e491e2514ffd3b21ebf303936df51007e47c7d082523a2e09b7d0d1b7884e938

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Size

1.6MB
MD5

ca654164666027e9e3568572922ded68
SHA1

82cf46a008a73c1c901ca19389cbe2f7c2415349
SHA256

e491e2514ffd3b21ebf303936df51007e47c7d082523a2e09b7d0d1b7884e938
SHA512

766be5e827c443b1b74ed4436672af2359767de2313eed2240dbec389c944f1c6f6b944f8961f64671341eac5855ee22a231d7743ff8781fc99df0957cf73b94
SSDEEP

12288:KtOw6BaewYeskMjFvm0qKWjr/pMoVx8JX8it802q3LZj+:E6BasRjhm0Ijr/eax8JXO02q3A

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2136	alg.exe
3316	DiagnosticsHub.StandardCollector.Service.exe
2868	fxssvc.exe
3624	elevation_service.exe
316	elevation_service.exe
3184	maintenanceservice.exe
1860	msdtc.exe
3796	OSE.EXE
1416	PerceptionSimulationService.exe
3716	perfhost.exe
5080	locator.exe
3076	SensorDataService.exe
1720	snmptrap.exe
4580	spectrum.exe
2896	ssh-agent.exe
2140	TieringEngineService.exe
1680	AgentService.exe
2216	vds.exe
1136	vssvc.exe
1072	wbengine.exe
1040	WmiApSrv.exe
2436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2428ee1a92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaw.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000306dd07538b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a90157638b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f503a47438b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b995b7538b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094b2f27438b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b464c57438b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000563ebe7438b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Token: SeAuditPrivilege	2868	fxssvc.exe
Token: SeRestorePrivilege	2140	TieringEngineService.exe
Token: SeManageVolumePrivilege	2140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1680	AgentService.exe
Token: SeBackupPrivilege	1136	vssvc.exe
Token: SeRestorePrivilege	1136	vssvc.exe
Token: SeAuditPrivilege	1136	vssvc.exe
Token: SeBackupPrivilege	1072	wbengine.exe
Token: SeRestorePrivilege	1072	wbengine.exe
Token: SeSecurityPrivilege	1072	wbengine.exe
Token: 33	2436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2436	SearchIndexer.exe
Token: SeDebugPrivilege	832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Token: SeDebugPrivilege	832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Token: SeDebugPrivilege	832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Token: SeDebugPrivilege	832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Token: SeDebugPrivilege	832	2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
Token: SeDebugPrivilege	2136	alg.exe
Token: SeDebugPrivilege	2136	alg.exe
Token: SeDebugPrivilege	2136	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 516	2436	SearchIndexer.exe	116
PID 2436 wrote to memory of 516	2436	SearchIndexer.exe	116
PID 2436 wrote to memory of 3116	2436	SearchIndexer.exe	117
PID 2436 wrote to memory of 3116	2436	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_ca654164666027e9e3568572922ded68_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4736

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:316

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1860

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1cf9996ca1730932bcf098988cb077a3

SHA1
7784e64f1ddbb6c0ada873bb69ee72401f9f4062

SHA256
371fbcdf7cf6d8ba452e993dff06799ea8be044c97b508a84ca467b27fc70c4d

SHA512
543a040e5db371914684f7f5b6cdb32e0d3f2d71411514b2988ad41414436aa279ecee5cc1b8891a81bbe86408f6820d58da3d5ba412c6f35e515c870797bc91

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
da958033f27ccf7963250b286cbaf23a

SHA1
46cb20894942a9591478254408cd5b6f46aeeca9

SHA256
ff3c8786d7776306f7456f10108b1a3a0a62e0136c5f9ffb6e87b2f6039124f0

SHA512
b65442ed5b552eb49a8b9317753690c3359590c9d04ca270bc20ed681d1e30dda65af5e797fe2aa7530cdbb5fb9d9d962d82219f2db9c831fd1d97d34b7da209

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
313e41ffb7a287f2938c93b7cce2c605

