c0d24d7525a102dca04299b67806b479495675eb4a0ecafad9558f89aac4941c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Size

2.3MB
MD5

95ad5b10d65e86b02da3d83778e95c88
SHA1

b9703462217ee86de5da639c46f4c30296afed88
SHA256

c0d24d7525a102dca04299b67806b479495675eb4a0ecafad9558f89aac4941c
SHA512

865169daccff297a4d850e7e4318b7f9c6ee28a8e0395aa65506d145f5f32bc3c9ba0802341f1be6dd135ff5c54ff93c8d79d322a79340e3d93aa19a301038ac
SSDEEP

49152:if3ZoG3UCj5qzWt2skmzb2R3NBHCYcMKCqy+XyTmp6I+e30jaNf1TWbdz:KZP3UCj50WtQwb2R3N9cMKCqy+XuU02m

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2468	alg.exe
5080	DiagnosticsHub.StandardCollector.Service.exe
2196	fxssvc.exe
2164	elevation_service.exe
412	elevation_service.exe
3216	maintenanceservice.exe
3188	msdtc.exe
836	OSE.EXE
1364	PerceptionSimulationService.exe
4892	perfhost.exe
3916	locator.exe
4984	SensorDataService.exe
2932	snmptrap.exe
4232	spectrum.exe
5016	ssh-agent.exe
4020	TieringEngineService.exe
1788	AgentService.exe
3420	vds.exe
1952	vssvc.exe
3612	wbengine.exe
776	WmiApSrv.exe
1540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f57e8283e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080e5f511aba4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa47f811aba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eec5a11aba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002636c611aba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dd78511aba4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc10bf11aba4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeAuditPrivilege	2196	fxssvc.exe
Token: SeRestorePrivilege	4020	TieringEngineService.exe
Token: SeManageVolumePrivilege	4020	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1788	AgentService.exe
Token: SeBackupPrivilege	1952	vssvc.exe
Token: SeRestorePrivilege	1952	vssvc.exe
Token: SeAuditPrivilege	1952	vssvc.exe
Token: SeBackupPrivilege	3612	wbengine.exe
Token: SeRestorePrivilege	3612	wbengine.exe
Token: SeSecurityPrivilege	3612	wbengine.exe
Token: 33	1540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1540	SearchIndexer.exe
Token: SeDebugPrivilege	2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeDebugPrivilege	2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeDebugPrivilege	2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeDebugPrivilege	2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeDebugPrivilege	2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	2468	alg.exe
Token: SeDebugPrivilege	2468	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
2600	2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 3840	1540	SearchIndexer.exe	116
PID 1540 wrote to memory of 3840	1540	SearchIndexer.exe	116
PID 1540 wrote to memory of 1220	1540	SearchIndexer.exe	117
PID 1540 wrote to memory of 1220	1540	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-12_95ad5b10d65e86b02da3d83778e95c88_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:412

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3216

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3188

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3840
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3990596b6b0788510eda955569dd7949

SHA1
558ef4028b64d94eda96c838d112e0230625038c

SHA256
a5e1ac424872c81da91bb359e380d143cf4361d18453b0ab4422fe7b7c199429

SHA512
4e60a9f32f02fe1b74efedbdd2d3ec403da6fd7e174485c85afced1bae6f3f37f8c7d2af242ef799e489a13db4eec086205de95fd24eeaa52e85be1c6accd24d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
32aee74cd74c3b22ba0e6b29e2f2d822

SHA1
241bedd06b2afc02914f9b0fb15cb007e49d564b

SHA256
4ac027a3d925618b8b31e7c7af684b7ddcb41de2410c15ff0ed83e498758f71f

SHA512
630dc62cffd69635ff0fc517f09ed8933d9049da4c528438fe40ae8b1dccfd32a65cae1a09d2a5b17b6e638a1e61d6c671ce9285989f09169447c0a586a1ce1b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4ddcadc5c205f81cb20b2fdf562f2abc

