8823520d43a9e393798af27bfe8a587fe565f7520d0e1adda3ef964a7a20cd83

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Size

1.8MB
MD5

b06fcaf516367cfa8984a0449412993f
SHA1

cf508e0161660bd2b9e80c14f757ce84f6e5615a
SHA256

8823520d43a9e393798af27bfe8a587fe565f7520d0e1adda3ef964a7a20cd83
SHA512

be329ce89f668f0a63b94a37ef58f43885d83613bd78253afadd03c6f9d0167bdb65ff73b6bcad64d876765b358193848e9b72e7b0b532e1f32771d07e4249de
SSDEEP

49152:+E19+ApwXk1QE1RzsEQPaxHNJgDUYmvFur31yAipQCtXxc0H:D93wXmoKYU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1684	alg.exe
1916	DiagnosticsHub.StandardCollector.Service.exe
1960	fxssvc.exe
4044	elevation_service.exe
2116	elevation_service.exe
2652	maintenanceservice.exe
4856	msdtc.exe
928	OSE.EXE
4692	PerceptionSimulationService.exe
852	perfhost.exe
4108	locator.exe
5104	SensorDataService.exe
4100	snmptrap.exe
1796	spectrum.exe
2724	ssh-agent.exe
3320	TieringEngineService.exe
1092	AgentService.exe
1100	vds.exe
1644	vssvc.exe
4932	wbengine.exe
3108	WmiApSrv.exe
4088	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d282b95592be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000956ef4b024a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005535dab024a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3cbccaf24a6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002385c9b024a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac6b8caf24a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Token: SeAuditPrivilege	1960	fxssvc.exe
Token: SeRestorePrivilege	3320	TieringEngineService.exe
Token: SeManageVolumePrivilege	3320	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1092	AgentService.exe
Token: SeBackupPrivilege	1644	vssvc.exe
Token: SeRestorePrivilege	1644	vssvc.exe
Token: SeAuditPrivilege	1644	vssvc.exe
Token: SeBackupPrivilege	4932	wbengine.exe
Token: SeRestorePrivilege	4932	wbengine.exe
Token: SeSecurityPrivilege	4932	wbengine.exe
Token: 33	4088	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4088	SearchIndexer.exe
Token: SeDebugPrivilege	760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Token: SeDebugPrivilege	760	2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
Token: SeDebugPrivilege	1684	alg.exe
Token: SeDebugPrivilege	1684	alg.exe
Token: SeDebugPrivilege	1684	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 3800	4088	SearchIndexer.exe	111
PID 4088 wrote to memory of 3800	4088	SearchIndexer.exe	111
PID 4088 wrote to memory of 4944	4088	SearchIndexer.exe	112
PID 4088 wrote to memory of 4944	4088	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_b06fcaf516367cfa8984a0449412993f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:892

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4856

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1796

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1572

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3800
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4542196abd916cfaf9d8ff939835ae8b

SHA1
e4f3cbe96c22b2b8c0445d4d313b5910c5b398f7

SHA256
20a3e92e48e99ab577837d010c2ea80a4024046700d9922123dc310dcfb6879e

SHA512
7fdc8e19a90cb338c3d4e7cfa9efa29d7096ca59b098370bcac27ba192e3f58c2e607edd52ad93aafc4915e580e33fb19163e4809496c7daf0d0c51fe6b706d4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4e119ec5453135fdb0a8fa26c59b0faa

SHA1
2a52f48858e63801b9df56a1cc26a6c3cdfa8b78

SHA256
fcb8e2fa1dbec9b10d6dc14e3e9cfff79a0d02adad885c7fb08c3991cb7a3dc6

SHA512
cab8baec404ecdda0a358f8976a7f2b8c80531e82a99204a52af1b841e21bdbc045723275c53545be84b1bae815540b3523786fa86b4092b874bee816ef15562

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
289a1bfa76b7462a5c13dc0fd06a5f85

