36eb5818340884110f263a5dac6b7a00fd543360827b2bdfa283657bd4f97dd7

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Size

712KB
MD5

a88a8be0a73bb51350a2039994ff5ec8
SHA1

7082b53e9ba374f55d64e7378dc8a07b22f5daef
SHA256

36eb5818340884110f263a5dac6b7a00fd543360827b2bdfa283657bd4f97dd7
SHA512

14ffb74c2c8fbd09fe20bef9c7ac7135c26b2980623b324ebdceb77532a8c0901f3ff0b059cebaa48f32f6fd9e6a4010fbf2daf9ab9a4232a87a0f0bdceecc90
SSDEEP

12288:ItOw6Bav+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHF:26B0UOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
900	alg.exe
1920	DiagnosticsHub.StandardCollector.Service.exe
4300	fxssvc.exe
1016	elevation_service.exe
3740	elevation_service.exe
4360	maintenanceservice.exe
1972	msdtc.exe
5072	OSE.EXE
4352	PerceptionSimulationService.exe
2632	perfhost.exe
1936	locator.exe
4436	SensorDataService.exe
3696	snmptrap.exe
872	spectrum.exe
2740	ssh-agent.exe
4704	TieringEngineService.exe
3596	AgentService.exe
3160	vds.exe
664	vssvc.exe
2744	wbengine.exe
2072	WmiApSrv.exe
2376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce4fed5d4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1c98e9084b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e8f939084b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052f1959084b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d503c89084b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6252c9184b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007284e58f84b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004204a99084b2da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Token: SeAuditPrivilege	4300	fxssvc.exe
Token: SeRestorePrivilege	4704	TieringEngineService.exe
Token: SeManageVolumePrivilege	4704	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3596	AgentService.exe
Token: SeBackupPrivilege	664	vssvc.exe
Token: SeRestorePrivilege	664	vssvc.exe
Token: SeAuditPrivilege	664	vssvc.exe
Token: SeBackupPrivilege	2744	wbengine.exe
Token: SeRestorePrivilege	2744	wbengine.exe
Token: SeSecurityPrivilege	2744	wbengine.exe
Token: 33	2376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2376	SearchIndexer.exe
Token: SeDebugPrivilege	764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Token: SeDebugPrivilege	764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Token: SeDebugPrivilege	764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Token: SeDebugPrivilege	764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Token: SeDebugPrivilege	764	2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
Token: SeDebugPrivilege	900	alg.exe
Token: SeDebugPrivilege	900	alg.exe
Token: SeDebugPrivilege	900	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3736	2376	SearchIndexer.exe	113
PID 2376 wrote to memory of 3736	2376	SearchIndexer.exe	113
PID 2376 wrote to memory of 4832	2376	SearchIndexer.exe	114
PID 2376 wrote to memory of 4832	2376	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_a88a8be0a73bb51350a2039994ff5ec8_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3740

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1972

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:872

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3736
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
296fb729178242e04e92bab95763c300

SHA1
e293ca66f19259aaea6ab7071d84bd055196319c

SHA256
5794db5497368362e84e1714b7413f570e0977f060886e1df501418cb98de09c

SHA512
c770a738ae3ae00bb58a98bf9dc8fb86a23cff7a900295616ce9c13cc5c3f667c236533e536b0eb9e68eb96a679a076924a96a2ef48e1d6bcd3e2b6768a96f3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
bb0dd82ad33540f5d42c5a73f96968c4

SHA1
c1f2e9e639de84c8882510aa500cd1f8df33cacf

SHA256
f54304fd787ee5a1674fc151f582d540b302da2108fe9cdc190dc443de83fff5

SHA512
516e3633c0e6de218a511f15ada4523213fecc48fc5c515a1f68dd322c481f4e48ab703c4e553b132e91a32e842c068f3aee81cb7444dbf320c10ae6d8353968

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
605778b93a7d41a8e4da7c7b2c089a3a

