e553c3ae185d8b0b437fc5aaf8db94b54033949b1a2846b900a5242b076d7365

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Size

1.8MB
MD5

497fcd989d72d639251cf89ed46c728b
SHA1

a7f94a9d0b4beedc5a8f00357dcfdff0e2eb5bc4
SHA256

e553c3ae185d8b0b437fc5aaf8db94b54033949b1a2846b900a5242b076d7365
SHA512

62ec0d8f4aa41160f73d48212ea1d3d8274c01a345438e433438d9db4d65f63d35088463bbc89f915f83b91fa6eca607241f0be065e9cae5b858629884f68f4f
SSDEEP

49152:2E19+ApwXk1QE1RzsEQPaxHNPs7YSLTQYWkK2/:b93wXmoKcJ3rL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1368	alg.exe
4572	DiagnosticsHub.StandardCollector.Service.exe
2308	fxssvc.exe
3708	elevation_service.exe
4676	elevation_service.exe
3168	maintenanceservice.exe
1532	msdtc.exe
4856	OSE.EXE
3928	PerceptionSimulationService.exe
408	perfhost.exe
1012	locator.exe
2172	SensorDataService.exe
3144	snmptrap.exe
908	spectrum.exe
4588	ssh-agent.exe
3224	TieringEngineService.exe
4336	AgentService.exe
4036	vds.exe
2156	vssvc.exe
684	wbengine.exe
3900	WmiApSrv.exe
3308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f85de27c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000279cac32e6aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad700233e6aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047b0a032e6aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043a75a33e6aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb6c5f33e6aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Token: SeAuditPrivilege	2308	fxssvc.exe
Token: SeRestorePrivilege	3224	TieringEngineService.exe
Token: SeManageVolumePrivilege	3224	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4336	AgentService.exe
Token: SeBackupPrivilege	2156	vssvc.exe
Token: SeRestorePrivilege	2156	vssvc.exe
Token: SeAuditPrivilege	2156	vssvc.exe
Token: SeBackupPrivilege	684	wbengine.exe
Token: SeRestorePrivilege	684	wbengine.exe
Token: SeSecurityPrivilege	684	wbengine.exe
Token: 33	3308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3308	SearchIndexer.exe
Token: SeDebugPrivilege	392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Token: SeDebugPrivilege	392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Token: SeDebugPrivilege	392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Token: SeDebugPrivilege	392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Token: SeDebugPrivilege	392	2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
Token: SeDebugPrivilege	1368	alg.exe
Token: SeDebugPrivilege	1368	alg.exe
Token: SeDebugPrivilege	1368	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4452	3308	SearchIndexer.exe	111
PID 3308 wrote to memory of 4452	3308	SearchIndexer.exe	111
PID 3308 wrote to memory of 3344	3308	SearchIndexer.exe	112
PID 3308 wrote to memory of 3344	3308	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_497fcd989d72d639251cf89ed46c728b_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2424

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4452
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b9b1da27545a8e0a51fefc63af3d2e65

SHA1
efc939cf5a0a52837ab91a85906fa1fddd1f11a9

SHA256
2f226883beff22b344fb3878cbc3a56b4a418166d5d6302a982a4f7c2e7d9945

SHA512
a3dfe70e8e83c573c55a8ac270d24fd0771474b9a2af7dc2cdc383c9bdb5af61eaa6ce107aec43d85b1ad1177255c5b768d265f9e4ca8faab2e494fc6c2ddb0c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
785f1f50495071624cc3692eb34f7379

SHA1
3c303d87a98ae0056e5905af688a65ac044dee2a

SHA256
61332e543552660fc2e7ac8e9e14f425106d7ea9383d580f6f30d1e48781d52e

SHA512
fa7d07737887727f037e88733951e7c3621402b2326e1b02de624d35bdb81b69cd05f744ede13132e5a577f6c70d5e6f6abe76eb4b8b6f3ef32c731e17f92560

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2ebc4d3583d35f42a0c819faa3695ad1