SHA1
ff7dd635d49cdb16f2c1b027f9b9b4d2e7ade211

SHA256
31302cfd6287e53f11e58064f69f77e7ffa8985b3b9a5314c3fbdbf84d1abb16

SHA512
5159f0e531b78be8b7b6e58c6b8e86a9a0a1b5e1a02d5630a71c58c70fb6d3b833218a50d47f5ac69b578090ef7a045213736c3be724fc712cef2a988646b79a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8bc64ac883903d4544d8895e951b5145

SHA1
a0816d2fbd6ef07cee6b2d29d00bc9e547afc13c

SHA256
46189df85b0a61e2c81f30d3abecb1685c147927e5d879b68e494659993a3d79

SHA512
72ab79984c729028df78026901d4bbd437b153708deeae0d72d15f5326352157ba84d4cccefca189aa4ee7de1383cd3d639eb662aa4b02b878df7824bec190e4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8094c97a2faa78163d6e490417f8cfe1

SHA1
e3bec16ab580df0b1ec74645dfcf8de3ae0dfce2

SHA256
4939a15ee45890a4d75c8aa03ba61d35cef2b423add57d3480fc3ab372de0a37

SHA512
131fb06f435d8a0f42c217fdf1e244c4c74382363736f91771b2e4864ad077250fd36c4863bc29661f4eff2dd24053d413e4760e672aace0e7145e42db74cded

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1120d56c7308de5b938145985a6a249c

SHA1
b5780a8e9aed6c7b71c369174e24cccb9c39f8d2

SHA256
348aa595cbeebf6a7bc7b5ce4ef697929eb6777d43e3a19497ba3b5d0b966fea

SHA512
c2655799a1c754a552eaac8121667394650196c79c9345c098e4a4aa29487b7fb958690f2c127706654af9eb58eae817f779372591a9ebed65c05e82e72ed9e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c8e860a8cbe1c9e8b646169dc4df9f49

SHA1
b209f298f918e69cdf2e1ade4cb6b938395270b2

SHA256
8924495126db35225c64701e56eb4d46962ec8308225445a00b186cde8652bf8

SHA512
9ff9be77b06c69651dfad9f89b0bea8ca8e0b226f5053df28cb75c9ee5c0dbcde2f2bd1ab35f14dcd1a86ca8c8640c0978c2a5bb51e9731379b1d4f18f4b3d04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
729a8b3319d8ed0fbbad9ae243bb0dd9

SHA1
3cc5dc02af6f6db60dc531cfce6e5ef3186de145

SHA256
a9ec29bc48eed9649a685f21bbf0232a0986d9eadb24a802a8740071d67cd06a

SHA512
18bd6f0c8b7abedad61aec3d311cb86f1a731d6444cde7b9b7b1b953f05fd63d839b0bb525e6f20822a56e09e7e1d2c3b3e5dd7378ef4e312d45cf7cb45be69a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7fd709cdba0c373f60bb542f4b55615d

SHA1
0db9dc89ffc0f9cc8d319318af997c08750eddf5

SHA256
b22f3f322a05d8629c33a52e593a19aea51a3affada59781a7695d29f7f11684

SHA512
710b1155b4906e3f854b7d6c5d55d2c6c588bee81f7192e01ade126f98712413f3c28579d867be970d6ffc2ddb59626d59a5d7a21c506be6e140ddca7ba6be61

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e5933f0959a7f2e696b3c4250dc02e2d

SHA1
14a7095008b8394c936555edee8759f6de24877d

SHA256
17e21db442381c08b1f46438e6b03dda4efe34a24b36480ea4a8542e76e2e036

SHA512
2988ceac3b4e27c175a476add9eb4ea90e534104061e8119f50cf21c6c94cb1a048a16d964726a8a5afe4d14c63aaa9a576ed85eb4ab5a166d3f7ee8b56412d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e04c304907b6972be5f12b959d99949d

SHA1
54a3121eba22bc5b992e851e64440c41b4acb806

SHA256
e888b3601f31dc356f405cf55acf4450e6e97e4e59784c00cbe649625b0ec749

SHA512
f33034b977c0deebf0dbdf8cbccec689ce00dd5e3f4e0267b65fcbdaaebe9193b8ecde715699e0f31d326a91b1a037b27273535390360ef0b77a86f80c1c484f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c7a2a022fa510a78f311c3b3d9808bc