SHA1
d7b3d2eb84ea259ad45abdaee7d8680d453b1dff

SHA256
5c47842e5a71d99e2636b6825a825c56d3c87a54c5e70fd02550d05b94b4a923

SHA512
cf29f741cc925d0dc1a067ad4d4e377f52333fe5eed40d13ab1b2ec6f249cd5bebc37751dc439ae172c27cfeda78267aea31697740799b3ce9a674b2b7d3ebae

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8c5374ac045116f0b1c50027b1954bda

SHA1
0047b1da79af73551171216f793ceebde615e2a7

SHA256
5082dca8349e79fffff924681fd19a11ea78c364f2bff723d324d55d33bb5c5b

SHA512
163b4218faac1207cf1a0594a38ddd9e17b03212ebcc70d897b40e10768f1e8ac6cec0bc5afb4fc59a002a5fb62c9f4c64223674bd08e6dad625fdfdf32254d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
275f9992293c0ae545f01d6ef47a252f

SHA1
a9b7b0eb7f732e9a159a6b69d5a6191368aa24cc

SHA256
62cbe1e250b5e3f948a6050ef3f43ac322fad977dd043415ea77cef6fa7df932

SHA512
1d239b3799c31e78473e3cb15a4e0154dc9f7fbe52055439ec9e16a9c6997dfe5836af8cd6c3de7f6fd8ae7cd521adb338b2485b2ddd5b11dfc37b4d05fffa04

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
dc71cd240f88883124505e8abeb33e97

SHA1
56420a78f96236f52878bc82d9e88199c7b7712b

SHA256
fd515872fc49e38c362ea0a067e0cbf4ccb1bfe32711229ba2bb72be9a87c26a

SHA512
07bcac7c47051657dcd1321cff9fc4ab2be66bc2fb3ec90addfd158bee71b00e914f697168d249bf4f2be97e605aa7c195e9e7c847ab61e4f99412f7ef08185d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
bc530c4ecb4c48014d11d926d078b27a

SHA1
c5f46fd5ae784136c7ec8374ee95a768b2300a62

SHA256
3de6bbe5d8ad958795e36c8fa5375f50df23aea2e81c8d2023ec53e8f0b1b605

SHA512
1d0d4313f3d13a3c019c683d687d590e9a439e7c8bfeaf9c78a85f9a4b337a226fb84436a87f90c841a9edca25f10add414fac394c0da8dd0f90f01cbb09b726

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4c32308619875635bf605c494c82420b

SHA1
dca53a1653e059b600ee9d82e5016ae0ad8d0844

SHA256
7e8120a5f2ccef72d7e42b3eaecd7086c09feccf006a2357356134854c634a46

SHA512
3e7a0ad057b08c5ae7d62ceba849ab0081fb84a0f120ea14de97c2391dfdd9a99cbdcf9728cf7d0f27d8a40a5305ee78919db06a793b06115f1c8462b07b1c75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9c49c61dcb005bdba478fe784f1a9015

SHA1
97672d12a09adf379de3847175b70673a40aad4b

SHA256
3ac80bbb95e3db2470fbb9771251de968d4d2b33e7904b7452351399210dc8d1

SHA512
b52c6d48f7618b4da56a28ccc31f518551085cbc287ac56418e677aa01a86c688291e0edd07fb45e0b8ffcaaf7626d45ff2545275838390538ea07e8cc547ed3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a73cfa44ef3800496ef2eec23bb322a

SHA1
1f0dcdbc684352aa8924f33f3b898b5f3809d903

SHA256
e0604e3f08d516990bfb6d8f81cd5fcf3d4911bf8a6483ce83095a74c93456ad

SHA512
0806bdf4e54a49da20f4ddcedae78f9abf64579a4fcb067c2632a7b3b380646c23ae679e486548946cf9bb7d10d68eea37bd8ca674b5651f28dde24279157a7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
747d92bd07112a88d206461b29c233e0