SHA1
86968f06896e76c7cf23be997b97f5480e9cc79d

SHA256
e9849872b7fd6640ca59d18bbff5d40582002984bf10f91dd9af2f39bdb3cac5

SHA512
98bbdab8ab7e681a22854a192cd00c959e5244a927291a83a60323a8f2b9379b5a582da25b4b69e1f32583dc0a1f334d47c7f0d449144fb3f5ebf69eed001662

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1d545efd37348bba42834e4e54ab5ab1

SHA1
874d3d52f13e8c2a399f6530d6ece9af0fd4bfb5

SHA256
5cba09852b23857e7a3d807000bf4b8ae4063632054a65944d645ff968b7afd8

SHA512
e54fe6115eb3cfcf0ab5a011d8a5ab20a1454e3f7bb06c1f165dad8fbf4244fe643201f2d0a5ea21ea6a9d139cad7cd0e5405bca2ff972956ab43b13d757479e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
10276073cb1cebd0dcb40b494d76bedb

SHA1
7bcb3a7aeacc0dfb4b916cb9c6a1e1c5a5ba7019

SHA256
c62fb5013b5377c175f848676cff132c25b9f9f83b5200efb8a27922a5e71ec4

SHA512
121c4243bc5a6ee97954670a8a042a85899dab8bb99745a1813768a5cb304249ca3848b918e33bf746f73078a3948953b87e2069c7d8d2f087fc2e5f50ddb37c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
27cb972bc9f2987f9db347398be94b58

SHA1
83bd80250fbcd2f2a00340336529944063c62e25

SHA256
ddeb49ddf23aa55ae3cb558c0c4638354ebb53e1b8779bd4cf30ad84e745536e

SHA512
bd85dab36073574a167421d8e12c6701453074b1fb115ab77bafe5a9a149e9cc6a331c45ec5548043e0a907ab1914e071f44c11c54a99a70b027a3e62945ee24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7e68b189b177bf2a999d94e4df49caa7

SHA1
070dea5abd63aef8218a52faa02dd87d27f022ce

SHA256
1508bdae5d72b04470bc902c5ff26021ea364652168d6ece17049398d0f50e94

SHA512
7554307b5df2369906f1523c01aa268b6d8ed04eb033eac19bf748c8e9aa8bc914bda4079096d0192085ee343a48400637e386a34cf13f2965c56f48f7f0049b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5287e16e669a4e34d850a3cf6ece7164

SHA1
7cf6742c30a095599817ea954d391a856af6bf13

SHA256
379f47adf6df5fd86c32e9092227308219435971217e7326ca8e689296e32f35

SHA512
3d84ab7db099c69519c77f73e348e25baa5ea40f4a65118b1695882e98640b3b138ecbc10e300cbb231e4b32b1450ee1b4d47961dcb5ec28c84c0c48be2f7194

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8a87f3283949d05501fd47b822ad223b

SHA1
f8e4b01bdfc62ff71908aa9ff742dbcb11cc89e4

SHA256
20cc971dfc8f11100804bb9f60a9991b26655aa7edc183ab009cba72bce5096d

SHA512
abc78795819487a627e3d13cc41c989fff9a2ea3b30fce1181a7e7f8a391bdcacf205d2a230a8d41c0ee44cbd86a53e845f751a88e7aa268a9abc0c516d50ca6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8923a246237e9a45ca058a07c1b80736

SHA1
ce28ad5d7fffd93c058c26a02556eb83458260f7

SHA256
c6c9e485d4019aae7a292080f7ca5eafbd72c670a67df79f9f0a9f3f6dc712f8

SHA512
b7ff9960596319f9a0b484c951bccf23a14ffcf2991a0d67c48abad2d1b1a37d6faea537fc6cb02111f2f327451ebcfb83c15a69fbf81b87c665ddebaf91a214

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0bde37ff60617cb1234dd8b399b3db3d

SHA1
a4a7bdcfaf3cb95a5c80b046191f4a527d5105f4

SHA256
2a69bb62dea102194b7b792acd89c8f4c12998767332665d61a32ac2fc8ead88

SHA512
308d3f023a021d17c6e08879dc5c269b51df46a266d81ef53986c1a5f06aba1977e45535bcb290b2f243d68affc0d1add44d407b53ab1f53cf206c65f548e5b9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
88500b2dbd16eb6ad598b4df80b3d41d

