

SHA1
cfc9b9d12dfbd54697fcc0423800a910ba54e149

SHA256
1865fbeb45df5f9f6b0204f161dd65804eb06d9ad5ebd58c9b05431117920c1d

SHA512
aa485cf53c0923bc02e93df8cbb561c67230c7d07225ab32c245a54988eb43e39b2583c5d41c4fc8a9e103e88f71ca5a867e558fb0f3c995a25aa906eb018d41

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1b0ed3f87890e48d8ebbb1b2b3210bbd

SHA1
10d1cb607c2165bee5a4e85c561a2f2d5dc13b32

SHA256
daa34d09e50b7c7c4e146343e9d4120aa83138a3e8ec790e02d5a02469362adc

SHA512
e42e22e9428ff7bcd5c1eb9e0f40a70900bda390d614b9aff8eb446616efc6f33d062cdf3eef266cc44985c135ef520a67b255811c411d81751379e2380567d4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7700ec57246108d96b6b0dc2230434de

SHA1
0273ac40ef0e481dca309629bbbe888442148787

SHA256
164b35d5555012b583549344c895df4e0acc647dcdbcd2cc69414272b17f2e4f

SHA512
f4f8332db42d619a3f1aab9afac5118997787596caf626bfa143f4cc6d31e2783f7c7c05c20ff155c2c4fae7dd373f16a6d9a7403712be2dbe7297cd9f2cf3f3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5b07654c1950ed2e062ddc514f85810f

SHA1
a8ab42e3b4d6f8cb30b93a88dd4adfb0f1620ff7

SHA256
533908088a79ff7ce8b9d54ab22d006db9f1ad6cbde190861fd518a9f214369c

SHA512
2172a51da5146d48c3963e739bc265eaa8230d7e09e8ccab138ef041a41ba050f02b8cbf181bc3af0ae7ecde1333864972dcea5703da7a4ff3152e0cdc054c03

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8fe445c0c9080ded3117931e00c470b8

SHA1
e4e1240ee29433701d2e8882efe3a309608779fd

SHA256
ac1e3ac6eca376f0b91bf5363faf83ae3ce147ca4cdbfe8a214482915c1f22a6

SHA512
2411d47f6de4a0beaff6664e1858d42c433568f4acffb84541604e49e6e25f8a45ab6815e7293079873280808dff996cf04b1144601e46fd91d4e9af79a7726e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
775f61fd80f79c29d13816725aa5d6e7

SHA1
3cd1a8e03f0b76bebd13d90700937c05d7483525

SHA256
db321eb161178a1892ab929e420539d46989d2aa557c7cd1832aa9ddb8130510

SHA512
5ba0b20a0eb07d9d19e4222deb76842b7ffc337a724090040a86dd9b6ceb667a721bd3f5f292886a382cac22afcd57ba70b44827af15242cf794c1dae2813a19

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5cadc89179dcbe391129f774a7ce2be2

SHA1
db918a9cd9615544878079518b54b396358ceef4

SHA256
f85e57e9c605fafd603fae46f51199547d745fe6673b3ebf2b561fdfa9323d8d

SHA512
d4b8e1cc9f28daf92059f39f82021a2c3839d4797cf15b6fec3d166e908a30111bb4ac2f6135c2300559f660a8787b5fe6d8ff48ef46b17001a98068faac4849

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4cfddb11aff1f4b808286d4ed109a7d7

SHA1
5855f9d9dca2ad4c701133c26410a76b5c31325f

SHA256
3f9d3bbac7efde3b48b7c196491cc1b4fee846ad5d1bface3137ed6023036c93

SHA512
38708f9bcbf09822f6ca9610a673f75098d03b8acbf270703cc007d9f3176e6038f2634ca2015a9595abe7ba727f39d87a64e15423813637a23d784e217890aa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
44c8b654399e5106626bcd63039884f1