SHA1
768ca034423fecfd830e89ffdbd66496ad96b729

SHA256
02c421fd4329809d7d4ed9de59ce0df8550c403a6dc5edc15c7aa0d3565a0da9

SHA512
e9d64607f18f2e919d38092cf905e175850021a0e0cdc4cc990ebd9efe1a9070dd0cc43ad1e3167a4f5f847b8f365c5b9affdc70129c0fb5b1cd8028dfc9cbba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1d65f0b1543b81879b57341a5fbf24bd

SHA1
976fb3542b23c5c6e63010ddf23de8e94928249e

SHA256
b6a0b9d8537eca007fb2ca5bb095bea8841d735a606d3e3c2e1278fece4e3adf

SHA512
6e535b8f8e031997c1e690e37f8916d2c48980ccb44fb2abdfa4c09d48eacf7d62dec0b2f95ef564d174fb977ae9ec34a1a77801b88a9a9a1770d5f8c67d0c92

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7f2a092efc363d1fd62eda2b19835589

SHA1
07cddd4d36e301852aaca5e6d22960abd30e5e83

SHA256
715922e16c1ddd68aee668ce77621e15f779e4913a9d84e892d4c1317069efa0

SHA512
3e222a76a52a7e399346fa6b3273263774a7516f13f80e4c6ea2b3238092b4649881a365771bcf37640a45ecc19805cf0893bc85d5340f132fd2f6783e868989

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5c856cda20fcd451d64708cb614f8cb3

SHA1
aa547d482c055b5902f15d2bdb81fc63f9b592c1

SHA256
fd10519273e64661389803f4eb78b9dc325d8c1350ca45f46350348aa7cb203c

SHA512
7627b088a325835989135f632e18c81fcecf9facc129a5d13301a209af5aad329cef738af8063d6c8659ffdfffa46172533c215d375a1ee59bb4909733e3b200

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
71eb1e0e43b9d6a215095c42e33468d4

SHA1
ef226ecb5a8f79f16e30f3b85e5bdf7f34ecc4e6

SHA256
37d350c948f724d5d64b4059beb0217a7987a97d103e2845d5ba39e562710aee

SHA512
168d866acf55f64c1f0253d561c08308ec49719e8ba0e50ae8e40ee6a80b3c46bdcf5418d45f93f2451c11578f086734c81369e8f9dba416b4e0b48f4c79ec25

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8d44b3782577db00a2fcb6be329b2a56

SHA1
cf42ed9d8f53f036056ec784d7913ad2c498df0f

SHA256
ead87f68782a28688f0b6c41f6c341ad0c2252ecedb355bd6f0e89230671faf7

SHA512
3e03090bbe001ad169deda3703f4c131cc53eb63d080362b252b71e6becbb3711e8b59784060d24cc7d2defcd80a49274a4561ba3f80d366c3d771e0e89349a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d58dbb8e0694b2fdd85f02739192716b

SHA1
83ca9bd8446a9141e8abcdff6c0081711aa28e24

SHA256
4873a9d6f5b91aeb756817bb84778b4701f4cdf14c389e6a461e8db25c8cbd12

SHA512
1eca8ee94db5ff6374d8cc677af6b610bcf2f8b20d92b70bc3fdfde8ca22304ec05d248e4c0245529c05d86d6ccdaef024d6243af6ddb955b9fb4eea7fcc72ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7d57c4e368897ea0bd95438ce7419b31

SHA1
fb4c3f0f25c3286c43c69acaf422b249b17aa5e6

SHA256
9ba3d07ad773ae4b6ffdd465a8569a5c7dd1e70f0d8fdba08fc2c76ea1e7498c

SHA512
d03d120f4b886519759631f3667dc335681ddf73714ea7e8b147fd754bcbf67bc98fce10396e2418ce5cf8def6fccece245cc2c3bcb243b67c70d7800230ad60