SHA1
7a6337bf2cfc9fcc38f999fc0a8a25fdc2b9282f

SHA256
053de1795e85c5169bc0adbbe2fb19cfd3d288e3db6e7031ea55a1909c121ce1

SHA512
ad50f46edb0cc83a40f1b078a0302851acf2f163e75bfda5e3d0c9f81faf78980a44d43e62f0c3b5083f6f029bc2f01c24ac322b414765babdff0eb42b76470e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a0796ba905359321551020503f5ddf90

SHA1
9a85c63cd9a81412b617a89f6c56dc445a6a4e94

SHA256
ecda63afa891642a533547c53edd4da91b462cbbdc5b5c931ee84f2c55ad04db

SHA512
fbc9c1a6ce1c23eaa165194b10f1c7b3e3d13f86b7b1206dc32738b882bd78d1907569c18f8b6432b5618d037bc79a311c7976a0019b6cf84aebb983859073de

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6c3482bc1b02e61aa2b5b4f61054d511

SHA1
43f12c99b5c6e589df395503e70e53c43bb77770

SHA256
0aa85dc0c2b4e8eb145ae4256109eca09dd2b83896e9531466ebeaa322e9aeb9

SHA512
e7fe087711f06bfcc7514ec15ba2232ff00a59e420ce598c2a5492e46d2a898a4d0ec4866d83d082ca03c314b3e1ab3c02baee85ba7a3353fe36497262ae25ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d1df679abf818a8d0f0c93dfea3e79a6

SHA1
db118cb864e83f78bef492604c663c8cd44220f3

SHA256
09e43231767614149fa12e6eb88418f8beab7f42d6a81a77302f5127efd01bb8

SHA512
c38da42e2bc9687d4d8284d78fa19c80b82d0ae6c4e0a5519a3faea6a1f0e833037db221861d0f6830c18520d297bc85360e4ed3ae937204ffca1c65725522d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a8b4e0c721c6f46e269771f21bf2df81

SHA1
546c69eeb32991a825b5396522e16e773205caaf

SHA256
a96b21ca9aa0085b66ef4b77861b18a217abbf89cd19e4d71243a5f7a488aa1b

SHA512
adcbd959d540261c7383dbf29d286186533547b415c6fb7055052468eb46b98879c028371689f712070a9b6031910f1f33df28005710578825b6d3978c12542c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c3140f10651d669775e334aacaee7756

SHA1
004bc898ae8ebc36522e7f64fc9ec5126911fbad

SHA256
c6eea4d5cbf8bb41d835058e13fd84573847ac6eb36e1a9bfae738b6d960517d

SHA512
cd9394ea2182a7c5c86615d5e8a918566f24ce8e58ef3bc6d7b2aad52498df2ab86ff4da34969fb05cdd49ca1b847221607d99d99041cead50e774f0c55d2f9e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6e747d6ed2d6ff6fb1ca59fc2b18f475

SHA1
b2f62550d45971e36be1f454052e153664102c2a

SHA256
2fa43f1a8ebe69200600017ec1717dbbd0f772ad58081ceb8857faf32d7af94a

SHA512
ca2fda131f15ac656880a1ccff8acd9d11c7d3db35fe1cf97d52b89b6d6e2de36d4fcdf4097a28586f63cd9e50f7900f3791ed926f960642e246a5e7feee2477

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0446406d7b1859745f9cc535580dae4d

SHA1
3ff59234c03e1084b45206da5cc4934a7a2ed7e1

SHA256
6216299e4261000ec5e89ec97b2b51f742294fd1bebb726cba24c0240e4136f4

SHA512
a5fab0dca1b0e0d2f38e96ebaca7df5a18ee5a2f648f716e75c5d32321b72971374a84d83930931799dc508d9b9e090f7674ee132b01caf7eef32fe8eb5cf470

