69436b42efcb903d7959462ff61886cba95b8bdda637932d17f12b31c846b6ef

Analysis

max time kernel
136s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Size

1.8MB
MD5

df89028ba17d4e324f5bd3b15f17c909
SHA1

cb0ef5158509ea1e167658016a5a66a107eb42fc
SHA256

69436b42efcb903d7959462ff61886cba95b8bdda637932d17f12b31c846b6ef
SHA512

85bbe5a033d7b7cc0ec904082b3d161b1146e37a4091abc7d9cece310d108af2daf70b500dd0a52448add5dd4d124ac76950f34ab206c11fc483a4631f1a44cd
SSDEEP

49152:7E19+ApwXk1QE1RzsEQPaxHNh5UbU62FAQ228QKl:893wXmoKDqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3728	alg.exe
3344	DiagnosticsHub.StandardCollector.Service.exe
812	fxssvc.exe
4936	elevation_service.exe
2520	elevation_service.exe
4912	maintenanceservice.exe
1812	msdtc.exe
3332	OSE.EXE
4288	PerceptionSimulationService.exe
3944	perfhost.exe
4852	locator.exe
2764	SensorDataService.exe
1580	snmptrap.exe
2424	spectrum.exe
2200	ssh-agent.exe
3824	TieringEngineService.exe
740	AgentService.exe
812	vds.exe
3056	vssvc.exe
3956	wbengine.exe
3052	WmiApSrv.exe
4920	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3917c75792be0f3e.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cbfe8ef38b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036d1c0f138b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084a9d8f138b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee4430f038b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f84979f138b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9e695f138b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d946b7f138b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Token: SeAuditPrivilege	812	fxssvc.exe
Token: SeRestorePrivilege	3824	TieringEngineService.exe
Token: SeManageVolumePrivilege	3824	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	740	AgentService.exe
Token: SeBackupPrivilege	3056	vssvc.exe
Token: SeRestorePrivilege	3056	vssvc.exe
Token: SeAuditPrivilege	3056	vssvc.exe
Token: SeBackupPrivilege	3956	wbengine.exe
Token: SeRestorePrivilege	3956	wbengine.exe
Token: SeSecurityPrivilege	3956	wbengine.exe
Token: 33	4920	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4920	SearchIndexer.exe
Token: SeDebugPrivilege	1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Token: SeDebugPrivilege	1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Token: SeDebugPrivilege	1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Token: SeDebugPrivilege	1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Token: SeDebugPrivilege	1896	2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
Token: SeDebugPrivilege	3728	alg.exe
Token: SeDebugPrivilege	3728	alg.exe
Token: SeDebugPrivilege	3728	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1016	4920	SearchIndexer.exe	110
PID 4920 wrote to memory of 1016	4920	SearchIndexer.exe	110
PID 4920 wrote to memory of 4372	4920	SearchIndexer.exe	111
PID 4920 wrote to memory of 4372	4920	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_df89028ba17d4e324f5bd3b15f17c909_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2764

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:388

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1016
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
19462ef604e6d69b43eb0aab0f3ff9cc

SHA1
8c5ad4efac98081523cb767238dd088217367d0c

SHA256
48a076afb6c78ee01afd4f5d15c0701a0c25c65f49c99fb77041cce01dda5690

SHA512
53df5bc630124b891935c039fded6f786044919e31b5313ef5e7968d30baa51ffb9e202b0b0b4b78cd785d89365aefcf6daca20790ac027e54962d9dc4886466

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4cebf245aed37f7c07edb3e8f9021e7f

SHA1
cd1c1e869c5b256ba2492d5c1e7ec5652fa1e438

SHA256
add9eb80e82b62b9387e337062c034c52d5d0cd82c69fd663c1deb3a60a11764

SHA512
c2483e4288310e4510b6ee87c8ae4cd1377adf5b77fa94c7079880c8bb60cb444155d65e78d381619209d406961015a0a76526b57ae9a9e5b87cf937942db95e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
418b810f2a78bc4ed983f87c1418baee