SHA1
13f6b8e09f1de6fcf3736697a9972a5e7c3a0825

SHA256
c872062677d539b0c2b143b1b6850c9e05070c7b628097f92839fcaf671b7672

SHA512
2dbac1b511977ba6d7b9eeba93ac05f945dc727bfa1c803a2c5d4c2f6e9faf3056a0d3984bdee3d652d389e56d92915f659b2a1da162f5f728669ed088bf7bda

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b55c362656978b83f934fd7c642e166a

SHA1
1d222c9f1125ab6d42d0175a7c17ae7919ddda71

SHA256
5d3441f292bb26db930e4b37052f282a1b32184caf9490b3dc0289e9e6b93a1b

SHA512
461bc516f4832c912d98775cfdd62f3cce675e745748b42dc21c6f4cf3ca02b3a30448c0d003534ac2cea59870f3423c16139eb560a762be46010cfbe9804a62

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fc0d1b55a9095eb8f245c9e08d99f84f

SHA1
d816caf56773a25b8a903992ecd98e4a7de3f503

SHA256
af6adff18d51de9a8f684311425a896f6780e05f6025f580e2470876da7fcb48

SHA512
7fa0885c2162433f1093e58ca5d547a41241c68440f06a789278e28c182378ba2f37f9f32f409b8e00987bd2a926da02f3f4ec342807b05f67f04d5cd88b996f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
44a356006a7a2eea31b914c92a27917e

SHA1
3dc70d0ec0b8c31a7e1d8953e1c18a14552057a5

SHA256
d7b93238988e79f4fb29123417050b0d83a448b998d54b5faca5479682ee6556

SHA512
18649a69f418d9cd0fdae9d97c3cb2839b620e221c3b2020bb1fde0ed111e8eab833a6a2aacc78c1d24cceef38d32f81133b522355dc4523eda37682b38e53ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
698d1c20fe5a39ebd656f0081ffb859d

SHA1
2ad9459b8b9284f2eced8b8d961ffa0d3846fc36

SHA256
8b59c52b8e5d41daedeb55fea31dcd56eeb3a3300426c069895839441c72fa24

SHA512
4522fce05f41bc46ff3d55aa9aa039339626673930d803a470ffd47b0cbab4ad31b444e05539a9c973ed739d436b7b60432b53d11cba171f091e56dfcde430d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
226d9adf7f1c20cfc6cba4e6e28c0c90

SHA1
0de31555ce1233b34726d9cebfe93e50c1ee0331

SHA256
4ad7bebf2d41615a3185121039862a289cd16cc376e00ed9f018800e9ad55596

SHA512
4dc1d8988668e3dcbcc653a55cefaf6fa68cbe1b2af6d81616c944aa26f370768d2ce5a8c90f4fa0cf490202b14f61306cadb05480fc2c022896b60a8c94bf99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0c3c27754b609f5ca9d01a5d11c46c67

SHA1
241cb37331fc4e92d807418ec9c1be45104fe6da

SHA256
01a0d22947f9e3cf545263451f02192888791a43120982b1a8f2da165e71dc24

SHA512
2e90f2358d675978fb4ea5c73fa0c276ed7cebfc05850169f60717bebab3ee6734a2481af50a085482013aed668d0ff15e0c4ce00e000e37659d1bcb435e2143

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
371e99f021d754fdfb40063fde49187c

SHA1
02b560f6dc216ffe9f229644bb575d9f370c8954

SHA256
da6063f38bbb1ef03c5d297b5dd180ef9564cd6db8d09ec8b44bb95b561552dd

SHA512
2ed6457a1f6edc0d09536beae4ffdb5785e0b2b470a629e10bd91b0f070258d20bd436d260de5052864010eadc1f9bd7814883b9f40af7585193fff28f27618b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
50324180611bcbc1f182341558b100e6