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e11ea7b3caee576cc90742d67959e15d

SHA1
affd4f62f1ee3f1893101ee3f586443e2e9be257

SHA256
ab3ae114a84eb1393ca2164c13f581f0ead9da13194158169504e5d7e54feba8

SHA512
61300aed448762ef2a1b5bb61bcac4df4f307efe28f08f233b0d31a6a4e9bd523b4a862160370d1fa0febd4ecb8d6aa09161284c4a075f29094a6b30279d0b7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b3b90056fef60a9a652ca9898c19ee57

SHA1
64eab52fd70bb8fbe7d18638fc689b7666a6cb72

SHA256
73585872a0511ec8d3df84399a7e116b1b0c4cfda49627efa2ff10b82fb9cff6

SHA512
f5188c3325831c3ff5f79d7a2855f908b8c7ab14138aa3f7ceca9694454776e9dad5d0551d595859bf75eb352cde6ccd4948b173458db2aab2bd586267467b35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
65e9094957d8ccd133e0be399c6adc40

SHA1
80fccb8fbe9cea48089f6b1abeab42c8a2148e9c

SHA256
c50fbf862a82e530481baad0f450326f0765e4725b3070f7d549765a84ef4fe1

SHA512
8872033ca49fcb453cb1c7765008ed544f8c60364314b4ace27d7e141f0ac837d263e719ae4295f8a1cb299bccce8850c676564c16f3940ab8c4129fbb991dad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
21ba08c56bde9e937a9168e553c16e1a

SHA1
f3b2f46cdecc9705be1358163257f77aa112ed10

SHA256
4b3a6e5c8279c5ab3112ea4c343d47760700a9e1f800fd470bf5ac9cf1faa9c4

SHA512
d57e82eed38cc74f416df44ccd5fad2eeb7fb7fcb140d3d506e8fc6a20c3338683a00512edc1c105fb5c80e58e461bd6232f5d9f57103eb3bd8b49943cb2f826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8666dfc236066edac11395ac12cc6826

SHA1
22136b7090c6e27a1b5dd08d57cf37636ac3a33a

SHA256
a25dc87d398ad0a1a8b0ee937ad1afffe88e150ba8b1dc15deaefa003f7ee0da

SHA512
6cfe049d1e64063648488faaf81fa7fa5067e9bf6e01b43e64cc7e444ea033d7af0eab503c36c6991a4f439e0f3358eca31638f479d7ae357a85cefdd48f5d3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cacb40c58e3d5967fe80047d9b6692b1

SHA1
c675226585a00ebd0b8b8d0ee55d4f5657c12587

SHA256
2b347ea5a7f18f4a45467155a74e6bbfc7a4aeec3ccaee5233f6ab38e18e54ba

SHA512
f35acf3f9737867a6f9ee45382825e5157f712aac073c6d7cd1d372f50063e757e8d95a4a251bb9bfbd9f4d6aa934e7254ed041bc882443cd0d29297b79b4a07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f5e96c70cdf4496195c376ade361a9e9

SHA1
9f6c786cdf647287b3c6fe8abe96fa3774597a2c

SHA256
2cb6e4396389ed436146e08036f08bd762e72ad148cd0896c2e91f38a1ec24a0

SHA512
028767c0bd1088da1938f0dbc2b1f76396a32f61c80a3224e55e52dc3532b572106b63cf826903d7e01d2f30080e8add0a5d8049645e28d7ecb0b63638143f21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bd1ee089a83bc61ea869c113b7b61d0e

SHA1
e7a54baebf01411e20d2b3af53d066be22e377c5

SHA256
b86050b14593b0132935b8346e91b3558b0abab9291cd5a5a7c7b6701e43074c

SHA512
ec11a25192d129882e396f4def02a9663ec7a29f6686017fb547b06755c70dcd808c44ddd10ff7ce91d0deea787ffb2eae2d178ff7d84c1531bc4fd184f73055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b6248c6ad7ef216c8c3f696ef3a625a5