SHA1
86e31576c60c676821c86ed4b60f136d9eb83720

SHA256
cf4408692757a6120bb03ba18a6b1a9cb39d8eb781c6f116b61b91009799bc27

SHA512
c6848c62f9a78c93ecf85e71583663550041709c1815d0cf8afe51a66c93ee99dfaec2f38fd8d2af647e3c2cccc4bf82356967c7402272ef3f5afc5243a28fd0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
12f4d5f90992c42ae7e1af90ec21e9b5

SHA1
a05b748fb8e355edb4f9677831bf4de69414a1f6

SHA256
53d95cff63bb3d1b8c32cc063d9f7cee067afa3f4ab73747b642549c267b67cc

SHA512
98aa043172bd34ccabb5b1c7fa774024d41cfd57cb5fb548c3d46a9ef5f7644b80ce1b7e2a4f52ba8c37cd824121e10400561be8d8890b14a88da1bcf647c34e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d43a1bfc7488457b743e9c88839e52a7

SHA1
cdb382ea90700e70b56dda6ce098c00e0065cbf6

SHA256
8c75bd7f39df41a45222a033cb7f4872dc0a0c71df3dd251015cd01585312a02

SHA512
d7b16fb6344c7af640ef62d01dd9d81080ea39ad403c611224d0ceec36ce27f7130889ae92f93e3f1a1978545dfafbccc4690d810a5c8e2ca00cc26ce3ee6bec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4246b1cd878860b8a08abd19fc8c46c3

SHA1
bb8fc494debb28bf0df6d98871eeeadfb9537351

SHA256
2e27e8522c247418b9e1f89bf9e402e72175c1e09485c301cec7564074d7a15c

SHA512
418bdfbc4e726ef02a1af663673f638a875e850cb97bef46556dda9e61e7abd9e008030f6bf29126ac776a8b6ad05332b97904362c97f34e9d31c12604b9831a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7be2a07ab967610ca7616cbb50129211

SHA1
e567e0bff1506d2d9b96570f99d365f50d7dac5f

SHA256
25e2ad82fce975b3a5d3173c134a3df38d3bd1921f725c7e6b4af8c67441c2b0

SHA512
bd984b7a7344558dc02eaa287e72813d0892cc2b310eef70a432b4a6fee782258450975d0a3eebb1496f0d112b17c9171e8155f447499a9a8a1c94a92082da3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d6f1007054147b2036601d4ba093c0a5

SHA1
f09e2505ecd540c8881761bb6d09e9f83e956295

SHA256
61f9054920ff03d97aaf91b82d15486294e98d1281e12be8fb90ad69a66c4342

SHA512
81560fa4177544590178393544e90a873d9f427a29b7e11f3a025ff47b9745048888cdc9de077ba7f0d4944d7e560cce803175186f28cf99dd9fe42d69e8d3e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
99f4cb932166b9ff19a9b893a07ca2aa

SHA1
68a910b14fae8a2eb64fc937be3f226c5aa0b971

SHA256
7b5fdb53596a1d27ff2ee3ba3dcbfcdd97cd45d218411059ee943ec663a22112

SHA512
6fb90604be8518370fef8b4373de47a0b0ed8e4cd633f051b50c6c3f0b51d79b57818ef7c04249a5f01df1462ab73ae6b1472c0fe6bbb223f0861cbbc968a420

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2fa17a27d2707d2ce9b28c420d6aab03

SHA1
9f12f45eab5b10587a90fa5b80fcd5435ef368df

SHA256
f9cadee71d7bc3789922cf8f0efa13cad9cfd16e16afe24260ae3fc85356866c

SHA512
9ea2b52f2cd0eb43c3dec8a3e5813f2491e3315fdd73d8112987c40f6f417ee0e39cba7a543b9d96a80cbbc91437b87f58757eea94dd6eee3228254f8877ee79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
01bf699079457b3e1030f81444aa57e9

SHA1
c48a637cd02984af21d073d47cf737eede8df483

SHA256
10541f150c435b697580d4a243be4bd54868f4c763acd44daf5d297bfb2ceae1

SHA512
f0389be24ba2d09c963de85da4cebdc7032dd3ca8f8c45c302a12dba78fdf20ebcf85084156146c3adcfc14683f16a296727384b0beabcb5df029562ca72ea00