SHA1
cddda743ea61618f7d54dc59f474acc1e438f0f0

SHA256
dcba4dfbd5d636a87a7af1cb4c224515958825e9dd941b1f181d5776482b0a46

SHA512
9f347cbfddb0d71476966e72d3a313ddcc0673c276c1955204e2c8a76bcb5811231a3a1f411c85230666347173c15eb4119b4720a348d88c059a9aea879f50a1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
66598a452354cd4e2de45625f3c4ce70

SHA1
8d65e4c81978f771895cb51b95c284e90dbcec6b

SHA256
132bef01002ad378b4a2b29f3005d97fd179cd1ebb0d47c7351542e4766115cd

SHA512
3297349ab56da0866efb76de9bfe007a116c3e33a842ffef3122e1eea6111a3355dd6e894e4ac6a099950f9177b9b2d34660e2a19ae841629de6b8bfc44a977a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
87fd05959ad9dc0434360b70ac3170bc

SHA1
8b5c982f238a688523e7d4111296baf04351a697

SHA256
a777ca823d607090e39a9ed00140cf2d6bd023daca6f956be3a27f22d350d908

SHA512
4e9b7748a540a8f975642ceee74165d932171b228d8b23446d047b2d325b875903afe38ca209ee2762dba5ffd68d6174cc53110089743fd18ba9a7af498cd418

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
71f00540d9505eddcac755b0a432ea9f

SHA1
cbac2285145a317735c785cf032462049adb096e

SHA256
365d4357112b3e58a2a8b29d155fc85bf01b8b5ddc61118c4872ed2d698bf79e

SHA512
f0c4888f6680835c3f65ffab836f07b2c537d018a79a1095327c68b34faf950afcd6fdc229accbd7ea7bcd0d6f97bd798a5a161d1d2db23cb32d831278d08c11

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0f82e41c9dd8b4bca521ae8eb368d7e0

SHA1
3398d4336b8f3339046d6048148e7d84979f0a55

SHA256
9ca72617dc6ec10abbd54efd5184d58414b282577fe33145c0997fab31c16aed

SHA512
33fc2b8ac3c6d344e2e5f39a4b330fc5f85cfbe52d367a0c68cabf2cb848e97da49acdff147e3f84406292757b8993b09b314aad01207b261184d64d84b0feab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
73a4b5f996bda4efcf00bca49f3a4ef4

SHA1
e43090978eefbe7c217dd2a784191d447bb3cb6a

SHA256
7fbb0a714e42405694185b2be1c71c712937f0916887473e18e37eecbdaeac2c

SHA512
9bd3a681373687cbec4edd1b368e554494262889abf97344207b9b8b6722a7dfd656378056a9cb32fae142aad5dde358a1f788ea50698f39bf2d7f21ec8e3f98

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
167808647430b52f2b64a7fbc773414e

SHA1
39a247dd8a256220f05241e4e98037049808fc65

SHA256
72b5e8d4b1865ee81e7fbbd672d1b376ecb28a5d2faf788c88e972980e39fc3a

SHA512
92f75d120edc7dd86d8aae35a465cb15a4ffbb9e9a95d8899c64763e77710a041a5ec8ce7a9162f344081b64a2bcfd3ba5f56ef8183e7cf0a6cd804497aa31c2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
00280ef2504f0bc9651ee8381a9e2714

SHA1
8544a43ec1bc066217729239e22269dc40315bbb

SHA256
d045604103a708d187f3d81d68c58fc17e8017c0b521973f1e3290e3ec368929

SHA512
b7555eb8b7e802365f9276a1ea062113709be74a4109b37718ecc67b7220e4cc700bb6f1ffbad2aafe84156df0d241ab63389b167fc4d6db9fdcd8f91e5e4aff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4e5579e4f4f80fa4f3d209eddce9e15a

SHA1
b2ddfbc88b3696a76dcf02a1244fd6588ceb2a70

SHA256
3f1de4ed0189862ff7ee32abea1240ef296a173ac094117aa6042be8b46c2441

SHA512
098abd91a4709393b77d9c7eed6382f3190709306c2871c63af43bdfc5c5f9a7cc62bac5db1946a56060a261cb62911471d5d7eaab3be2a9f7a3ead9ee347c9c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6f77535431b620282257de39acc2ab6b