SHA1
c5585abd82985f9c7c913ae63fd491efbc6316cc

SHA256
689ff079f3758a73b08b3227b4c0d8eb68235dee2dc533433584c206bdb8da76

SHA512
e01aebdd1a13ac4c4f5e252ec818814c53765969987f3d38508f7e03000c388002b281fd068d77bb541929ea1f02e5e291ac0d428f4c44fc2d2c0497e6760811

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63d0cdf96852e3db01d6a7ff81b92efd

SHA1
133172a97a1b95c450c2ced8d99325aeb54220ff

SHA256
b871ee71bc0642c733acfe5bdf55b1391cb726f58ac969c062d999b46eb15c46

SHA512
f6b7d1cc8572ccf7a1b4bade409e34880c8c3c59f0a8a3aa604f0b0c41ff637e216984d967236481d514f88e5da673a93c5b21b286ce8502e73002ac09d8b56c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
92752bcdba72c9991f3fdcc7be953569

SHA1
027f446623666c36c9a8d9e7e4c078d2dd71d5bd

SHA256
23736905af01f390bdd875166b185b3e7d79c48e63342e1c5a694bb8f50e0a64

SHA512
ff45efd8fb215eb8ba1989ea88d8c5f5e1b4c45ab472e482102f5eafc8756792894f999a809ba8e30e8a5c28ff6c7222691c220cbcaf5132f9b563f3ac759aae

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
016123cc559f094458ec19b6f19d4e2b

SHA1
005c81aa947629202539654c29e809819a0039ae

SHA256
8d52847eeb8997ed3de750314323f91f779a700f6efd48d69debe76d3ce33f83

SHA512
a1d97fa22e9d310a933c22fca791d8fa685b53e2e7ffc18accb81fcf5558b1072f1fdebd5af07d7b30630ed75a33125b4228531e98f455a6f419b667c8608095

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
67a1c23dd781417531f78f77dfb2e7a6

SHA1
99da880227fc0c798434854adee816387b1697dd

SHA256
a3126542281e473289c0122bc1599f5894fa40075e0039dc9a21cdffa37d2db2

SHA512
d5efb728b25aa42227136d32c7813ede50666bf17917bee6f1be41b1a8e6acb1515eb124cd9b408679ff68b0fb941d582be9afe71c5d430153d714f2a8a641af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bca5db7351cf021165431036a423cbc2

SHA1
5df0549a4eccdf7e8266f8fd25a000f861ccd800

SHA256
5fe350bb4d4e4a4a70953e2f145068177ae3fbf9d3a48759593df77054678915

SHA512
ef5f01379bc8f0b2c7036e88dd47f8d679234fe9cc9c6f2eae5bc6c797621f3cd7ca313c67cd8c8cda3624615ce72d8eb275e373d4e14fd1a5a28deba1080e1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
697f1b1ae227be8f326c4630b905112e

SHA1
8dacdde2dc5703fdf5a0ac9baa572a43c7f6f226

SHA256
0302af9bb5dcfa3c158cf4027a76bbee92f6eae4c4a26f1fb5ce6c4257f98047

SHA512
b8e4f90911fbdf0ff0b98846b731c87c0ac1449030408a3c84e38602da36dbf9f77fb9d9f9560eb4450bac625bb5fccaa2adc1401c0070be74a6a6d45bd27624

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
eb7363cd75c01fee12274bfe13a6f35e

SHA1
5f149b72e0dfdf8c57da2df8ea38ca6499c3b0a6

SHA256
00eca40ef967876950f6a725b203133510ab72446ce196c227a78ccc26f5aef5

SHA512
0e3a2784b54d906e375d4395d27f99490336882c5f9d95a00e24021ba14768b300e85ea0fd021c493f17feca6b2d634c1da56c15c30f57711054e6c8670ec648

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d75f347d2e8582f891be0f97e60bc6dd