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3cad3ceddc9f4763c1583176963684f6

SHA1
8e582d546f5dfd057e390e3188977c1945b57661

SHA256
5066a7080ad8790c9363eaaaa6dafc4dd9a3304b815bce10274db8aa7061d9d7

SHA512
8d82183d1510ac216da4ae43f04ff57737f0721f57c031d77c5e5e7907fb1082b8271e45f8b0716789931c0d66bba5b0917ab8dd25bd67c246fd703ea5f7d623

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
86000cd078117910bbbc3fc87b957f03

SHA1
340e4ca648cefe2285cb564bb32989dc76d7c115

SHA256
6371ce6145d0740d1c57e77f10b1123dee5579af2099c8f757694348a6db6013

SHA512
c692979852437c792f7d3cc7f26156b99f1aaa9374cb4fafb21b82618a380db0ed23ffb8e22324241b788463444ba02576a1ea760f764219cf48a4ea7542ee46

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
007a9039a51daa0e9f0863b02957c50a

SHA1
eae5221e091336fa575128b9bb98d7ef7e8f8ddf

SHA256
7502f08addce24cb04e4fa87a108224ee6a44bbc5c7caaa6a82305e66186f785

SHA512
a83822b49367b9ab3cbec0c940305e13ee776d97e159f5e76e92b9e885723bc6c3542381cefa18d587c95f654800bc3db6d2bcb27567264b3f1629656d3b413b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3e1cd43f851639efd3476cc6845597fa

SHA1
1b5b09a17141cd1afb4e44310c1be410f21ae17c

SHA256
947ceb7b469feffee42797b8cceffa4ca90e2b2b458feaee982e89650b643501

SHA512
8093c0d489602ab20b38e324cba0db02ba33cd4154df3aacd39515fb495c83cf2c72b40c812f30e958a24f9398dbbcfe6b35b41c62e97880b26cc0bed5bfe07b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ac3d3e462b53ddb6889fb18275acce38

SHA1
c7b19a01cdca0676ac549fbb648d5ff5d7cdf1f4

SHA256
97bbd9bd7694555b868852ba9ad3a8d3f01209da5953cb18ae213366e9a377c6

SHA512
0c2294eb5293aed925c94b74226c4ac3268e9808d0f737dda5fab0fe3e91ae3fb08970f96b38585d71836832cfbc24ab5251a4481b8e28f1bb9cd88d882ade4c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8da31e03434a2b9d0977b29c56ea7952

SHA1
a0f4df04c44653aa6359cc8cab62828fc62c3a32

SHA256
4b433e929ed5b4f7307e1ed9fec7a8a038dea33a4effa30d9f5c0cf1a8901a68

SHA512
cf3ea8665226bdc0d28932dfab115604329955d264cd4e5ed78357a958a9c81f8a34769287a53a232da90fbec987a53bb19b5b57f740370f5d94eab80b2f264f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
54a4154f5914651841e18645399aa3a0

SHA1
60b65c169ce60922646f1139dc54b00e21819adb

SHA256
65df5409eb40ff56519ee403de54b13e3d10635e09d1033242576557b0ce4e31

SHA512
b631679da9c5080be47134e1c44ca86b93f1e4835bd6b9078827e7028fa30f0b0099daef1df39c9c43d6d8a76421e5cc945e89e6f97c431567c88b7fff53f7eb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
29c31bbd565481cf41091b3e07609450

SHA1
009dee109cccf11e793687683629be8b48fe9791

SHA256
ad7251483bcb352b88f45b5615602b2891777fafd46a470fe040c7bf83630ca9

SHA512
93b8fba37f9f023d03f1d73d2ad356881aaa324dbfe41773a128db3c4971f8427f326ac7ee2dc6ba68af1cb1d1fec0af9376b4e214a3c1ae4772ef907302173e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4d9b1f3fe6cb2fa0b2c0d7ca4e4d0fa5