SHA1
193915bef143e100a44a7976cca499746cf55131

SHA256
5e9b08ebd99a0c1514d1ae026e4ffa0695c744010be396aae014edd2ff8532f0

SHA512
aa1da76070ff1c00bfd20189f15ba206d9750b98c54617391322d0b87de42885288f1d8c6262a4a7921a2694e4829e8b9c898f6817927efcc5f467b8482ddae2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
20fb1ebf7a1c174e518cf266cc38c909

SHA1
72231cd625f3f75f0aaa9bf56ff172436d27f416

SHA256
c88b44d810dae16cda629c554ce3b4dbe5eedd5cfdeaa1bc9d95946fce943282

SHA512
d215e49411637ead7df09b0744fa65cffc80f9f61318322105ba1a3c7e2dcdac0b67ce0afc954bee0e5617c026f8492082f7e41d91e46af8e3b1ad7c9508318c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c832d008b6c8daaa12375dcb54da4910

SHA1
64bf9f9705baa50eab98225ee55393618cf71634

SHA256
b6a97a8af7092e792924c94df7f1c14db9b93b15be129aad08c52926e30f8151

SHA512
8c1c68bf123994ffbf2ae0aa851cf9c8235255758ef7c5ec139a3e93257d40d7f62d137061f1d0e46f4370f244f10b070079b42336e794f5959083dd039c15be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
293fc8a184eb814fb7349e55608560cd

SHA1
02a27ca8113fc74ce50c0cf25198908a42dd9fb4

SHA256
f7abfb2542c9f7b10bc932955df9a531b0ae8e43626fd0dde2800e48232f5a9e

SHA512
b52f236e1ee75e6d5f09e2169f74a81a57fc568f0a6ddc43a198ecb3f7c7963b400ac679d06a7dcc26e5948cdd8f381ef58960f29906b249ed33f7d8de6a4e92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
432170e5015e6fb6bba0780b6b22fa54

SHA1
01956eadfc90b95e718c3a78897c65752cede36b

SHA256
b41f3e6218e3add3a831656f0ac39a76cd64d6aadd0c61ee6a86f604c0d3040c

SHA512
208fd084c13cb9fb272f96f47c067403c88886d30aee807a50c587b52fdf759ca0b95718b103bb1dea0d3bdb3413a2187b79f1aacc143ab45e88303daa13851d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2f60df6dad4e1f9704b322898413b5cc

SHA1
703fbc8f975e1029d15789056460761ab376b526

SHA256
c85d2cade42e65f7fae3567dea7e1da563986e44e62460033421eb3047d103f1

SHA512
d4eacdb606f11e4150dc0fa111c1a3c4cd9090525561787536dd5d2f361be89ec83219dd691b09ada4db3e365211f110fcf65d78c95445b9ef5f9c8fc50fcc17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
54a9d5d5ce4b7d1a54f06f369f3bfcb0

SHA1
5e68e70cc7840538a3074aa1564eb5fdde37f5ef

SHA256
87eeccb27167d325e54320ad8c13b0fdf1cb4d70ab02c11ab7cb7e3b26c8c6c6

SHA512
e2f8e39ce8041180ea166cd1e898b1b2e92bc916781ade5f2304b43663515a295036c3060c2a085368345df7386fb55980c5306a1c78aa3704dfab33fa8d730a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
6dd1724f33a833b0575bb1a0c0cbfd13

SHA1
326f88ef9e6080fb231ceca4ad690646439ea601

SHA256
c67e4d1f7e5f07af3b12a1bc89d6f83e38572fb87f1d5001f3c58fff7c309ff1

SHA512
1597cc73788ddefa21ebcc2a366304a57547376e77be9d9ac29cb5329f458c8f6b17d25a6f9f034583fd359559101574ea3ea67d78ee85146964d0c85f4c7e0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2601af98248661ceb30712a0b184255c