SHA1
ec77112fea5e67dab71a887f14c583c640fa6e17

SHA256
05b73011dc0854fb6cc6a2e9e1470b544a1fa327d91a42e951a2c72dd169c98b

SHA512
475537873a4a73b32d9f7c24b9576e7af654abaf8a484597e284f7ee60b1114cbe2eaf4aadd7720cafee28adc75ff10e95c888061467eaf01e6d0a9261fbdca2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0c038d6e9dd76d98594714015dca3064

SHA1
995622eba5ba1ef7d972d55856c477fdfda52eb0

SHA256
9900c1ed8a72b567758b802aeab72c200131bd4c885a709e53dcfd294bab7c37

SHA512
40c0163b07d571d87cae42534ca368ecaf711cb0200cdc908b6a2833d471dd6fde7172773039ad494c81c9d70cc1005af014898a4a5e8dbd9fb533fe73a87516

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
30ab1a58f9e49a09a8c47b5e7573f377

SHA1
2a7ea31f5f6f15c92bca9e1f85efec9e627646cd

SHA256
5fd3855188fc8604a5474925e0acc8b5c63a932e8e063bfaa2e2c8e54ced5428

SHA512
120fc5794b88f2cfab955667346ae2b68edd1ec497afddbb02edcb08ff510e64d8dc8a3f1a509150c35ec9cfabd45d57bcd2704ebedfa134c357e6f531bd2dbf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
6bb02590023386de48728151ff9eb963

SHA1
9900c4fa0960a702d3abbe5447a09e2bf7af4902

SHA256
62d8ba5ea7b1f7d1f91a3c4189d612cc0d883faeb5b34525a4d8f72e6b266ac6

SHA512
c28dca06450200ec96f1c705352448cd1e735c8171177f2b642f893f30b022aa4087da4573bfcc7c0a4ca74646b2da1bb6cf5db7b6ad8d25327ef33f002f2754

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
83b9e4b471b8b7664124b352e4f4fee4

SHA1
9bee692f8b0d0c20e22a4c712d1d3870055d37a5

SHA256
0a96ad57986ca74cae7d26e26bfd9809f882919d7cdd802da61915c576dcba8a

SHA512
8097b64767955fe2e47b8384f295a38d39c765246708894cab988e054b0f5fb989305256d6052a3ad42fc5cc1952e2d4af1d6812a60ca899429dea069bf16b33

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
af73882f6170cd2b73a488f4a19f3afb

SHA1
4a047eddf490d3979535e1bf168e463efb65f50d

SHA256
55c2b6f7877d9a7be65c9b261512a68d768fc7c8535f84014ca1cfab8b716e31

SHA512
356b118ff478004bbdfb73c4dfae1eb08bfe223be3e2e2eda7f8b9058bc43455d7bd22527028032af67d30818864015b2d0a25b37d7e614d13490ce849f7404a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c8e00b739513de871e787ad6c38a76c6

SHA1
e8a62adeee3848eb25e616feac63908ac8adee8e

SHA256
4deebe5ada8b533acdadde26282e80244eeecf6f3bf758051c237aaab6767fcd

SHA512
e9d4915ee6e7c757e2bddfabaa9418bd8870e0b025a44f67625d8fd057f201594d2762d23ef7b1459f5b9a3e8b066086847ebb1dfaba4eefa223fe8ad08b913e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7b99c4c697997dfb6073eca30e9b40c3

SHA1
4c490e85c4d37c7110f4d6f5fbc47cb4b79f438f

SHA256
aabc8c5061745a4ee7cff9b9b7893bd8a4454c2578bbdfce8045d62a5b6b6b4a

SHA512
113abbeabd56c3d5b71dff61871e4d31e7777bf22c3def181d6c215931bb41be177f68a2eb004c643be848016f5d8a1cb64cb6dcd79dc3ce5b192285b27e3d91

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6f39b4f8ead94ac7cd847e85ea34c785

SHA1
e099efc1ae2980e6a9bce30ba49aec2cf91afd7d

SHA256
456c8d18c651bd2cfe4ab58c84c18f9c45b7b60b93cdd41ac3e500e860e019a7

SHA512
c6b6d7b7869daad9d387d2713c7d5a79e9516ae9b523b8acda5a821bdaeb80ef5b41aff9ec60c6778e81f1a6b3bb8d319cc9aa3be6a1cf085e1b7c9a44848677