SHA1
8fc6087bd41f868140fdac3157e1a2b00500c071

SHA256
50414130348f6f8eb1c263cbdd6960dcca9ee72a5a0924031e7cf37ae9e4b19a

SHA512
a03a53bf768363cf7ef8e569f2d110fe69a5c862103449778980d94fcfae7ff793cabc44129230f0652dc18372961bc4fe8bd42c7dc89667c58157f7fe47eef9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3412ab98b0e337aa309d32a1db5ca5e4

SHA1
85a0ab6fd3227677aac25a24709b4032a745672f

SHA256
e81a4acad7f92134b92905ad3dcffe47a9c468d7e82c2d4cd23af03abd655413

SHA512
8f422a9a5b871cd6db0ce347dd4d55a48f83f8f410f8d4ec13470f38d6b645ba9e21e9d93abff8c9f179b7804435f8c95455c0a0a3244ce973f0ad50d4ea157a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1c0e605dec225fb7d405566df55bab90

SHA1
7b86423e8c66befac340ffa45ffe941c5119f4ee

SHA256
f210f384d1916bbfb63e56bd5fb614b33feaa102fbfedb595004b6c6761febfb

SHA512
412719ce9240a8a0307310ce53f890a771fa38a2c04fd696ee4f6d3a12adfc43e61aa960fdae3b4dc78e74fb25d623f028af9f7898dd3aa0792b7200ed139894

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8026b07caf922c486854faf24d2b00d3

SHA1
28c29ae2fe803a1f145fb12caaf12aaaa419b30b

SHA256
008e33793ee99736eeace12ab5e718f3cb7231bd69809b562e4467265aa1616e

SHA512
7de030a5b8dab912def8f457a82a0130ccf1facfc100e04eef2d6b9f8a277ce4d9569ab7ccf7344b539fe706a62afb5b9bedfbd247975d3d60a847deda3d43cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d2c10c57e339d045114129c295596e36

SHA1
54a3bfb5f9585756ad8dffcea45e5b9f9d355587

SHA256
b8ebaa5622237996877ada96438398eaaaa6ea8575777261045f5e31051bd10e

SHA512
ef81caaa195643f8411082b77e4056a198d3c91d6441d520cf6c8dbc0eeb132213bfc3601a985386790b218ee5c8b4e38b4007c95e421fd9f3de218bc76e91f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0052bba1cd459096186b10b93d8b1063

SHA1
b903ff86657c6f5542d88bc839b4196f8c9c2a13

SHA256
5821d108ab96eab15a8b18e29fe90ee07db5dcf884163e5087bb3d0ff0a7293f

SHA512
c8293008e0fc48e5d0c1975fd8c5b8012777cd515970d201ac054cab561f55b77af21fb4403cb1dffb362323e25c7e959945ad11477115404136c9cf44e4cd31

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f4e2c9b3ac7ff1a9fc771a2735f2963a

SHA1
c9ecb0b638ee851172231175950e1dd1fcf3e1db

SHA256
3dfd68395c9a757ea8bc7fb0cdcf9ce7379a1b5755492b0d2140a8a72577179f

SHA512
a09f2a99abd20d6704ad437ffaa5ffc16c3236f5b29ed4d6b4a8569733aa477c46185fbae54b8c981ffc391c544e394faaa1f4de00d15763119995a828780221

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6849b0b428cf226dba719f62612f8603

SHA1
17d1cb000a8e11476e786aa280bca8600b301adc

SHA256
0472afe61b8f60334d54965ca8c7b23afdce5034975246d2a09eed574ba0c283

SHA512
93b1d47ae47147d93b574ea658e3e057f970bc084e0dfbb09f25a802b0b46bdab5ed6563ccdaea60a026592ece6c3e473b2ece647a15da673e4d7b6ea3986400

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4cbe4d57e0bd0c4d495989b8be449a9d