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
efad0c02aff5fa12d7062dfed7f6623a

SHA1
c2d57ce2d46f6df02f6e3adbe46befdfad9ed992

SHA256
2af5de787fbce82fd2c2c270ff9763439fdf957d283c89f0282e4a7fc7704a0d

SHA512
fc959ca8003d053c26062bc09cbef9acc79f08ef0ca3cc29c685d4735445806a4c63ec6b4184e678fda88c5b9a49485b3c63c3a62d8571d16481044d19a1fcd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
00184003e4d00bf02af45b0ba97a861b

SHA1
3e030d294072ba32648fdad2ea310e79dcdb96ce

SHA256
30220a2d6334570726b190e592ccc52708193532117596df2ee872b361d2c6d0

SHA512
2afbc265c504e57e53d1265fa39e3a54eb3016ba0e34d60d7d54abb9ac80ec715c3cc5ff83097dcdae48e8fda668ecd48287f4adcdb8c16e2264b1e32bd39fcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
871625b82380e3a8731b9ae624fc7519

SHA1
bf71147b209dd7676df0f66a03361126bf0feecb

SHA256
09500b65d733ca1f839fc33b8ebd49d8b301d09decf529362ec7bac356ea9002

SHA512
446647b211bab9bc0037b57e68721351cab0d06a7fe66aaa35689a50e6731e75d335fea788871f8e90346070c099469b5df6533e6709d3e95efc5656b6f60c1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
42615a99ee4abdc9b5b5318964fdfd8c

SHA1
9c87789f258b2925714c4bd88d2b22f2d4a1d5b0

SHA256
6bb4e4813ba71c5d4def639d838a9d86b2b0c4e88583388702fecfca9d837187

SHA512
c29db05294b73f789e14c195423182630cfdbdb4d3392d4b7125a8eb96582616d93db0efdd41019e000cabbb22cd4bb2fb96e268aad8ddedfc5b06db69762097

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4395a6c10c6eb29b5da76b7f3ee28fb2

SHA1
d401ed0edf5a086cb6d986d934d728be652f80a0

SHA256
90e40197bf26a23e397610767dd45da9bc893275ccea5368da9967e6678880f0

SHA512
71482aee86624419dce3d2609a13d071e94e8524e154542ab4d00db90192a53ea7ba8ab3a2fb92fc352bfa2154b95b3a40fcd4ad9307c8d6f5bdfb49991bc3df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d00d8e79a79fb1c68e855985a24ec50b

SHA1
baa6c130ac22452d05ae2adce7a8372bdf5769a8

SHA256
4ebe7ec0f57c1783457e4b0a383d8a796d0b3b970acece3caf471d8803390cb6

SHA512
28dda5f17090aaf42e61461f518f0d4079670b38967f5bef85d2b6fd9bb3cafd58f6ef7f134ce5920bc4b7710cd875863d5058a26277ee0f270cb9a304198a31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9dfdb20712d6d2b221e935075cf11ec4

SHA1
3fb6ab5de89d65e8c5368319a81a3ade982b8b99

SHA256
2f0b381724cfc0a8c9a54d6a501a9d6928b0b47f1fe5f70884df4df74c346d44

SHA512
fb98ad38f106b70bf39d851dd0b5106d3a5649f9b0651f33dab1b67a8d149aaa797ea2298699df698f2ee82c770b2b2c46d412c1c75f1c2542221074fce195f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2778a9d6ed3f5168a36473a36d87f125

SHA1
3feffb213f0a9e481a58eb8fe18c62b694c126e1

SHA256
4a98d77b5a2eb10bd1c14d88c374f3593f772b556ebc81580fb3ee4a7813b108

SHA512
87bf81365fa64f119ef28faf58c9dc2ab7c91abf288a036f029fd02c3097fcc0d536100f5cbc2b4b8ce5fe0394c22344611d1e9c83c38dd74deec295a982037e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
0cb71613c91bbae4993bd9ea999b9f1c