SHA1
35477937c2c301b379d6f6ad5209ee970720a7af

SHA256
b49cd46f228811c4099cd470644684dbf306138d33687be9d49ce92771ee0b12

SHA512
349e204cbd19a35182ddf3f71bb3cd37b12b2e54cd0406f6824c020d8ec457f27fbac664cc3b0d79d127ab79f1782efc789df12aa3b9511a50b474a9a5603596

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9e016b6f3ece3c31432378c011f5f55c

SHA1
85095abec379d85f6e4d999e7e8603abd709de29

SHA256
f81f5316766a776a8e6f31a0c681088218d1e9ce3a2f7ca2420ac17dd208b0ac

SHA512
4f7a2ec41e503ba8a71f64ebe265554c772d65b17b2da20c8057956f37b8e8a1be0fceef042bc0cd140d425390f214dddc09ecb31c8487d15ac7b62fe4876956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c1f42a5d7f25433706a4efb7753d8263

SHA1
f0271ba27c8f77faa0bf5ed79e20dad1985ce2d0

SHA256
d1c4b5e82fa47f3f401bf56ac2719b5bdd96eaf053a32d416e680508bc09d889

SHA512
7460d10c0eb58926e16bc296c86b77b855a663efebcb09463ec6db94dfb075d51aedbb6e37646d5d01d4df7ccd297ea20d1af00ee33aa1e550175203c80f13d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ccc12d4105753347167e22add16a662c

SHA1
2b0bec388648d1dfa8af6d473c40e2f2798087de

SHA256
36e23435602243d0da2f4b1f2b7843df26b25ee03edec783409e7c3442a192c6

SHA512
5d848b070cb96fdb21c999cdaab107d2bf1c2b24b25306cdcbad9f51a5fa7968b2fe84bc82309e32848e6aea6c53dffc26a4d9bdd7db6b8b9616cb1439d0f469

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
31b463ebc576278c062f3fa26779f68e

SHA1
83478883db8b60d79fab89bf24806eeae269012b

SHA256
e332e7a39585f7707e72ec2cf1090f8edc4a0e23a1773a6f677736b83bca2697

SHA512
070102585c42a26410af5a645d80f6a28580f3171731eb80879b6a1d9b564d73676fabaa5e6e02153f8d51950f89997bb1e1d9e753fd84c496da41a3490e0e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a921cb49ce8ca58b8fe89e1a8b92652a

SHA1
b2742a7d8fb5907de1d9e6ff4c891f8152198263

SHA256
882ce315ea53dff478193d0eff015c5c2b699c4caa6edd02a1e61aa90948c4dd

SHA512
617bd5daafb25575bbd3846d223c7c237afdb1a05d964ac3ee225a164d83366951ab0db21a5ad36ad27d7a6ede42ed723c89a74e981d666222172858eb3b5fc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e782fbbf2aea7b7abde5c0b4da57f4fc

SHA1
8c659b2a6108e5eb823526a9c7d8a3859c0250b0

SHA256
d855386282a0988e7a6664468d0fead172c5d81ab77b496961728a03aea4ee3d

SHA512
f5cf059141cb5cea42606114613773575d7965cecf39d0a15a753104e7b629540e02bb4420dc8935042e80e42bb94412ac31ba14ec652ca23f7eb03c40559a8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e889f4e64b84576d55875d30cd6b1d33

SHA1
3ead05a3904ad3645d089f06b0d2bd1325f325c4

SHA256
7682d0f3260d5a979e2f6b649178da63bca8cd52eaeed9219e91c754998777a4

SHA512
66022682b534b9606ec8db01231e411efd4669e456e12373c7729ff84f0a0e5356d476e18090ef38d67708734ad8da05b23c2a1b6c28cb35a8563087a5a6b6ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
37628ce147455e5195c4e2e905ca4bd1

SHA1
f28d0619130395061f63af6981af3f1ff62f3dd9

SHA256
4c30eb10fbdd0c023e8031aa67d8400a437a3d31b3ed6f2a1afc722c39378fe3

SHA512
af1a230b2e979f84618720b6c46fe6d813675cc0a73c517c92af933e2508f37d2707a9d61d1b2cfad8aeeab292ccdf77f60fe461ef7a5735de9af93655ba7a51