SHA1
266e36d4de53949fb346a93925a116c6b61c9c89

SHA256
138c3428e7cd01f8975fed6b53b8d2278b063bd855d93ee29722ffd5f9fb3b4f

SHA512
f1e1cea9f47b608755b58198b03fa1b8b463b50bd3ff6a4720170933f12a5a4ffdc0c6aa8166aef267f76b785c7001ed00dfa837a332ba0f43282dd70e0e6754

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7f2d3255b71c71a659e6cbaa3b8874ab

SHA1
d557100460a3b4b38a2cd9871fd847a4202c0f5a

SHA256
d5aaad43ea21a62b15999becf22c85be1b255c2b902422bbc01ea2b0db7be270

SHA512
b1c909c80751dcc11529a4ebeac4efa9199bd7cc8cdd0f3950f34dd02a4138eae0e6e27b74bfe4e21e735fc4cda7231c1b1716d072db0f2beb08d9d3b2cef7c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2633bc1c2ed62a45a108118d42a8fb02

SHA1
dc0b9441da862e2e101e4d1d48cf637064d6c790

SHA256
2c6374baf0481307657ea84db59935cda51802bada9e2dc8779bcc137d7ebf75

SHA512
927a184517f81b3dca7a7597eb7409f5d4ff3fd9149714b2870352baf028064c2498d0f82d8145bb019bf15a03841562477a46f60b83e6a2f447905a50ecef9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
24b3e1e9c4f9010f9edbc58ff4e38720

SHA1
8ffe9ab4bce862fc0682669165e5d33ae8898555

SHA256
c59fa5150a79f008394a6db40634cd5e38ba966fa12cb003132dd1d3920abbcb

SHA512
900ec627be184793aa90ffecf9363a98e9eb5b78b94a470dbed3e3f447bcb2011c00df753ebe6f354432a2cce7c95230ebc8249361906a83ddce218b958618dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b1e147abb91d15e2b3c7b4cdeba7ff11

SHA1
8a98753000c7793d98ba2296687857564263cba5

SHA256
3478f19c6ddbddc712b2aade7235eab190523453d6fe9759250b52d691628840

SHA512
ea6ee2fb5001032749bcda5fb708e5346e19be2cda890fd04d0c51a31155b25cb3d1a085570d7acc96b87676273351a681dcd5e810a9797fedbd9a916aef993c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1ae38561b08926da024f59f80d5c756b

SHA1
67134e0a3a50fedf2f350f6791a88f84553d735b

SHA256
27ac429fedba03d4555457ef945aee9f033b87332a0e73a677bfd28555a4d227

SHA512
700fadabb94a37342e1b5099749e3c42df8b70ecff53dfecefbcfe91b68ab6b71306dff43ece5790facc9c8c73afab77854db0ad2e1629680f51160bd79e7891

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c9dc70a09a4f8d5a9800cada27efe65f

SHA1
8577cf348010c2a146b186307a4986c086d7daaa

SHA256
55594047f6bbe3097623aabadfbfbd29f40c47c28d637b5fafb5f13679258eae

SHA512
37a3018b7cca1068ef31dedc24944861414869e94833330112d30c138149f2a2fc33920a505ce8274f2a262f9ddb0fb43a06299deeffb024447142d13bc6d90f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
62b958e44dd260af88694aa72f0421de

SHA1
524dc3a2fc89cd461aa9d2a2d7b2fe02d527faae

SHA256
888bdff166687a27f9a3e162580312aec66db85ff9838c2b2151709b4d6603d3

SHA512
de4eba5286d7ffe6195fddf62d4dfffb1bacd636d89ce08ea36306937584a69a7bcaf3bb645b52c04c78f2c0436589af0c2f26549e5c13ffb4838b64bcd1ca0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8d8164c0651fc99622e0ac91b49c02e2

SHA1
4b19be3d0416a69aa67d70c068669e9ec84fd870

SHA256
fe798b7ea5f65aed9483bbafb048b4d27b7990c7ab3622bc96003c04b098caeb

SHA512
81a15dbcb47e39265f754be2482d81caa86d06bc39f73f4f73ab2ecf5e74636403dd92260ecf75287382bbaa213dc21fe5efe6e21fae7e989d47894db6773aba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f448cc494b25650e89cfe7ae63f2c1d2