SHA1
26503d0c5a17de8890a86cf293da30103440c209

SHA256
29e2d70c1c46d2145ccd54a43398c45a4d7f54eec6a939f40cf42e30d2d69f40

SHA512
3f590c4d3710b3436f51129f4392adf2144eb8c99cd93c6e9db67bcfde132073e5cfdae08e6783b355b4f69f0115f6f8da5f4cd0a7e83c52a991fad50dc17d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
366615af0bb7a0520c4cbd5d3a1f29fd

SHA1
92712948def887ba378f072095cf41bcbe88ebee

SHA256
09bd55439c1823fb8464e6c6c4d3b7faee056d6dd485396e996f5eaaee3497ae

SHA512
589a06220dc9f3226487ef783d74bdcb47dae614bfbf30b6d9db4572f3e15b1ac1699d6fe690bf70c6f4ce5cfe76c3442c36e491ed5b9b2cd92124ce081bde2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6a65e97e8316c5916c667fc7e2c55813

SHA1
5493f267271e59ebe2a1485d5e29d15e8d2ba33e

SHA256
482c24f3df847ce1d365e467ccc6f4a72af484dabbd06dd9b3fc29b0d14f9bef

SHA512
bcf3409d53735aa42cfb3021e3eedd7d51b7e977c5c5024b9a9d166e0e67e3a7cc5f9233ced0a4f057cba36d642e5bd99f7b1e969627c8fbca78c70de5e8437b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cb414df9e74b5f9cb49ef0c8b311c631

SHA1
6f746e799e9a3486928c01aedee3ecda2dbfcae7

SHA256
afd6adc6ddd467bbcc7af680ece9fff4c74108938dab762d8154b0aff9e707a1

SHA512
96b0f1315462d0d88c58398950da2f5c9890902c39097938be533caa7e7fbef64fa5ca3e36349818b20b9b0656974ad845e5323dbdc4d88b2d39657bc7732fa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9cfb7638d76b7afc29bc1de9e83fa638

SHA1
9b75d3c2c07b787d7860b8681bb93e285a5d5511

SHA256
d3078dd5fb34f941d7d0a89d02884ba72545ba07411f2b2a305a4defa20a8e86

SHA512
8a34f231739caa556191759bf9f153701b07b37a421f52bf27e5135ee01f0811569e2e3085ed3c86eed5d1a0ad357a23a65241cb91251345ab8a0e9b9e9e0653

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9502a5b3c205c372c29d84ff469de624

SHA1
60f9cc50e07e155721a99dbf1065c265a12075b0

SHA256
4efaae2698307bd9d045a3a920913f5a39684ef5007d59e943d3883efb4141e3

SHA512
0dadaad54bdaa6a5eec4f1314c9beba3edaf554265320141fe2ae0baf56016bf9854a65bf74d938df74485e160bd6d9ef960f45b559f0370c8219f4fd262657c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e4fa87856f1ae58d8718a1d513ea9502

SHA1
5df4bd8daeeaecea6e7b2c3027ad3632a8f131d4

SHA256
9bfdb27e49bfe91a32c0820dfac60c6f04edec0dea2ba54771ad8021a81ac84d

SHA512
c68f53e7a6e94991973245e3b591d775eb161460697a493cd083c9ad8cef1503abdf6c0ffc6039410a1566e366187d19a842351b8fb48d7af3e50d0cda26ea03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cf2b6c6d01157d89dfcb7fba969f9613

SHA1
7af77e742badb245db231cad8e53b80bec46b940

SHA256
79b63306b2abcc7c7912f1a447ec08b289513147b90c96a7d26342676026a492

SHA512
fd7cd72da3b5ea7aa83de5df6479169643391494c11c4f6bb9eeea08fc47bf63a657d97622522651aeb83f279dce7fb52aa73155e3055a50c5dae1fc12ed9172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0b69708609a57a34365eff39ca1e83c2