SHA1
94ebcc371768c7abd3d3f7796c9e5f8dc02261e4

SHA256
147eead64598b93b8165fca9f5cbdfd131bf5f086f36517c374a2c2f1e9f4d6d

SHA512
7bfe9bcd69418ab920218d1bea75bedcba5120fcaab066de2d0bd845bf0cab9893ffabfa0fa736ef281e0777d075bc3e1063512e71d7d7ce501c8ceeb2714e5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7944304590b52d7f33d350ee7ad204c3

SHA1
fa54f18e2a4ea62a74a3b0ab2e0ff517f05da339

SHA256
4d8543c8da0183c694ea5fc53f2c16777eb54371534724aaa6a7d6218b8a056f

SHA512
1a23a9f5900511c1f7bc7e3ee1cfb4e7d3ce3a3a5a71d14eb7c538d8d68b9d65b7f2a22b769966c169f4ab1bc6c7c216c13421cb00c74d816a5854accf72a162

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
48dd0f8b30efa8347ea3e63ed5d1b1df

SHA1
fa2c2e0844b2b7678f667ab0b3086530f2834f95

SHA256
3af7b0354199cec8113e1777434f022f156134a7962254b90b3d036a094f5046

SHA512
96bdcea713b86df585541620c82f1e65b73bdf77970a74c364d229fea418425940df62c42bf9f0f9e2178321bf638fc292f80786c23228c6adfb2490ecd0c362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
971eceb035bdc7c4a14f1aaf11b3eae3

SHA1
88560319313bb122edae0f729f9b14310be53081

SHA256
c6a309c5eb98998cc8454dc601c7019c76b624bf722f6e87466b1a9c9113e8a1

SHA512
99712cc091a440ac26bcae8b60b0fb2ae8481c7a67211a619a3212d70c883a47b05e6725043eb5d6eb87cd502c98218e155956f20b94d6d51f45948ef323fe48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
40d97740fc5a4d007c3b47fe863e6e86

SHA1
41032012d17a237c6301341fc4a5aa71f28a89b4

SHA256
b5f634fac959de215d643eb7b716760edb4545537ea4bc43e44a89a302106059

SHA512
2f36605f260fa460455e7aed48091597656a8836530bc629566fc92a7c7d3fda0eca3a9327402eb1cf152eb81f544742c3c7bb0f37c20af08ef2b58941368b8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2e578e92db0288de552df414b37d0d25

SHA1
140e7c7663c1b43fa856c2bd4bb602ebf9a5c994

SHA256
52ab1553b0ba0beae9ecf5f678a01ca95f8a556163597159964a0321f4c7cc6c

SHA512
dae9f4d15c60c1a8abe21d8e704a1fb4fdeb6f724f7d7b1944f1ccd27db89a19d201c6964417c68d9ac39c59454b74823d720d9f7b6fbc0af992163ce5e36f9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5c8570b1c5635d5d796d03d51b21498a

SHA1
f3dc0b4bb6655ee024e3dee2393e3a0f82c0d774

SHA256
5df2a30c8ebc0600cfb78aedf76f7a244c1ee4ef34f00e7aea5009d8f68d03b6

SHA512
6a508be8e0757d079f43686e2a6b478af7946480286ca767de50c37971b63d8dbaf6496a7f40d110ae331c8f6447a005f27f7a39068f962d784cb5eed0c9a89c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
9cf8f046bd80b1612b5740759efe0d41

SHA1
b890891190c2768f9d23aa4b6099a0bf71465dbe

SHA256
88022da1609844f5331dfb38491603e71daaa13da5f1ae763e5a360e9347b1c0

SHA512
1105fb3bd5985d563b55d52f2a3b0dfe7d900233f3cf910c2a05872db44eab48f6bac40c46cd3b02d2bb1fed33601bd9fa1df38b83534f9ecbe5c06c6212a682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2438917667cb84b3182866c63e0d9cc5

SHA1
3b314d07fba5fe3b418c0bc9ce619320b158fa20

SHA256
7fe28283e200e06aeed67e3524a41321d12f2d63f78dafcf94a8a8a6f872d2b9

SHA512
b6f927f85a896c227e606c72a5386a9143d1cd6f8122616114e90dcf0119aaf43b330ca0a5190ddf4e29d587be8b00a4942f4882478c7bff07462291f3aa15da