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7714a1408d60da713cb02d7d481b204b

SHA1
6affe8b7637becc19d0e6bdc0031072e598b3812

SHA256
9a0f69b7d1f66ac4759d76b4a3b59be604f18bf36aedadc1ef3975c815a0c561

SHA512
d8a35877745c6bbf9db192188c6c6ad1db2fb90fac393833445b12fe32c0ad554768477c00c068b420e901f10eebfd7e8c20bf9c2c1bc2cd9af324b20c4c4121

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1df48193be5f16fc089d0a643596c476

SHA1
65458b5314e28897d730c2b0b0b62a9be2bebeb9

SHA256
348d86833c7686b3fd965f18b489531dc07d6bb44ab9b76fd88b9f689554f74a

SHA512
6162857d48f3503e9c3a5ce47618b68fe159990e06d4b488fe4e7cc5d6e9fc1912f0876b3fcffc10bfd6c1429074ae7a958ebab7b14dc597d6862b8d3a404b32

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
693afddb5505705713ddab654c233b81

SHA1
a7edda0ad692434847950e27f076b083c27f8c94

SHA256
7756e7fa0d6daf4f63f515bb2eba755b138e2bc4bf237b205ad8cc37d015bb0f

SHA512
e91e5cdbdbddad04154ae2dcf932e7177fea7530ec196c19d535f937e16fc596872f9b76d09da7927494cf646372b25c36a699f1323dcdf48b57c314bfa6b0a8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
106a584ce7aaee5d649977d3499fb719

SHA1
490f72867ed1365272f4dd994617ab8d809dd981

SHA256
614c459a7fe18d36f531b4a0934893f0a6e9ffa6917c3317dd5b2ae243be4d9b

SHA512
1b8654a68a3f404ecc9d02e5fe5a1559bd6e469d5de5c5dc9e7c95df081527034b420afd5a2790e14f9ad3252cdf2461d6b8cccdd717e3edab8b4408d69f4a51

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f36825c6073b9a6591d350dda502084

SHA1
245ba6e1dae82bb1cee1c12f3dc0baef5ddab134

SHA256
10556823424197eae7fed85ec78b21ae03ab18244392c6fa84c2f34e47186474

SHA512
6e0d5703cec342dd382c75723ecaac74aa79063b4fd4b116c932fa41a7b2c5b3a46b788b44d183512c84d79e5b4aa35cbc722bec347d924e60e8aae707ae813d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
62ead65d783edf06c745351e228afef3

SHA1
29eb339a7dc3e90dcdd6a064e9e2d862a88ce824

SHA256
7e4069c985883398117c38ce605212f9cc287e326f380885f8dd3ffa94f6b7cf

SHA512
90551a6af1e5c51126c506dba6d184b68d7a02fea955559de075c6f038ab6e6287c50c43914d8c29f4c92379ec89a0f58a63a0df36dd47e314067b4f287e80b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3e89fbd04279ca049715efea8e0a66b9

SHA1
e3d7f91ce48578109c822c83a692aedd459e0808

SHA256
33ac93a642df023bbafab30d6bea95835c12206d4c9baa5f8d1a08b59446b291

SHA512
dbfd0771de3f1d4bdfae285d7bcc55d031ce38ad090a55bc360e72eebf4081e20dfde310bca30f355ec1ae01d1664ae3d24f9238fb37a69d97c30a9b09550b19

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
60176b9268ef2a06309cf37a555cfc0f

SHA1
25b0e42bb726707bd82b6655028904502bb6139d

SHA256
34cdb810dfaceed87eadfbdf57f98ccf1de3c32fa8745f9b77df9d9bcfb09057

SHA512
735f70d5dcb839ced5b26a6d0cb86ae4705f5ca55c82c40e3d3ff7871dde452a3f061b7c07d59b1b0ebb7203e5a540ed6652c9cefcdb8e1ed54286c400c4c7ed