SHA1
647bb8bbf7f4a764095edb9a4a01fa565964d214

SHA256
0f91c929ec5641f4846adae362a58843a2e7ecf3ade373942f37f9cb9f411042

SHA512
540eeb62937c74a5571d941c25248ce818ae6ba4c5db8f509092390800637c6e75f879192fd9ffe6192cce24f7012b559da9f03f093a65bcccfc442587f20633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f7b213a05c66f5a89af2571d1d323eae

SHA1
bd51c8ed3c9570cc46a599275f6a4cb7eae24b18

SHA256
1afcd00a2933a4e11ca05516a1e5537653c0cda012ad3987aec2ea276e7a7e0f

SHA512
a9b6c773ac1853ee50b03b462d3ad5f028ecf65f45a2e1dccef355d1cd0cdfb931c5bcce7749e5e075d3936855c7e5e5bf3052e1dc10f1b58abc98f7b37dde40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a20e33bdc7a7bf3d0253cca747123238

SHA1
8d58dca921e6e63eab169f58b09f0a1a61a0d80c

SHA256
fd986131706133c524865f952f1d8e8eaf2799ff81497e777de3a0afdb068536

SHA512
caf70ccd0c8a456543f710eba31c9da923e6c095492c043fadeb934f1418a6244a80dba8d90019b0cfd84d3fdf36c54ec06ec986a47ada15ded75aedece7cefa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
42a6da5b85ee217c98873802c2dfb054

SHA1
67b8eb9df9c969a536dd54a48ee5e87e5440ec9b

SHA256
46dff39a4a89134b65c9a1cb6ef4da62604714d2dbc92f4b8e84c7a63c8785d7

SHA512
7c74f9bdf14420f7ecb27f9a60e9546778f0be3eb78bb5faaea6282271ecb7200128c42e70286844166cf3df86b365af9d08aeb52dbe7f6edb744807f0305123

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1498672f67d080675c5e8c30e51d0164

SHA1
e3618801e722f9b69a17fd2605c4f8a35fbee79e

SHA256
b83d6385dae3dea2bfc984ea2414ed90e62cd8210dcdfbff7f2e45886f6efc7b

SHA512
e5bcb5d9f147cd84a389f0a918322c7157052826e898dc383f494545245175254d2c114fdce352abe85956aa630a1c079e5392d7a440efc3f3d75d007650b2cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2203b176818d5a53fe603494265a52c9

SHA1
1b4244b930ffbc4a804ee9e5b137c77596d79894

SHA256
bc8e60c593fb79adfc23a56cd06517f057e867531c8bf4d8facc3f2f44fe948a

SHA512
74626f289f65b67b071aaabdebdaf3eaca20008808a4ab814a19ca83fc5e21e35c1789cd921319dfc8a8532529607cde2f94cf83efc94878e07b2ae622f395de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7460e0906ee0164aedd09b19da517f25

SHA1
592309e9eb9b5b319f0ac4da162da4647e192d7a

SHA256
bfa2db2c8ceea05b8f89a2eb7ce9fa0c49a510e10bb1445cbc819e264e6f665a

SHA512
e53f7ca85057dd81cff443bb6c651e938d524436bbee8dbd0b2d762a51f8492c11e9bc418ffd957171b502e9519cd463d00c103a93ddcb764cb607300e13f6e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
684ed5c7f975b4e7d2c7a1474ff3c7be

SHA1
72a49d6ab000797df53392927b2ab35877c18478

SHA256
a5a2d2bef8385103c1590d6e577270f66350244a07529d88e0b1d1408c5c49a2

SHA512
8288075060857309e23f90699cb5d171f0fe0f3c81e9cc8c47070d5c4b288c0c600c2e8e9fcbba01a1ba12a52dd0ec2a6472b71c324f6caa402f8d3fe1a90db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b4f98ef7ee0f5ccd16229349886caf0f