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
631c06631110e9688b0439ca520187aa

SHA1
58aad3a50e2f01f835bb9453031c718aae084764

SHA256
e6333324a476f06292bae4c2283e39510bd9a03edd71db2133d1e65005cdc78e

SHA512
90e7354a37665b262be15ea50e4d5f111ab3c4eb5d08364bb2838318da73e9644f85b239e833705cfef9d95ba3287e34668136bbc514317f99b6f717e43f4361

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0c5e5d01529073a34ecc7006c4844d57

SHA1
6a18dc7e6bee1eef55890e5f6f151d0f39687ff8

SHA256
0cbcfeb94deb1527bef8fad9bfe596461be8ec5b772aa9548228465940ed721a

SHA512
7dcaba467210aaffffcfff4d206edd9000d340c716dcf89e0ec58e21d7231b52c6b20fc86c9d04de713f527c274695c60f69402a23e2c4ab47f591ca7c365ae1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b33038f814cbeef13c71ca4cff84d596

SHA1
0c8fdb488fa1a3796f0643fc43024ce27667839a

SHA256
a0060f8f4eb425123970f5b4d40eb234e5cf79de39dd12de9a9c96254b3df84b

SHA512
40b8ed58809359b03fe5e9bf0ebd05a0a66d05c6ea3780c8b3df47e52902863527e3f630fc662ae0409a254364c06b97464f96afc4be57d3ff0e1d2540ca443b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
86dde82d7d156d29aded109de4252ba4

SHA1
6336854c3f044df85e55c58f39432d0b6565f529

SHA256
9e188dde6da911392bddeee96240f642c40979a3cfd0b1b64490fe70f19deaa4

SHA512
b483729e5c636a7c456b7a52e74c91d955f5aa5e3c096e774345f53d048f06de6fd74169b18dce4bd804c514f82215bba93655fbb256ea40d420f2ab16572261

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
347805ed3dc29ea4101a197b2656c80e

SHA1
ea7ca364835558b942053968381baebf7ecf537c

SHA256
227c631798135edbb0e918216c4003f1c04c641a727aa621bf3c2d71e77e29aa

SHA512
a9e3358d7c3d0110e9b4b51e632f7da87a48872cfbd4436444a3730fdaee09ac0a61d3f72eff4a693733ce2968a600108dcb1dcfc92d1bada665621388f5feb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
e9917ccf909be8a931b69b6369fe3d06

SHA1
63c842a70e1ad66ce5fc1dd108cec4bcadfbbb97

SHA256
96cec0841515c054e62837ecd5e32ac5634e6d515a3652685952d59d3cb8846e

SHA512
1d60a1fddfa05f6ad40e2b3e22c503a211f0b9d7aa83b510ab188615c34287dac3d5a704b5ff512b61489319c0d9f2af487404c06f807d1a3d4090d4b2190d8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b7c1eb9ba3400778b3e7c36f18c9e606

SHA1
bcd8bb1ad55f81a4387d021af5dae1e90636d735

SHA256
f164a5444aaa10493f97aa7578bd709e92dbff82618e768db78c3b6863815a9a

SHA512
476e11982e8cdb2169ef998787ef0bd4a62c3b4beec7a41649f6b1535ad4488d59df51d6d1b243bc4043e525baa056044f766e6e91b1c37b1ca3535b85df1056

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
1a4f5dcdd828c44920234ae66e31e9b3

SHA1
0cdd0f4869b356b0c46b24c495bbf3f0b63e0636

SHA256
d1c540a1be3a3136b6323a51b4341cdec2c8e4c59f0f95e4ebcebfea9d925ae4

SHA512
7703357e8a5458839fa91f76b7f557d39dc32a208d313df08c9c35082de24905623551847bb3fca2d204fc09be947ac9903ca47583ad24494fd79096929d11fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
73cbc0468ee138a72b324832cfe8f0ac