SHA1
f91badbf7bcedd09a7a003670c190e826c3f6cfc

SHA256
cee1b1e55b12ef0d07113bb0f6d15bad07eb59a2e9f15e256e8e5af02bf96dbe

SHA512
474e2e2e8b99cc2584deea3aa9474d4a8dd6942710634cefefffe4aab1518d0e37b2f91308d75b3588d4d304ea662886c5af4de5aca3b366b95cfe7e14764f19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
df3841b633770769c7fe2acc83ba9c82

SHA1
72b2d24c9a2c4fc1a6ec05c9f5b2ffb1e77d4231

SHA256
753103277aa0705fffb30419aba77e4aaf6f5d419182fa8cb8c94457523aca2b

SHA512
652a0f4a71ba5dfa2dd0ad58e4cc2e2747ccdbc3ff62f614d717febd3e0ce4e272d60ac48477edf9f94a0b0dbbf7157215cf3f0241cfcdf2ad65706078c73aad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
1233562bc78036a46284b492b4208dca

SHA1
240fcc1f5cbe4b5f1ba14f71f7d14023a8f4ee96

SHA256
c5dd4416df5174a3eb1ac1a636fc926842b380e40ba69f196bb262bbaf1c0872

SHA512
1c33b7b8a890e1ad1fb616715addb5816f20f0b3944c85208bf9149d7c6fec34a5acf53ca02e938689a391951abdf2c237bedaf0fe3b748eb06a420662ac9757

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6cdaac4159ac394835c003cdce9b5e1a

SHA1
3508937f8be195a790bf4e424dae3a709fcb0047

SHA256
919714149cf04d9fc4a5199953f33b601377f5be3ba2a58080562a5b59ab8244

SHA512
f8c8c60e12753674a9be9f46bfc5c93966ab71ec514693c824f118f4ebcb9293d44297b9d9b7cb98d4900cf4a5d29adb11c79af02571eafa1a17dc8764598afa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b92ee7ba79db906512407e680ec51e3c

SHA1
79302795a516c9623fac11105bad26a87cc4d5b8

SHA256
5470cd76935bf2fdaa2f7f142179cb22d021cda5fc820eb437c14884a6ee32dc

SHA512
9cc222574680fdeb9fd0dd4dcb9187eb10f0f785e0261a5dba61153953de52599d40a46fb06210785b09e36791a94c90e22747dfac634091f7bbfdf0e0a64c2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
4cb73f8c9611a71c557eedc0255ce12c

SHA1
7ace550418d11379b9ccf59f8c7b69d15baace94

SHA256
b5e4a41fc06acdbeb78c747117e676cd17a9514622eed6443b51ad5c7f45b06f

SHA512
8e1265506964cb6a8be2eaa6b77b303249479b4f5e965a626df83b33762fe9f32eb9fc2f9a696e1017b97d7878ce3a1f7bba806035e5922b2531c97c34cf0ef6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
59fc799165df22f7e20f6e92e5574f4a

SHA1
4df179635a6becfb3a9806fb13b942b3526b9864

SHA256
1323b6ee2baac80c73b893450c0ccd11ddffaae1f13af682d17fdff95f0e6550

SHA512
bd6aa4ce92e85d12ac62e3bfb715051f63b23bb062e93adc44db19a71fd166d0392c0f8a915f8c46d32f6a4e53db2ff4b898d12ff4fdae9ab8c9e91f8ec12637

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
a2f95070ea800f3c67f89fea7ae218f4

SHA1
fcdd3184d9bbc7b94094fe9258445808d69a3211

SHA256
6350adcdfc3c39515c1ff2102caf4327af9999975cc8e00fcbd2adaef40bc117

SHA512
7f6bc8aba4565e6d4cd8f8463593b7493a14b7e554abcddb5804d218dff506ff6f36f49c1aeff51101dac2cc896f7652debb2b7ef4820f7000d6a328f087a458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e84b78c5a39e004012ac13c8a46d9819