SHA1
a0903401e303410c01fbf78ff6d2cc7d11eaf30f

SHA256
5b41cd2520688caf8c6c2940136d06aa44d44aaacd6f6ad31f2d19f1b7a3538b

SHA512
adc5fad2bc44350d28955b1f1b2389518eab9441aba71472b6707e604716e00651bf98a271d6bc5ddbbe2235b9f5c02094feb529c7243e372e36b475287bbf49

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aeeb5c336a0b49b1b5b33450cee5a128

SHA1
d6b8796e880d99ca153ce5eafb205609838511a1

SHA256
71a6ea4ad651afb46a860cc377a9b29cc0e9ec0fa955041dadcfefc79da1e358

SHA512
9192481f69fa42b26d55961d38552aba484baf12d68a7206ab512bccd6458c1958956728ffa4383c58a093b49bd346d260dbd183ca2a4ac4ec1677eca684e5ee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
71f3e36120a9f89cc529c5f36f983264

SHA1
810a4d0c7b97cc225ffc9d28515f83fb3623d2d0

SHA256
f89cc11741e1a96ff3fffb0f2ea9d227994789e80af4703bcb45e0c6b70e73be

SHA512
14c75d7fa7abdb0307da9e160fd924e400971aadc5725041bcfe0c600018ef570228ef39b5b5d0d36eb02363386526a9dacf8f4acfee9e35811c32591ce59505

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3afd915050c1531427495422c5595031

SHA1
c9d99f8f0e04ae3e5aaf6a5bf027771c6ea4edd2

SHA256
39eaadfb5c61f247408d86a4e02f687e4443c144104c4a95684782b6efd80ce1

SHA512
835ded6ebe1aaf6aa072c5dcf485ebc1ca9211fc55924eb400451cc7c1f69e6705ca7016c3960fca80d7134dcaf6bde319fa1f822145d01e7544b805f5243c2c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3dc3c73ab8d2e55a120137d29e51e7e1

SHA1
5dd932b8bc9387610a3bc26684ea9e306f44fc86

SHA256
7f59cf8ee8f8cc9530aac6898b847c59fb0dc31eb8ef974ae6b6354defa9b2d8

SHA512
c97c52d533744e516ebac7773db68eb7a89f70454a279b82b2f2121cd30702111366e28e5d784fce40747a3cb289ac85bf2204b16888b833e5f61921dfd1fa2f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d7f9f92a7dab4b8028bd8df2fee35564

SHA1
e1edf5039534fd7219845313f9725acc94381768

SHA256
3a6e7b548ab06f4e7764e65ba8e0946c3aa421347f45177d8a17007f498bacd9

SHA512
dcf5e21040c574601d2e1b283cb33f06d931b5f4e441c4408d3e79203d15171fd8da1536fe023ba989f7b07ce83879d98c6a7bb39d011dbabc3600385cbd8302

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
81d0ee09554fcfbc07349075e76dcf1b

SHA1
c099a023cedd18dadbaa3c0a9c08f1e9c8417318

SHA256
84fe10dce2f0ab17e6d025d8a7ffedf109d8262e46c2300df7538b63fe097d58

SHA512
70cfe2fe898b07aad0f67930bca9143729e28b096476befffa205bbab18945f2e84b354aec108957f71f3ceaf2c5a4514e6b915e1d6c6256649f153d7c7d3725

Download Submit
memory/804-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/804-238-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/804-1-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/804-7-0x0000000000A60000-0x0000000000AC7000-memory.dmp

Filesize
412KB

Download
memory/832-593-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/832-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/832-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/832-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1116-244-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1116-507-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1344-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1344-592-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1344-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1344-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1948-195-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2204-247-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2276-12-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2276-417-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2276-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2276-19-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3456-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3456-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3884-242-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3924-248-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3932-596-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4264-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4532-241-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4552-249-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4684-83-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4684-72-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4684-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4684-236-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4684-78-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4688-597-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4688-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4788-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4796-509-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4796-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4796-31-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4796-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4796-30-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4884-239-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4884-86-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4932-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4960-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4960-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4960-43-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4960-37-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4960-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-243-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4996-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download