SHA1
9cbadcec4fc6731120c55ffb0cfaa22592d945ad

SHA256
57e23343b508d335b0bd2efee7d3e5bd258300fb7023995c10dc55baf3139949

SHA512
199cf0f0c385234389d4ebde9f2a585dad391afa1721cf6a70d82591c5fea38c1cc64441df5ea387ed59132a71cb46192283b634713d422acc0bf6bf3dbeb8f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c00910461dba4805697cde404b58da02

SHA1
9293631652e348752c2d5ec2c2975da8daee6852

SHA256
1f972c5f4d99075711202d044ad15005242a5787552ad034acc704e1f53db281

SHA512
4bf39ff0e98a345ca77908afd80f34f462320346cf491e07e62124c26e28be3874bc6e0794a2d91d480caca2fe550718988d541fab4c146ccd9d5ff4cf53fa4c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2a363c0d89c992239a1042344dd87190

SHA1
4128798387fe9a46c53bc858ee32c84ac1db475a

SHA256
d8404d862d15b687625755e3d22bdff9d1adfe4dabcd88eb2e4cdac8a5c2fbd3

SHA512
1388941669c9cdc824158e6330d8a490a906c4e606c03728c24f4c6ce57041e84d05118da23cf2780d9195947dd2184a8b0264ed65640aa0fd2b8f5cc777e303

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
79a93bdcbb20d28a8e5cb3426b03a9d3

SHA1
d44fb6f7591624f4324bd9a70f692495313b3263

SHA256
8053b8285db9ca50ddf8bda76a609fdcdc51730d230c774c228811de51b259ea

SHA512
27d0158a43798b79f78b2079ec1baa1dabb5aea14e56067b17a14a4e814d6ba20c71e27c8291cda7919a7ef6c99ed3b339f7dc46616ca2ecb2c9c480be4e2038

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f6e6053c248b4a93ff3780b0918a8cc9

SHA1
141886a8801f24fe3585085767b4c602ccb240e5

SHA256
6ecd0244dd88c0945f7481b59ff58143f18b7622ec719545d68bd4bfaa6d731e

SHA512
6c140003c6043c24da1961334159f5e9cdcd281f5ac1f66edee4a9c097c2b8f5d89cf1affe167027ae5165bd93119d350046a8d99dc40e92a61c9326ba22d78b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a6b6668b3af0e410abb020a5bdbb2a17

SHA1
fd1a968c3629660d00902aa684bbb1d4dfd2d039

SHA256
8442efe2ebdba9887e1025768017c0ac53dae4679f4421c7050452dfedcccadb

SHA512
3de79a974336b5d23c10e3ab3ac5cd9038f678c6008b89a6f74f39ae683a737aa75c0327a126c47e4d21a318eea9132ba2de7aa9a08f8ff307a84b6af88fdc1b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7ecdb3f9a85d5fe741c10cd64adc9206

SHA1
421332ab0ef59b147cc142d7d6af57d218c6ad75

SHA256
999d46526fea2dd2d0658a00f9f261db4227f937685b349603d574c71fc8043e

SHA512
8244da2628651358b5d610c3dfaeb5e1b0e0f5a3b38bba0c386ccc7488ff30a34807b63283f3a9be194826baea5a362fec74932a55dd387e59ce8253ef5ec477

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a2a11fdb37c58a700cb637c4845e24c6

SHA1
3c5776a6f5779a9f1c1c3ac71c4404ef769f534c

SHA256
5a2587ed46c2c5a7b159ea75bac7e07481c888dd18c3aeb5f87711489221e8ad

SHA512
90d8b4baa1888279d503faec24281d19ec50fb99d5215b4bf6b46ab5c04af14c73d2d40dd8595e8837270fa07302ec63851fe94079dc501640c81c9e0a44e438