SHA1
67359bf3a36a7c05c5cbcf0ff72c60cc7ed68f54

SHA256
8c53fa94147f9d7321dfced2b47db8a598814a65ed8bc88ca1d463b3c338b7cb

SHA512
fca1602bf6a923ddad07eeee6a4005a42cb050af06dc8d16d7aeb181be099119011fbf982d74d7aee79bb3428a05e163b805c951fb3e73be26bfd053f7e1284c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
42ec5dfaf5a784c78fe0a150e9b010d5

SHA1
b1ad6006951901059c0a43669f0238e7bb91790a

SHA256
c473f3c768f1dabf4e3b97abc5951d073a1619f2fcbcbe9a2998dc906ae70ae9

SHA512
8f9060164c24970cd3782f7844dca02cf65f401719fea0e66c04e1a6f576932d44f8f047bff79d4a95ca8079e4d9ff40a56979a328470a153de4bb2fb6ce91a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
e9dd364c713bd056a5c0de24a2663a64

SHA1
a111f09ca76e8c22fb3a7833d2a21b2d2b35bf66

SHA256
f27eeaec8c1a1a97df7771f7e69205dbcd2a876debef8a4e96c6e9e063c91b3f

SHA512
275e4f6de3d7fb31666c1040621c9fc99e8e2b72a3e4b25c4dfe416fa23745348e713487fa7ca39205b4fcb30cf495cf785ce17e3abfe0eae107b915b7a88553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3c9cf66ed64daf1bf8407cb6f3dd7e49

SHA1
85a0de940cf548ec9a45455806a9eca484cad6ce

SHA256
02a9fcaebe839b8554f9f01988c03aa77a45b255286b22b31d7563b4d137618a

SHA512
03684c5004a111d3549b272f67dc84b7b2ab9ea7a9392e2fbd1eeca31d71fe1a837a9b3147ca004a7a714820ff3b350c55e4b195c67150440f5a9b28277b8953

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4bd972aeb263f0cf9221b5d82164d982

SHA1
67454e9b05ad4678b5e6e7319f15d9d03718a558

SHA256
672c61aa64ea1ee348542cd0458b93db7e63a02a8cf93efeb858e3229f99c3da

SHA512
049dbdfba093a625823a32d4088937d0bd01567a0cb29e36e974227c78536f2055bf40aff97a9374e2e2a3555511130a8268c41dd7270e490b12c36f61a42d45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c6363cd8f2f5f7bb0977c0820357e0e9

SHA1
b6bd4cc54e301574821893732ef2124fa07b15da

SHA256
545d6f341ea270680ee2006bd7580b544da4dc04f985e591d67635567497f189

SHA512
71d030343b59f63a9fd8dc0e8646fa1106468fadfa28f119e2e8091b16e445ff66760ccdeeeb97f1190715bebf653842b8e0342fcb3af4f65c5fbf9e2450a576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
b1a70d395a91ca224e17824087c77eec

SHA1
4ac43b10dfee60e3c848601edb22bb19f4f2e3e8

SHA256
725b58ad6b0d9afcfc29f10e1105eef51bbc279d47bb92fe398e622ea2d1162f

SHA512
cb261219b113ad4e842798f1a8e33fe3c850e3039785411330e1e6ec3db5b9044e04dfaa3da627a7c2771e11b1acf0365e7baa6acaed427a44a9d1b795e6a2cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e81085e9c8144d8b4af9730b72899164

SHA1
24a2e1316630bd5b04240353124367a87546be6c

SHA256
c0ee21d55e8108c366b13a79c8e60b12cc721aff3ea995f94a7c17a2fd35dbc7

SHA512
49792a1e471797fb733d3a4803126e81e85ac08454465e52ccbcdd99b800d936f836c8d6bcdd1c294abf3922ce4ccfb8087b54e24bb9f11cccbf4b5bdf7bc425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
92b1a90d189a687b2ad4863df5220310