SHA1
00ce597cecda6e357c11027fa60a967ed60abc2e

SHA256
87e2d88faf46b59d190c4d5669ca4ea3077997d4fbd93172513342a979c24d34

SHA512
0c82bbcc41bceec9c70b3fa44670ae0f6c57b44d7b42356b11d0ecbd53762a2b5aa7747285a3a4a8fc16f85b118c547eef43e543b298e3fddab4f3cb633e4128

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f1f3026dcb7c42c479d686ca185a80d9

SHA1
1a389a9f0d7c6a3f498a2db75b6595a0cd67a84e

SHA256
395b5f2e3be8c2a997237da1b25f0231f5dc6fdb898fd3cfffc1c80e0808c1ce

SHA512
d9b3d03d63a34d23613a0cd8e914a8176b9b0997d27e7e617852255758e221106a2512d402b35d60c0d62212ace2d8b28381200736ec0f49a8465fbedb70a7ea

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
04079bc5a1ed5d290c168ba40625103f

SHA1
ad8655194c6e4dd7ce49f7dd12f44ccb00c5aef8

SHA256
d2a26303131fd73dea6c5f3501ce69be95e8c75f1c7fb04a2a3767977efdf230

SHA512
90d761838f6fcf5a901e8d514153ee5c70e252d5a54603e1f29cdc19c78c2ff077d601b52a40d550419f4bf3f211f514302580920b6e73d0c1c3488730868cf0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d520069b3d3974a72f0a0b3f0983b4fb

SHA1
693a546bd044eb6c99088af1523da211f6418bde

SHA256
8e68c4c49d9a138e02b1f0b618e73d87ad23f2a66cf960ddbf61468fac420df9

SHA512
8e9bf4bb7ea990970ea0a34921568a7f20eb4d471b310d5f27a1637a5a26372829e3d327793d1f089295986c3734469288e95fa652e88bf847e71d026c6a1c21

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
33aca7db374ae8153422b22a03d1a199

SHA1
f0fb719bc94b1da2d0bc9e9d3c443c4025b8ec88

SHA256
74dd1cf7c0ba65133521fdedbcbbabc28f16347ab6f912a5467398694a70839b

SHA512
b1bff30283971dfd8ecf95aa52170dcd550a48aa1a4ae4070eaa25622d70a04d1168fa834d2ac3d54ac630b878530296121c01428246eececcf0ce1146127fe5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1562ae890493eb02d6851c3675355930

SHA1
f5172469f951237109b304b21d26e733b8365139

SHA256
dcfebe2e947f105e42de3efb90bd5e2d2700b46db5f40743b2132688129c3675

SHA512
a6bf752a2aeb8bdbb946373b8404f5f4bd9ea700d997670c95d938a626d67144a67b988d29d57f08b508da103e2b60647061679e6aebaaf054954d268fdb2aa0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3a34d89f11ffb7c0bb03ee6046f9d15b

SHA1
c08f7e4099410d38615cdd00242f0126f3b5f020

SHA256
4eb9babb0c07e4a5c526a0dbf85dee8806c51fc65d4704d982c6159ae1881463

SHA512
62c194419abf44aafed14d35331f84bdfce32bb53ed517e31b559448f6b03dd660ab003d0f16042e11006d9f784b3ad97aeff1085b2b7156c887fc52a44ba24f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
fa5d0c15c0681bd7f519566e175fc0a3

SHA1
ab1062113aec216e6d84cf456c467a2d61f8682f

SHA256
5560ee683a28f2f7d2665e1ab5f23f209bb77c5ecfed66e79d8257ff237243f2

SHA512
5518ec688e994c4b127eca0c1b7779178f2067003229f517ee2a3d1cd6d41523a77389664bd45c48935dccb53b05669c7bd3ae628d1d57d7d487a48984d2afdb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
974c5ab1db47ca0903777d865afaf982

SHA1
4c1238aae24570e35034d1a7e197488a4edecb04

SHA256
88554ebf9e7fc9803bacc393ca14c0e6d234a77f5e9069b0a407e888d22263dc

SHA512
c2ae692dc2bd29f57c276785c5ed4a23a5db714727736422adeaceab043abc2336aac486eec1322f835a62aa68e0748087a4174c0e6efbb2af27bcf8f27126bf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ed7e5828fd5f5c5fec04c597f64f41f7