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b7d62f416f03d52e91cf1a68e74ccefd

SHA1
b7c7a4598e51ef467c6d51a67543114e6d746b05

SHA256
96e8d89236bfcf9306a16421742ab7ace4e7a15e56eaa57e17643704562135b7

SHA512
d7178d84ab3624486e9078d585d8beaba865f38a12c66baa0709e741b32df9019588eee3d37026e95b6bfb1fe35e5b939943a333136ee260ed89881a4d02a5c3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
baf0eec6b8c5b0f8c9d74c6da4dce059

SHA1
3340dbc0b6a7f1f21ee9fb376894aed21b12325d

SHA256
4979627fc3806bb4b3c11c9d68ee9cff0c843ce1ad2df0048d243a7174205911

SHA512
a0e07ea1437d35b795592dd108afb4956f72b63b6495571345b7b7847fb33b6275c9a8fbc322db6ea65942634d836876c73fdb5b58bcb848dbafc615365c8065

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c440ee984fdaf6d1bf7c4abec1e560c7

SHA1
43468dbc910d5b76c7c327389418d4b7685b9ba3

SHA256
a5b89233347596ffd8aaa70def301e1f3b03872e3c5be466f64228b28ebd2dfe

SHA512
72eee9c0a6fe2a425c315577e56af2c610577d29e85b0df2e13624e2bc2e7804bb974d325a8f86374bafb32ee185e7d2a3dac8c5c51466ff1869468bb35b036c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2b1fb5357c29ccf615191f3a1aa62039

SHA1
df884897748a958b4a7666bdaefe254e10ceebc0

SHA256
eea9328126efd43ceac992a4cdfea159443b15c97b6840a6ddf85ecaaa7178a4

SHA512
9b431970ef07a55570ced609ff285a2d154e8888e9393f6dcbfd3fc2c1793e53230a7acb24d53b7e194a5dc6703fdc2a79f243bf35a7daec1737f51b23bb6d09

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
192ed285c601133e965b89dd4bbca9ff

SHA1
6db866549087fb492060144c7b479afa24b2354a

SHA256
e9b8b40f7610e9d921174c71f8555d3bb4f503cda4f86fb71f68b1416aedea85

SHA512
778e0fb7db3cab38f890cf7b5ccca23b742f31cce66209f410e06952bf59aa065aed4d67c8ad80b005126fbb4b3a05b09397bf123e39423e52a52b0ed5d39ea8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0cf252c19911fdca2c9bf6f3eb43277d

SHA1
2e873f5006ece3b7b24bc6446ae67a0dcf611b67

SHA256
88364047e703d5c7cbd8ab68748e77be9fe0bcb06d10e1da5dc529ec77af1850

SHA512
a1a1b430eb6065bcc484df2012f1225e04e97dd421915bcf75aef2a540eb6bc4340b94d19451fcd3298277b35c5cf63ec7fb43f47f097dbc27a4c91bf1618195

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bee9f7b1cd5c432cf27cc6ef43aae060

SHA1
81718648b65f290bc34fa1026b797e56a8080ccd

SHA256
46f481d5359d1fd617099914ac7dec85e3dd49b1d20169e72fe32703b386e4f3

SHA512
19e8daf3098901ae10b9b564cc667405598c48be92b62dfe4c3fa869903a9b50ce816af9951ac0b58e25e7d64b02c644d16522e664d9bc1106e14499428d565c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
afd1b765b9f67a86ff60494ee759d122

SHA1
bd6bde4dc1a9d48248403755738627a758fcd4e6

SHA256
d269281269b64592f71fa1056072c1e6b63b981046b5951ada501546b1fbd0ec

SHA512
6ac6ef2d7f1fe6cde779bc0a42a1a5999efa36530ef2bc4f2fde8637174b4be21f925e47f01b8c9cd7bbf71177a67dd088def646de4754c40702f5f851b76ca5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1c7790c131ee18a1435dd2b07dd671ca