SHA1
8563bec62226dda5633d490e3fa60c17463c7593

SHA256
c4ac4d9bc37e5cbde3b130d90b1a747d3961306634266bf733da0e08a39706a8

SHA512
3d7adeef93f39b8ea42587373c7652919815fbf52161081b529c3b24b357397f811cd5cbf144fd80b9b8d2663d73b3f6ece99eec36e79b6c509dd0650549fe33

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1508712afd20ba718971c907ad632bc8

SHA1
96b78a7afddab2dfa0a26aa11429b3271dff6283

SHA256
c1d2b99f8cd92234b94cbf7a31fd96350b7a644e513be37b53608de53bea681a

SHA512
02cbb262c7b162be6c89b07694eaa0688c0c92807481ca9abe6d1f25c799672a9ea0c18de2feb77e2bea910d24683c5c4dce91bde060a153c1b25e3fee4fe592

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
db984c2f51f9e048f2e1c66a96e22c69

SHA1
002ed81f37f495019b274190002f152b0d079db3

SHA256
5232cc055eec34d8568e0b311cad1348a058910b3008fd63c589b2d16e182fdf

SHA512
388bdbacba495e6facec5c3f80441449eb8b95276e25fbbf88e155a36e35587257f09039b1b60bda99070c4c4981ac69bcfe5918f5afe4b4e791bf90abbed555

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
01b7e88a5a3850973969137a0ae323f8

SHA1
f647632d48e1352fc5d08309b63cdb295a4fa9a1

SHA256
56dd2fc75db0bc0f59766b65b489258db7156dc21cea64d7bac691af9f60ce23

SHA512
99dea2ad2539851765b3530e2d7251e4190e9b38839aaa9ad9a897ecd6d790425b1866a152638e74dc5ab4bc7896d6e24049549e6948c7593c91c9ea25672a1d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a948a5fe5495250516bb3ddea2cfa067

SHA1
fa73e09cda29e26d1f51a479bd3b66299a48cbdf

SHA256
31f01c6af345d83eb7e68b2cfdd82e93a57665315e86e5bddbefd1fbe8ade6e2

SHA512
d1d6263fd672833ed7950122852e7ec707efba34ae35974d141d30e270b0bf432bd2b93c817961802c238db55c27ac6a78d41b375fd4ce1d109066220eb308e1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a7ff90d901865711b5975c54b3e77868

SHA1
f152aed3cf4c485e05ca6f6be47f6d91ddde51ba

SHA256
ca01aaa8c819a0a214a56e3dc4e897778b8dab1dab6f2759a2f7b80f9b9b4edc

SHA512
dff34d7551bca92d49fdf28385ad2809a5328964c74fc85c4e09026df81bef81b52e2f0da561e8da70b598454e4671838eab376ddda29e77cff8c857fc404531

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
201b626d3788331e1590c00300ed8000

SHA1
5e208cadbdbf5310c899426753a3399d51e5d805

SHA256
68a496fcacba1ef7907051358b428fa4e9dd6cf9800e296d3388457e5968ccb4

SHA512
778d64deaeee6dfc3c354dc84e3381af601ee91b4714a29a0501799aa6d4c3ef25fc6f2f4876a00fc3e06e094fa20a4e23919b5db67eab033de2dd423b1b3b02

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
6365f7844e265edc3e63b5fbaa2d973e

SHA1
d650404d8c9f1e02c8d9ae677ac59784775d11a8

SHA256
5e505976da5a5f179dcd9d1c940cb64200253526ea94167d674a9e2dcdf6f739

SHA512
72de0854d3cc76299e35786cf5d42adcca5dbad7f38e15cf54533e2f9ff61c7d48fa9bf7aca9f7883106778a4d36d64c9d3179432d08e3b533c832fdc5547efa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
dbfc9f21602fcd960569a0ac53dab895

SHA1
4267155fe15765f9fe0b41b46744bc1740ffedbd

SHA256
2131df3c82c26d0c1d87f9634762a8429facb282874b2d324db3f0839fa9f3f3

SHA512
37ae2cd63951639531b658e6bd42a01663830cebd43c47c935a5f423ef147df0ab93e8f44441d074f15ac936fd48d6bb4d2e57e558c32aae3a474f12d7d75571