SHA1
210c2e741849699a1323d3530af8b24198159d82

SHA256
c731777998fa81fdbcb854c1a3813c49fa219ce701c0fd93514096734d35461a

SHA512
9b52b9ba29bc6bb663e116d4b6f77ee94e6d146da7a3df8cac84c470771c3c43ff263312d1556ca7df21f41a2235e71d7ac9fb1d57c693b5f2916b55b9609cc7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
658996eb5c63a1e4de993004cd109792

SHA1
39d8f2a1185d57571a2efc5714dd72c1f44a880a

SHA256
f25148597b4059d8d2cc7919cbf42d9d7b27a4a1c4871c3e167100bc9389ab45

SHA512
c3f56727b99a728a96fe5a2a3b5c30c398a04ba8c915dc4c7a0c8abc70e563e9e4263ae943b696dc08ea84a58b3b379a84f7acebc0d2e5bee8db09323e701aa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a514360527e42996bed0b6d0bb0202ae

SHA1
dc4cc7a0e7ce890896ec846629d16ee8be236446

SHA256
3b496c9a09dddcc19befbeed8d37f4d5079a3c0bad7e22af430733352416515b

SHA512
fd6338610d87f831b022884c42f2bb5e93ea66470fc8e69c0dcfd92e48ff4d5c137495865a4e2f0b9300d48b95cf6d9d2cc9ab3a753b6361ef0b3c5d0ec47a33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c1315b4730c9f8a9c185dcf776005963

SHA1
59dee53881915eac5940efc4aefeba1764f9b8c8

SHA256
932729e2ecb4cd78a0f1e0d2035d20c76ae2efe3b044f3a0454b3476a0669f69

SHA512
4bdfb4a1d793e7ab831ea134f19f60856862711da280b71e99854850e654ca7b7ecc4b346a2ce3ffab98d5cf0c59939b65dd17e188c31e2b8d821f7950ea4dcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
84e7928d2d2ddee26aa0813d0f618676

SHA1
d0de04ef30ec27460bae1b366e5dfcda8953a116

SHA256
3c394f7ea2c5c89210c83a82a4eeef9debe56ad6ac15f15ce5a76052f893198c

SHA512
b944706e9c3e495c5727b0f7ba72c8b3cc7ffd7e3213f9e3f9c02deba7cb307a7f33b48a2d8fc0eac326a3a02d38ec7e63f07be558dba57b9b1ba8cafa473d1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
39bd971f3597db99ef91677374508305

SHA1
1897454a5bc662551595ab4331bf65022ca7cc9e

SHA256
183f9b181caeeb4d152af9b9948674e1dda45cdf1db1864e170abdb945c7b03d

SHA512
9007e54a201798a4cc43128b46e68d66166bfbdfe8a168cf84e7670d3aec2e44ba12a7e2ee53b705c0f4bd97bf638ed3758090a756a375cb40924189bf5a9fec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
eb04807524df707ada4bdca9750843ae

SHA1
4cec4a3db0796a114a70cd0fa4a7c5f1559ea4da

SHA256
a2334df376b73d6c4fb6b9add82cf229668468ec9246ab54d54ffce74ea4164d

SHA512
04757ab31189a4f07d6c8158d31c0cdcfa8856744e5ec01492c9dae3fd9a5cdc361d4d5a2a95a1dc514cb5408fcf1c2f9ee78dcddf7a96483967e4ca3446bdf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a584f48e3b45f68f53a9c488eb3b7014

SHA1
5244728d55fd60655760858ff07e545568cf1365

SHA256
b659734140905deab83ecddb64df567d5693233d12c0e545ebdb7427b078e96f

SHA512
8f9c16bc99b1c81d693929bfefb3faf3557641c467120506878170a810ca87c19519f9ff94c943dbcd9bf850abaf9b7e2cdd41aea9bcfdbe720048f90f5c9311

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
29a6a4fbdf97cbf7b9b12b27c5cf6324

SHA1
45183653b51726e387663b05c2d26ddf6976ae1f

SHA256
e9c2108e02a79613eedc09f597f135cf6d6df6591ae8eca3b949982b4411d43c

SHA512
a0c1cbd47db7dc6d1da2d31176590e84d857d6d2cdaf34c20dcf8e4d41bba8e2e26aa8038dfafd150285d398698dd9eca6c54abf42340a2340e2aa255c21fb73