SHA1
5d9f25f8976208ad8c1d038a3b3e6f19dbc00679

SHA256
376993f00e838c418027d3248d229817bb1c0bd786e8deafa0ee2986e10286ff

SHA512
9df699dfcec9a3685fdd3cac6768c56627c6ad5ee80662ad52bd2d33739fb0318dd90b36d7ba71ca97fdb9d7fb5c71c6030dc50497af7520fb74a376547eacb4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
597df68991fe6ab20b3f9ad1e68dd32c

SHA1
13b30890e212b85e2bb78338a50c148476bd8249

SHA256
9a1103d90f04ceb7586ff1732f46cd2389c414f8a166262bd277f984e9735fb5

SHA512
09aa0ce324bdb7959e96f82fd219cb8370f19c38f0cd961595a5852f694dfae328f4714fab1692e1c2f921cd765dd7122c5216cb939a0ab62a3e52e2d60cb79e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d9688575a7625a6deadd4dba1d2ab352

SHA1
f5dab9b313bc456d7463f92390ca3588fa1895c8

SHA256
0a22adfcbb749882451fc3ac5bd14250885f335f6f1051e76766485ff66999ea

SHA512
126f1bd6222c75f9d5edfba845ceacd44ea963e4be5f599d16299c08a9f3156e775b32306b6593a1725d39edb0ab6dea8aa346d694009cc7625d349df9fbd93a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
292a3e1345a3d71a50feb2d6b8ba7038

SHA1
06667deb60fc5a6ad3d958eed0181f48b63dfb6c

SHA256
0b9f430a6a7d83d131b44b201ccee06bf8c3375465584aeef3a24053769bf91d

SHA512
e3343c7754418d4f25ce10b4957dc4cdf47255358289d18eafaa77c59f9e3f431375c2d45b36051434adf59d7b1a9ce2a94e389914fd343a929bffbabd05ee88

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
54e13967106f938f6ffd8686f4a0eea6

SHA1
e7fe2c55377de6e73ed7ca98aacb89cb9a8fa55a

SHA256
76a177536ea10b8fd2589766c68bc017c4b601094d59140e217ee1b8d85cd351

SHA512
30e3d856cbd73eefd1b807566c300fae23a10ac3e8b4b94cac8154644cc5a42979f0a94883d1440a8217c969ec229b74b75a279e8bc5477f9e705c8dae3bf4ef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8b0ba214e009bec8329eb65a3fac1cae

SHA1
769970f61bb3d6313fd61dfaface7367ed858d8a

SHA256
aa66c36a9b4ab68ace4815cfac1bfce802c7c25d1ec2832ef9051b979f740ba2

SHA512
874cbfba94c09ae745b0294992a4937a8952d260d1f867077f5b36f218c7670c0feb64ba24f87ce7823ac646c10e272760b47be3e7242772cb04dcc95a2031aa

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
70c2e1e76f360cc72d497c230a40f251

SHA1
80d4200b03d51a1fb7ff643481493e12949e1cc1

SHA256
156408b0f1c73cad5e94d9526ad27ff73ac445b8d388eca88e9a2bb47f905024

SHA512
7be0b122512026e24797cd97b596b7fb286f813a321b8132861152c58f7d97b5c6ad2d89624e01fd286ee551bb43ed768f48236ccf0044a3c19c301b5a401982

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
631b961baeaaf1b75e61cbd85d2a47b2

SHA1
cafb52f7c7194149697ca029637cfaadee1287b0

SHA256
6a782f4d5a3a47cf56b813fd674fe1c5d12e3d6c9d10a513c8d33b771fe15bcf

SHA512
70cbf1290f929f5f722ca5d4c01315d7912f39b1d9df312d0ffc8a9020c73bb62a241cda3db4fae6908d781865471b6659bcb7adf656c29bc3f4c715f9abcb84

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3d4705f91928a85e31ec518e2df32a87