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4600e8084ba80f1684d652d1feec7516

SHA1
958d5d86f8fdadfd44f0268856f7ef8053b45a93

SHA256
49eecbd5bcfc68722abbea0ce0a4459a9277e950fb077e40eb50c0b005cc99a8

SHA512
5616771bcf1b98243f682671d77bce5d029dcfd4fc73e769fa1ba51edd79f2300b305d0aaadb1434c47d34290aacdf159486f23ab4f21cc765e6005e9352623b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a75ebe6c0981c338559eba3b34e27095

SHA1
3c9f39705f04f91f6c904df2e753fb771420319c

SHA256
b5c3124258ce5bf93112d021ef13c6b506d7438941299c653873e2aac70fe1fb

SHA512
f5a0e0aa7eefd23e2fa30868c8695c5c403d91b9958111018eebffe9deb7ec7d9d4f22442d47851e3df3d5745f7eb0b6cf00da2b118689ccfe4589d7d2fa2cc3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5de41d261de236aa4e7dce130f0ab521

SHA1
085277fd71ecf2492e79f250157750eaf3a1ef6b

SHA256
307daa34630320407b541ec386289e7d65c896cd66e451ce09d4cd21b4993ff6

SHA512
6d86861a90d8ef17361a8ae203c55b30db00ad55c3c6953b08a1cb53b18b52dea810afbe87930112ccb83940e917607ecb9497191fdf4d4d9925e6b9d8fd3813

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c03263e44944ce18592bb05167af7c97

SHA1
a914a5392a0bd87fa92fcc33a1959f731ed07f57

SHA256
2121027af0c3f7c3de7a87c8476e240d95c546588e2469601793b04df58b7ae9

SHA512
d4c3fe376b8f5855889d2d795df375885b19b150afbe6ad11fe9d28c08f562f0e677fb619253d5604d08404c6119371652f7efb02fb01d71243c6804a9947121

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
adb9b9f70727e87259f3856da193e4fc

SHA1
829d6909424bf4dcb1424c0c56652c62f7954189

SHA256
a8e2e6707b11bd7ef8127308d811b03bfa094fb992cd70e5b20628310d2cadf6

SHA512
bd5125d774c6967a919044d9b752e13701bff3c8f6bfd38cc743c330517a4cccffe092812ed32136f8e6515f1efb16ac327bd5c985d2cf6c3469889aaf56915d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d331e27eda0f8954bbed8188866a874

SHA1
cbb78ce51bdb803a18a1e78b93f0266c22111ad5

SHA256
152cf94b1eb524f553fe80655864182b1340666e10587e6595adbac0f0914afe

SHA512
d5a339204dce6059d0ad801452751354e88518469c5921a14e851f827eaa8defd416a5f155fa0495a900dc4c21611f413fbae27d0deeb233e2e7d0c3316293f3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
94d68ea4d39d39463e7cda7a2a13fe15

SHA1
1b1f323b2ae2c7e2c05438505bf4ec9b79a1f110

SHA256
68e09aedfd4263347de09ea3f9d0745204227e10fa1ed564fa118262bc1cedde

SHA512
4400a5ff8e43a65c38b9364062ef3e2b210ef0e844e934e9582a16a616f4003a951ab82af7199da9ae5017b6095f37fa259702d3f22870885e7ef70a718125c4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
aeaeff8f8a029bfd7b6da0f473630586

SHA1
98c31a5169c1a7b8850228d68bcb76486dc91c31

SHA256
f1e152c68827f6d276b25d375aa5c18919e3b0c70ef5d5efb37722c873106ff8

SHA512
6109503d8d2336b118e5c0f7da876026187585f9116dfb0f996772c00b8157cb27f64de6373cecb616b7a923c718274c14696c6f595d0cd3acd1214cc4c01f99

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d6b3bbee425f5efa68a9985e213b2411