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
01b8e4adeaabffa672a91be203ac4d4a

SHA1
fefebab1594e523d81d1ece6a352518282080e11

SHA256
cfb2b21ad459d53bb71cc2e12a8981b1e3780049ed7c326940d4c659e91c4534

SHA512
79ca894b37508eb6fd090b5b59e855df4321dfb4b3bbf6da1c626378cb2dfd01d035d5e226cc923fe18a1b58d182cc57eb9cce215c9a5b3c77772351091952d5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7ff1947c57c36d75d866b505894f4ab5

SHA1
1c9c08c4e1f784b8b43f60e98e7e0617796795a6

SHA256
19154a6c377aef5c9cda7f9b95689f9f8770890a00946fe0ce04f0c65d8162c9

SHA512
5c44661dc6aae55a3626e37fc2e4ff0f4ac761573d1c24126e154a51f1e5b1fa0d66becb08aa3738abe7cf91c6ef031fea6389329b674dcdd3472b8eb78ace7f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
15be9a0c8a46a5a7b3f9ccb8f69cbd9c

SHA1
e742f8e33fbca9df1d7796278866f6a00e983e10

SHA256
b1df3e855a4ed17c48d42c20d9bb389d5bf4281adf1692bc7523620f3a2019e1

SHA512
c2d1f40974fc531cc095f8a016d36ab5ab6c1fab9c040e6acf9e73b037583a34a11d57ee47ca029f064c83d8de35dc33209afaa3f63ca73d3bf4e83219a5c5a8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0a73a87ef6e341f94a01bb031a55460a

SHA1
3ff77a51d4ec7000329f56998b9c67da4621e31f

SHA256
08857ace4bc951a3c72f4352c41b298718546f3be5827706822590b494084de2

SHA512
3e3806027da4d992fe69efcaf6546eff3247dbb917117980e630787fe1a88351ee804e1ebd8bba375ebb0f2dca0ebf79fe00206d641ebe15da57e60cc15e1552

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
422ce02068fe0575284e14d79709035c

SHA1
756a046e61542c2c9a3de82defc4093a493b2368

SHA256
61e73fcfd9430f02f2d5774d146c8427b2cf7ab655cb254829b61b4759ac5569

SHA512
1299e2acbfb012ddf7d8d40e124802655f2e2096340319790f6e5b8c4699a1123b1b774c3d339a2847b2b1f2266c274d6fbc0b65b21b51d7a0b90437d67bcc60

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0d3450476392c4efcc575b8c70c88d32

SHA1
564f03c44b9ddc5f969deccb8fc202b70aa30df1

SHA256
03571664b0c5055e6c2cdedd4b5ff0a5dff883fe313d0bb9ba04daf5fbf9da93

SHA512
25fa32f078947442cd74127247a5c36a20887406822116a2804f059c8f6f4ab70b1e24c2b3042f5e44fb2663a6e9ce27a28506ef608ce73e914be593b4cdc072

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
236dc3b9acb6a7dda8c94f59b5758deb

SHA1
0a54654093196736f69d257c062d3aee0d2aa020

SHA256
3effe0874a6b5576430a994846bef135333f0d43a7491644f18157c4892f0584

SHA512
12cce7910b5b2b3f535305177062b49d8242f1a3c03f0070649d6dff80aa44139cd1990846181c8bfd60416bad2c8349a76403f66a7a7d5320b1d41b177aa5b0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d2dd3da71fe1ae41be2005611a92a502

SHA1
dd828b0d7eaa11350986a7060599de55acad89e8

SHA256
c48b2018929f198d6e9ff8e6212815075750028c161cb52830c76ed0dbfb6f48

SHA512
22f6663d9964c7ed6318310620951e8882ab7b3125edd1532d8deb9c26f98b7618668e26c11d4989ade919c3b1cb6b8922f25ce9e48be35ab214f4f4a508a340

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e8bb3bba4482193a35a0d3a277f38c27