SHA1
7c3c4c0dc10e07ea268887c74bd47c51a2d94a3d

SHA256
871bc3e7a87e090826a9e71cefb25c46c44056a47e88246b7d09ef501c22de74

SHA512
9c43d8dad1e4840ee91d927902aa0619afa98c5b2e27d61f9a1fea8db78b223d52e6be226c3f35c147de53bc91e674a8376887074558368ddc905474d06ae0a9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1cbcee76b0c1655fc45a223b2ec5a22f

SHA1
3181d92022b6e7b6102fcd646a1b08668e39499a

SHA256
a4af092daf9f43ee3733c9c6ee62710614ed97736bacb0140dca7f2636492995

SHA512
fb22f215e13b760963276f16fa0ad81e4f3ffab1fd6fa1fc478b82b424093ac773569f0058c05ef76bec442f93d646be3f36cd4d135918aaf08d469f73240a69

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cd0322770a14a56a34b847e2869a675c

SHA1
c9da2ee26763ca21f0d37f1bbc8579adefadea69

SHA256
e5b9a1a5a5d881cda3260988804dc7f73a2be8b3e1847afe5ce4eff53e79fdc2

SHA512
9aad26a4ae51c913cc7170d4f5dcfce336855f340bd725e9412d86cb666831c99a4cc0324ac4f72358d973720913b0567d0b6e641bdd725d4ac052b1699796ee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3cb0b9b32579bcb4b0eaba5afba17ff6

SHA1
45d12d68dfcab3862f03a104183b6a0cf95dc73d

SHA256
e604ae8f7255366e0b29a10bfcf2faca55b44a8b390c4838a7be04993814ba7b

SHA512
4521706f82dc8964c8ef76b4f4e218a225bc35cd59cc8c096dd75787bee627147897991461333f54219fcdec042f10a83d685eb6b13d3c40caa21bd2d49ea040

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dfb63364eae47fdeaf0430173ba5c748

SHA1
4e7c75be8b63ac380f3f0c8d4b9d27c76fb27e38

SHA256
3646e944d1241d1dac1a3e2a0e64c71ca2c670af6908876f4de91724faa7e537

SHA512
dcf52297b60fc732782f660fae4a0cc877375402e99904e06783a4befbc8ff3f2fb80cc83b4546c5e3a39064bd1bb687b0fcb005a4b88a36145667d2fa683c89

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
520962549862baba9b62f3390343331e

SHA1
5e19d6be6a0fa7acb2c47f285236adf9d3d975f2

SHA256
af483ddd65220f0444d11bdc83afa8b62bcfb7636c228cb5081f397b10ff7b79

SHA512
aa37dd2bfa89048604251eefa2aac5efe5d6fb0912b37cb0eb3d5f2319348231a57eb58e075e95c5d47b272a989b3f83348263a331323e08eb86c54190027c11

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
899b768afc07af941ca59fcee696f730

SHA1
373644b0cbcde87909e19ff0fba4c7b1a2973fb1

SHA256
bc715e3d09c17cc954efa451e0bfef450e21087043f83eb1506870202e0c60b3

SHA512
4c82722dd397035708e236e54a8431b1f3014a6d9daf744bde7e187c8c4e82a3a47f534dc0ad2f1fa8dfe6897cbc478f3c540579197a2c4ae18539d71c70408a

Download Submit
memory/392-6-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/392-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/392-90-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/392-1-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/408-130-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/408-249-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/684-588-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/684-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/908-476-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/908-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1012-261-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1012-140-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1368-117-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1368-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1368-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1368-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1532-210-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1532-91-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1532-93-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2156-587-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2156-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2172-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-556-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2308-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2308-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2308-53-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2308-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2308-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3144-163-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3144-376-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3168-75-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3168-76-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3168-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3168-85-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3168-88-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3224-199-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3224-585-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3308-592-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3308-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3708-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3708-60-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3708-54-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3708-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3900-591-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3900-262-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3928-237-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3928-119-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4036-586-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4036-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4336-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4336-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4572-33-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4572-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4572-118-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4572-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4588-188-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4588-562-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4676-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4676-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4676-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4856-225-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4856-106-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download