SHA1
4d01c2194497ec745771c65a2bc15c68eee04d3b

SHA256
4cf4fd70f2e7b77bcd4731c25103cd828900ef5cf88059ed5b8beaed3ec2f2d4

SHA512
f22c124f8ab078b7a329b93c9b28afdd9634f422ad487efe27777cf449a9ffde6da602b0deca4d0810581a5a3bc9e890e0826bfecde930c7a6d87697b06a5218

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d79ef081f09fca63dde033dbbad84ab1

SHA1
b2e55f16c1232287ddd6d4c26adb1a9966ea47ba

SHA256
7c0e920ca6fca04ed46cfedab631e51ee3554f52b6cb77f1da7abea925cc6bb4

SHA512
20497c6428c771cf77af6f7f8cec9f3ed3e17eec9de47cce700ffe041ca384a258714a325fdc1fbf23f25f08ade089f156e26f75b7dae28b146ff50cc15d90a0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
57f70a49e69d9b9c180ebd7d526b9ccd

SHA1
5bf79c65ff3bb8b3e2449f7c9291462e0fd4ce67

SHA256
d39a0b388254e59c19227a25d2ec311f636a598edc7ac9709c9ae48d9cf77a7b

SHA512
e7c2d61413a54a4fe30ef3159c5743c526456e9db7f89fcf0778f21a012f1ad092afe31b0a03862e93aa205c138492d227452a5e64eddccb599793f01ee76379

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
418b7dad111c3bd6caac3f78b0b3578e

SHA1
b2c6d7c4f8ee3bc3c09b856b453fefadfe649f34

SHA256
9fd0d632d50008c8583e042ccef92e63ec7cfb75c86e16a53db283fd6b1bfba6

SHA512
a1b5a9c638060ad03824929402fae7e004d48d18650746b5ee91b4a983aa699053072e67cda990fc5f5d324b69f908ba809c3238d1cb785878b64e285933b979

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2df937041d2239b92298970d72919d50

SHA1
8c2002b00c2924670b83c5f97258b6bffcb3fdfb

SHA256
14e3d94f8e8128439baff53e74eedf1a828d37df6b8e0bc36cdc6e774b8b2ba6

SHA512
5b21ac87ba0c330bffa0a0a022e0fc99ef46fb8ae49baa94b4dc989eb793e8deff41cf214fa00128b291ae76f12edca507fa109223d8e503494c517b6d68c8e6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
007f1cfe57b09b1f4199a7fcb9961737

SHA1
3cf75584ec5e4de41a10e697dd161b3827f33844

SHA256
795e2aafb7c966a0edf5d653e140e1ac0375c99fbf51a0ce4fcd858db6a4a55d

SHA512
20a1494fddcc8460a506741901ba6a40c17c10a38d6b88cb9b872f720e921a9d8f3cc732aaa705176b73c6bc275c142960f53f13932529009f464f664e50735b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6ca3d2189dcd093eda2e8a9dce111da1

SHA1
2ffea2841ea6c8f00f83c1dc12557f9556457137

SHA256
21330c9e60f30d40214ef9e0dce7338d0c3deb26a36a6f0ebe64fd1fceff36a1

SHA512
243cfbb006a8414b3e92b227ce788440cdda53fe38cd7bc4f61f279687d4c6c0516df54ff402b5628d1d59104304b04245aab6203821d9206471beaa295884b6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c6b2af72f7357431daac2ac22d508d9c

SHA1
c4ada317c97771bd387a11c566fb43b3ccec5268

SHA256
ce56e3269da7d45267dac39f89526fe11fe83481e86ae18bff47c3c53ac5520d

SHA512
50223ba0556ff9a1450195e43dbfd520e2145d9209c3e72d0bf276067d163bd1ebd9f746b13a2e0534348ca9062df7bb16b081f834c1936dc888c416d7089c5d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
e41ec606cf8def21c2450047ac6ee5de