SHA1
5a48fd152b2f6bd21ff2d584bc9e6187b1fb9d4d

SHA256
6e3b11ba5aaf947708ebd58e8f96973460e46d48feafdf54107efc5665b71ab9

SHA512
2cec0e1c2a859ebe5c5fa1d6027be65e81c995a32ee443ca954e535661a3b10ab61cfc166a486a5457c6b58c1cef19a80a462af9cf1401014f0d15080f7faf06

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4f6702bffd3852f03c90b9b578cf30b9

SHA1
1cb42521ba5cddab88158ad27566fa524dc76d0c

SHA256
9146f8aee6f550918eec56c3769ca02eaf689c14ffd55d3ff2499b51657de9a5

SHA512
4c2ea373948a2ed133fffb5aee62d59460be4f03ae55af3223a66d50f97a173d27a17acce0b46b3a5fe30556be5880f7940528e6e0a968df358c0b59029afa80

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b8a266cb0302ba8e6fab84177023e748

SHA1
e44c201079918d0c1169a76a93293dee83eaf64f

SHA256
2f97db6b0ffc9ea890dbc734fb84c23326752fb501c0f648025d051f38074831

SHA512
b1b19210cad3b52dfe18ea2dc80f75ac529595db1cd481c5495a2a2255850bddb1417e2828790dc27f44ab7d0eb0e1cb341495a5f4d43d3912162a24f4c43c7a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
78614c8b7b76c8b2b4b9c32d9be2f2ef

SHA1
b9be6a570431cb42f6fd95bcc1f0e583c5f5a9cf

SHA256
9b68c5182df1c9e0b0ef3686d93b76362a52d2f22c19b2ab939570d3af231fd2

SHA512
9de5dcf983cd83cb7ac26a410eda630e4c1f306b764e601b636e07e5144e6cf6c805a97afed8dd033e099a686b695d4fb85b45c52fcc4cbec4b0dfb50ee31960

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3a8ecc0922c051bc60fe68f909ef17d6

SHA1
b1439dbe33006d88dfa661e46db20eabc933cbd4

SHA256
54aab6a49586c99dcc06fc39eb6dc6f9d4f40e35b342a9421ceb41451527d095

SHA512
f9c1d6014d8453735ea708553b93aee31d9123d44ae6722dffb5f2a12aba6ba02f04312f156aebe1fbdc6b692083b65e7b4276058aa91d8323757678f9d9e676

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
088ccc025e131a4165d2a9a499063952

SHA1
a2c997319dc530a79e70a908ba616db7b7ec7998

SHA256
53d5ab73a04476c75851be26b71b60cdb0869bc528bcafe28a64bb1aacaf770c

SHA512
28ec24f2e0d412c1d6752e0eb0b087020d4a2cd0413c0c2acd59812bdb80886b123b01f5c8e977e6c6b444efc3a38b2aceb0bd697ce6b19764328f09b8d53f50

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
daa7f7934bad7edccae3a245cefe0d9e

SHA1
36dddc2941b75ebc76850a3b88f5c91529488b58

SHA256
308a5c992efe7528437100d4ca3b5577bce7b82054762ecfcb56b4a8411fdf84

SHA512
5bc0e528091129a1ada67b60edba319bd61ac27ac031547f6234c6666eabdad767c3b8be79b6d9e3644295d5f58689e7ddf74666b3eb7fa0f566185fc341c731

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0d9aee9331c8e4fa9a9011b3a1f070e6

SHA1
af21e4db9f9a2f8dee5b49f6abbba75128f23830

SHA256
17c5ee960878fb130a9ba02377cb646c2bc19d0b753c9d141a1afaab90777473

SHA512
2a6365653cea6b58bd9b759cd116f9adc3441857262b7d426b599808c5ffae9d07acefce2c5f6f3e3826e00da684705ba29e7c6bd20cc33d0a14ac2c17a45d74

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4d3e55cddceb414cb40b1a82ce14afbf