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
2eaae7945eb702f90c095915b2c41d6b

SHA1
27203e80b45051f256150b2eab16f6b8e131791a

SHA256
af103f78280312c25850bc53af22a48e4a64e005443c468cef710c11f02c02a8

SHA512
d6de6972b249d1d886d9e37f3b29af0ffc9dc737c7920b39349cd7a96e3bf50c1ac8c9640f1f728f9fc2d006ea17bcb82293f9669b3d28535c559a37acd5904e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4571b3f56ecabeae2a13f68e6c1618ef

SHA1
c6b2362242cfb52d762c4d0577bf221e090772f0

SHA256
22d3b3427b1a103043c7e4c543137f8f00c758538ac5d7ce7a0c96f55e37e1cc

SHA512
8e59e6666cf5e876f7ef1f97c781d61bc191408b650b2d5deb00fad04c98f8294bff57f7131716edd7a688f0eb6db93e49618700e031dbcdb064e28c492d8dff

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a0d375b0d2e491053317741573644435

SHA1
732e6505408a7f62306c786a917296de6137466b

SHA256
c185eac84b3aeed78e812da4ce63d03461e1fbbfa0417084126c5dbea2dbb963

SHA512
355cafa38d22ac448c7cfe020055ac3cac986854a8f88044fe2edf5f5b761a3dfe7353f0b71469092b9e3533102aea6d1ed096a948981cda754e693b83925244

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0e2043bdac90d8d4517f72c2e834ef08

SHA1
14971b07957966271056128642a5734a4e7ae798

SHA256
6efb4ef80830bda7c93300b9edb767cf03171252102433a5c5bee5692880c453

SHA512
6b6bb2de5228cfa4036f378da5817979b206fb1edfaf7e7031773bd28a14b3b7692876076bee0d70a680fc91386aac750862971096b9c4268301fcc055de545f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d3c3a7e787d0486630e4d10118991344

SHA1
3a3729691ef30106ba3d28b309e980b8732daed5

SHA256
a4ca0636674eb3395bdf09ec9c68e97fbf41ca85823000e927ed42d6edec1393

SHA512
d411e7543c3e4a9c644b764ae23c58bf02b6cd09ce6e52c34ebf3eb2b793bb9e6ccd1cba7a6e593a1f0bdd16f46dec319e2b4853429d0fe737aeb0fcfa3fe17d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ad9db454a10ed5ca8a0fbff873c02006

SHA1
86320181fd34238b2582c374f8c8dc928e2ab4d9

SHA256
ec0a020c9accd34da2d77b0e12c0497561fb66cb1007071da0ca3ab1b953abad

SHA512
2e20b213fd97c941264116bfe061c189a025cb19745624c3adcc96d02401e3742c318f3b3d78d5f3076e15ccefe41a784f0882a29b6d885d484adf8e5684a2a9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
632fd5ce0d42b284486b9611029c1096

SHA1
634c1e6cef8355caf136628856256cafd1088ce0

SHA256
647564eefbc14f18e34f8bc9b458fb1e493ce252ff7d84c0b26df237fd22f407

SHA512
b880485e051bf6be0060f87bc446ed7e4c93079c21031f6e12ee024c4c604e0f8d9439a28ee5f235a9ecd770528019eb7bb5b865bd5144ce072f191664267fe8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4faf89515fda62f7e74096086385d49b

SHA1
11ad9e25796cddc3d5b6720e0b528528ebd91e9c

SHA256
898e06cebe795b3c8e81557c8f5b6a40b987d137b8c11d226cb73437fd0a2f8b

SHA512
f9b22bf97f4ac69293126b248a84e564ccae5403918144dec1e396b800b22a3aaa9a83bc1e491e103a2ffde7ed133bf4ee54890fb19933a6e4fb556e833e30b1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d623442e433db05c6265ab137db13b53