SHA1
0e5df99d247bcd219c8a211ae6b12d0f78bbb8d0

SHA256
f66db2a495e9bedb4b6eb1fb5759193222dd1b18601f957b5c84a3550c9cd1ba

SHA512
5f8d54af2d3d8afd9ad7514959fdbe6a1a5916effe2360288928757c4d6bcf9cc9fd3671222f9bff710d48122f1328053441b0db1dd4a5e5555eb458834b7122

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
799658e12aadb68a0ffdaae496864d39

SHA1
711bd4481cd6c5c700917cccc18011e0b958829a

SHA256
4a02d452a2008a52898085f6b6f8df6c908923507f16d3aff82c8e1e65670e82

SHA512
85afbad55afbba144278ea918f007d8baee98e60aea92a0613652c58d3bb624e46bece218b4e07cfc1e84e7ea200a2e2ce348b0de68d10ab1ead842fda03e526

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1d6b4dafc51af0bdb561c1680665de08

SHA1
83b082a0631615fa4f2aec2195eb1d88d9c5b898

SHA256
a8e3fdf6b30e701b9c3c705bf5858b28f54d23dd87cdd010e497d8d3d22c32d3

SHA512
0e5532b535622ebb762ef63202da532bd736d1beebf7b7631ff7908a2f375a499b8507e149d2cf2cd7463cf71cfa08e21417b5b573b34241ca0fe533f575b067

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f1f9422599ff064a39fc494cf2a3f4cb

SHA1
f8868d772b3d9c61712c62434d6001d4ba4d3212

SHA256
681f61842623d3a9245f47cc6412566d404e63a789c47381407e2c5a99d6ecdf

SHA512
8a55dd5c796107b05930118e9b009bb1f174846dc06fbf4a14598a0ad9ca97bf39d480c54e32b1e5a86b9a0a239b729926cc8737e7a50f417193ec3fcfbfd104

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5d13c767e5ba7148688f7478405dbc3f

SHA1
183ef92afc9be1239338aac4fa2ea6dc6df786a5

SHA256
d228c18953d7a1b689185cddffff05fe75beba02f993e056770973452854e21d

SHA512
84e15349ae8edbf2e315e6a825546006c8dc2c5e4d2fff6012bfc3034aea28d1f810fa747446096e087613c44c12a488c1644d83b64c273d3061fb8616e83b39

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ec4807a36708b8b5517efeda531efd49

SHA1
23dfb1cfed60630b07ac21b157e5b391f59ddb42

SHA256
f02d67169e99f16f404067ad9663b3954dcea6951b728de48bf87ae60f547ed1

SHA512
0f023ff2741be573b001ba7eec81fbb5de803b1593fc043fe9d58ae2de2844f4e3c99823ea4448cb145793af1dac32d652a8dfc558cf65e8bc9045900d7eb2bd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fc74a9aec0e37190e217f3b0de5b1202

SHA1
1209dbb1c16992a707ae54b5dd9845f67e9645dd

SHA256
67c22c10900c18eacb0edf3f1358fb27b796c7f7491ab24f796d8ed824654a77

SHA512
39958af0477218144fbc96a197c4b75160b5b37750a3d1f0ff3c13476303591dae570243e52c5150ea4dd200e04aa4bdc68f408ff3aff4b461dafcba7223ee28

Download Submit
memory/760-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/760-72-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/760-1-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/760-6-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/852-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/852-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/928-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/928-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1092-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1092-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1100-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1100-662-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1644-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1644-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1684-11-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1684-88-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1684-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1684-20-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1796-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1796-542-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1916-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1916-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1916-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1916-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1960-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1960-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1960-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1960-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1960-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2116-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2116-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2116-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2116-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2652-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2652-79-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2652-73-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2652-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2724-655-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2724-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3108-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3108-667-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3320-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3320-661-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4044-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4044-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4044-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4044-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4088-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4088-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4100-452-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4100-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4108-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4108-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4692-243-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4692-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4856-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4856-90-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4856-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4932-255-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4932-666-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5104-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5104-658-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download