SHA1
ec6774af50c2a84d95f8de90d9c13b80e5c04c38

SHA256
d4ddf8deea03a31099b8c5e22f4cac4ea25c19b9a29b7df786f2355c1d3cd18f

SHA512
7aac7a2ebb10922ca662e96c9747e0a451f66f3d5a989d099fe4d77f56c191e1cb327af12a56a2566696020b837d17580c03462e116913064488ed63d7e03228

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bf18023b5d80f1393a0ad02c7342c5cc

SHA1
8dbb7c666b066b739db23e9b0acc891b2f34457a

SHA256
5b7f40c8118521a55e38d9c9ce7b17e5265e93fc6229bf3bab815d0b597d7873

SHA512
2c3650f12c17a85e566d0b4218c72ab574afb8a4007bcdc303c434d5be5c4c8983de7f2c6c5ccadc3d909b693e79594af0dd4d8d57c0f3fa89e6a21e4534525d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7cec4277b422289369ebfcce6c7d99a1

SHA1
48ae967208bf558f0e41b89ec54e26d1e7df679e

SHA256
ceca380f5e4d30761902f9d7dadb8089a89d3bcd73b7e0fcc85abff2405952bd

SHA512
f324e5cd7e2d21472324d69c2da0fc70151010e06c8a749b73027db8dff38cae086705249d945dac0ab67edd687481764f8a345c699071119f67abe85523171a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
faded4fe4f3e2ceecf8cf410a05ffb2a

SHA1
1ef4b2ccaaa5dbff58a792909c6777c484c8d9c3

SHA256
c4804ce148c995a0991239fa878bda8b4e860fb47d75e0599dbdf018fd2e572c

SHA512
b4cbbd74cef154ecb654c8e4db8ddc1f2b49e5fa1c6d4cd6d948e733058a29c5b12d46ebe379142be16bf0ebcf01efe57119b985ce84bc513288928cd91bd525

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b6e52e588694c6bb37f9cffc4539c875

SHA1
baf38aa4983752d6aaa8053900c02b27648fa0f8

SHA256
d76140377f63d6e373408510723846f34183a2d4d0192802649c91e035bc06fb

SHA512
98a31aae18e3ae20e3622d5ce5f15caea289b4286e2739b156464b4e7c19e21cd281a0f4ef4035be0bcfc7e5c5ede2c9f46bce30471c41f801dcee1c9cb63555

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
296f7e5c390754a4628c514a0f0933e1

SHA1
992fa8b5f026d1f8a880b6ba3ffa2a68eb24f3e6

SHA256
70d24bdcfca978537d480fef7e46eec9085a179d1b56fe1199ef1904b028a754

SHA512
e5ba374fb3a86e615d53592eb06864686c31dbc485912281ae66cdd7d4aa462856cd7259fa7d5a5ef97c14173cd1d2d1109ae38f1e0f7cc58c0db31c3f2d66d5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
91ac22c330e8ec7c732e55113d3e3316

SHA1
86d31422e30ee64e3210aca24ef89e854b1cd5bb

SHA256
28ad33222786dab5776f3bf2ec3188dd9e1a86dc3101cfb84bddf324ccbcbe49

SHA512
125cea213306df58e9be340c6f4be826a57494cd8590973742cda1e03f61fe5673deafcc2b6b9f734d00fb783e6dc44ba28f7023e07d9e3cf9c4fa7fc3f0785b

Download Submit
memory/740-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/740-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/812-525-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/812-43-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/812-45-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/812-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/812-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/812-37-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/812-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1580-444-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1580-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1812-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1812-87-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1896-96-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1896-6-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/1896-1-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/1896-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2200-519-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2200-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2424-467-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2424-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2520-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2520-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2764-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2764-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2764-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3052-531-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3052-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3056-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3056-526-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3332-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3332-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3344-126-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3344-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3344-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3344-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3728-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3728-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3728-122-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3728-18-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3728-20-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3824-189-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3824-523-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3944-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3944-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3956-529-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3956-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4288-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4288-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4852-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4852-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4912-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4912-78-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4912-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4912-83-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4912-72-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4920-532-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4920-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-51-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4936-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4936-57-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4936-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download