SHA1
8d9861c41c53100dd7cd31a48cd6d167a284ef01

SHA256
f16902f1788f4f2c82b78528e003e9994ac46d009400ed72df9d2a67dc39f474

SHA512
b0ecf046014eec96dc521a1e6d141b2382c6756a7b280824b24d56a396d8c2ea031a31758b000c8c27607049c8ca1f908d7c060a504b95766bad3dbfcce2ea0c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
68ff0324204a74558a6fa08c14854925

SHA1
33523e9d484f164d471230671d4041334e161a30

SHA256
f418e6c939096b3eb5b4fc784d8043ec9d25190897dcb2af1eaaafeb919964b7

SHA512
ea0d52787e5991bae18ae635efc58cc58278ce276208fd046dad1889b19d0d36fae919beeb01f7b6c573ed2da14b8bd42afcf0fff9d699604943dabaaf8a72f5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
80333b7789f1eb1e56b4b65a97e07502

SHA1
1c66870b25d5a427f59dacdb4e15822a3a9d81f3

SHA256
06f57ed05555fd51736b48c4012ab698028682cf716bbf32ae4d29789c51c008

SHA512
eae95c23d06b23654b238b2da64b25fa1a1b8fa92c57dcaae711a6c28be89028fdbd233b2c074504ffb46ecfdf2dcd19629c7dacb33ec571211a35094f7f73db

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
00f7ed60fb42c010e40ed6b3bd368f29

SHA1
122f6ad6d8a896b1c74062b21ef3f9e039204a9a

SHA256
7ba2a99f2e55aa1039756a566c73ac200e20c62fda7a5743da9d4b8f7e7064d8

SHA512
faf6abb97697de9613536dd7cc9cbe2946c1fc45a29b72da574314be14ce634d4f539176134cf0a83749f242523730158908283a82a0bc9c12be4a2a62c803ca

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
21a269e379fea8bb37ae1f5181187abe

SHA1
02de6db7b5fa3586ad027917ce309d46bd2bd92b

SHA256
80634d3ec56db9fab2b40fcaeddd458a3eefc815d4befbaca3bb0fe4da2b7042

SHA512
f3bb30c2ee9f3d4e56f73c896a9a20a6c623a6d604cf011911368c49b1d6c9e06af076e2370f958722aecf93d134ecc52e602b65376ea6eb632ea944101c71ad

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5c6e3e9da80169d4ce8eb0c3feed8b61

SHA1
cba07d1d118818e64f874f156d74ec894bfd6f11

SHA256
ec5cd614ca905c697bebda6a2c6a5a796067829dfeaf6af295ff918da9e0fdd5

SHA512
5b6e72f153e1a2cbb66944b5b7d1be767a39e187b439bc0822e3478f1d7a8fc3d8af2f00144f67bebd5c136895dc8ff50007691ae2c16c0676d7f5e117cd35b9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a1a893afff9d1ecb734c8a21fcd35f91

SHA1
39cec54a9822c22007507ce2e9db84c7473fdf9b

SHA256
3455e740d842bfd16ce46e20df20797abc69db87a2bb5402278d7a1438889daa

SHA512
ee386cedee2924d61ba6345e44470e354cf8d98b7352868c80445e71d0f22eb4db196b7afbe09bd03d8c13aa4c01fdab6ff1fff4f3c717be5650359826745637

Download Submit
memory/412-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/412-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/412-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/412-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/776-512-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/776-261-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/836-224-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/836-112-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-235-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1364-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1540-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1540-515-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1788-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1788-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1952-508-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2164-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2164-53-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2164-47-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2164-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2196-36-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2196-60-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2196-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2196-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2196-42-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/2468-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2468-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2468-123-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2468-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2600-1-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/2600-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/2600-8-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/2600-98-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/2932-162-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2932-368-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3188-99-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3188-88-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3216-73-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3216-79-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3216-81-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3216-84-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3216-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3420-507-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3420-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3612-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3612-511-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3916-131-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3916-260-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4020-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4020-505-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4232-427-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4892-248-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4892-127-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4984-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4984-485-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4984-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5016-499-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5016-187-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5080-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5080-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5080-25-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5080-130-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download