SHA1
01ab728270474cccf978d256d21709c74f829fb5

SHA256
59e868ce75ad5590f51d0c17ca0da5d1c57e3ddf3f729d496b9b27ba271b359e

SHA512
569681a810d00a15668c3cccaab4956cff4a58ce78ccb22506d4fc340512d0f7d53b63c4e821cf19ce0d802835d4f5d524cb36a537204d2cb4499d1baec67cdc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0f6db05d6dff6ce1d62705448f8f3133

SHA1
5f9736ed3a6ebad20afa16e72d4c95e9f5462d6c

SHA256
190bdc3a118411db5a770fa8b3cc4d36a2c314d7049f7ed75893d658fbc2b318

SHA512
e2b01865ff7841c6ea8bdf31db3c8be0b1a35ec5929f04ba0655a5188ab816f05003c7ffb0289cfcfff54295b89f4dbb55b9a08d05307eb61501157ffae4c40f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
929e471e29406126d42292a61fa211e9

SHA1
ea49ad1838e240780e89fdb06bab2225142d5a3b

SHA256
39b058e99b721d6c32f0af142e415f6231e1018c75c31dfd9a5e1e4d80726fb8

SHA512
2772604de1926525f2fba8d057b80a31f2aee2eecb2992b139bbffe55eecb8ae66ec1cb96f279f1f8e9bc311a1a8160913dcaa2022ab78d1998c438e25927d99

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
87242bc00faaa4f7f5045241697deb76

SHA1
9c339544fc1ae7ed554fd8ebb67c329d69ca21a1

SHA256
7e2fc511b7594c411bc1fc7a6618c5948b9469fdca6527b7fe67e7e69f51d4ce

SHA512
c82958963f7ef1f23f4c7758e191cc527d430e561256cae89730a1f711377e5faa7cc564c65f6c73922ec0faf2a0fc3400b5e71dda3a12aa462f5646bd34cd5b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8275148906f546c54399ee93749c470e

SHA1
bcc7b689b21a573cc353b396e409cab09ef34b8b

SHA256
0a359ca09f06a584ba639a16b4f4a8584ae49a46bdbc4ec67d33f15170863be8

SHA512
afa0999b1da0004eeea5619e9ac34192ee1b21bebeeb1332fd15c8fdcc5a3e3a7c086638d4cb46e9bf4a865585203f4571d2a76e910dfba11b5692d50defdf94

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
994845579ef8fbd8fe458968ad9021ca

SHA1
2f99ff73b6c5c7a553d46ccc81d992ce4f2f8543

SHA256
7ade1b4e39808c868c4bed3d5e6e037729def4ebc2ef0bf93da414bd604bfdc0

SHA512
48482a4396f8a908f3f506c796c3af3dfeda45b1a8ace4ea2fc3e545945c0cd5fe6875e1cfa710b6e298de3041fdb0042065a876f31cbd5e7aa869a871ffad80

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d387fe0478cce95aab311303c2140879

SHA1
2c82a274ecfc17b69164e266e855263cb2097aa3

SHA256
e159009d610ae656c76b850f46c009e993e5fd9b798eecd364107a96d4b7eded

SHA512
a8aeda5b4109ea7fe4f6567092cadf9ecc6f2bc8af5dd125c7d28289b6f721325f5ccf24146ab1f54fec46059860bda5b254e4abb744d0819f7e00cf4fab6da8

Download Submit
memory/316-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/316-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/316-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/316-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/832-6-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/832-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/832-1-0x00000000007E0000-0x0000000000847000-memory.dmp

Filesize
412KB

Download
memory/832-82-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/1040-532-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1040-252-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1072-530-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1072-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1136-527-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1136-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1416-118-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1416-236-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1680-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1680-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1720-155-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1720-411-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1860-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2136-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2136-110-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2136-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2136-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2140-524-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2140-199-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2216-526-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2216-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2436-533-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2436-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2868-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2868-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2868-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2868-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2868-60-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2896-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2896-520-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3076-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3076-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3076-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3184-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3184-97-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3184-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3184-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3316-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3316-117-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3316-31-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3316-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3624-48-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3624-54-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3624-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3624-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3716-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3796-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3796-216-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4580-513-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5080-140-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5080-251-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download