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6de6213589b89b1ee51a2c846541e32e

SHA1
f038de64659bc779556fbb3aaa787927b0922b61

SHA256
c032933f530b9be46e00fe60ab34dc41b479b8b771de76fbe06b9809d5a251b1

SHA512
413de014af41cc2b40f6a199eb5686dacedb58230c806a5080a9e03f543902db189dd4d49aec53fb2eca4ed26042833e8fa68b534f44fcbf917b932fb6144209

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b3eae808076d4b396ce2e949f38eab8b

SHA1
a7db42940dbfb420a2ba86a84ddc2991c79d8ab5

SHA256
ad2e9ac630d7196e5bd5bcbe2c30c0a0916a0390c817839904d6339ffb47db35

SHA512
43fbfcdd27374b9ef0e0e92632c3857b2b1c8c02115c86f40799998f5f746e1b90240f32c22f3141f45eba6f0354e1f8146449f3d49b51a33d6213b242134d83

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5064432a06c31a44c87b5a89cf1f7d17

SHA1
f8ee2214fe86550aeedd7175e9e1ef4725a2e02d

SHA256
9a9493225dbff3fc07ab41ea6633481f05c8e9e92665c6b20fe76832005f07bb

SHA512
b2877a3f794329bab1ea019c2dac37f5e0a87d42b25ff0b2b2a14e3355de539ca2fc5a4d87e863a1d75eb415cb7fda1f883ef2e6c1d095118ef16bde72bc0703

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
982f14a1adb94f92f185b1b0f9cf6a50

SHA1
f4a18e963ad1ad61155c18b4f81342e71e8fb40e

SHA256
435483473348ebf89c5f0f1ace639fc0c792b1f7bbc9640835f2a8a1b58fb8e3

SHA512
91ad2c6ccde7ab33e327186cda2c3664dbdeea452767377e3a95746a6801f1d9d9c2326f2859be53e7d442c719e13ff6d81889f2533a8136ae3cd5b8dc9b0381

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d7f00242d9199906ab0469af127b5be8

SHA1
6314bc906edf1ba9dfbab2e54311c3d16a5f1dee

SHA256
4a54599be6e5019ddde6cfa6f95c6c7d522519960c7ce2cb98ddc9f9b20f3068

SHA512
2d31370c44862f4a9e5c08df4f9ed634b30a8397564e28a2a23e0c23c8774c20557df11b1f95e986d520d40239372528d922d2a75d5077b56b2092293c57ccf5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3b56daa0e3df1fce8ec70505042ddb43

SHA1
dd938f494f79edbffdd502ba2218f6a712926fa5

SHA256
1e03335bc035c9c6cf724797be71faf86f3befb78ccbde0883d0ca4a8768ecb9

SHA512
88bce4c2f9483947602d3264d46a4e6e5d410b6468019bfd440fe2a62ba5a4528eda0ec222235afdc28da2e9f1c4c9b5a8c8687b1525fc68815d286938122a25

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
981c45fd3f9b629e4a024f59e1f3c299

SHA1
0a981b6f599edd0c74657ea7dd2f724c1619ce71

SHA256
1ca02a3d3410dfe0f822e8bdac2a9e03918bfdd47acb77fb5af35a83af0470a7

SHA512
3b759f42fa75035554465c5cf10cc1021c311b94f474e7f996015069c571334db95d6f508c3bb77e5cb046dd23af91e0f7959c67c2fb28bf1efc00022681bdbb

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4a54d6b0f0e0029ade360e2573b3a90a

SHA1
7a5368b9a5b1d22f8f459e5d987f1487e71176eb

SHA256
295c7935714aa3a3dd5e53f27ec01f10900b311b176b53d808e1caea0a9cdfdb

SHA512
8f7388c7d33783da762495ca5ebe8234d25018be43c4869702944edd1cfd01e999569e8019a5115418cec906db7be335e85c00110f24f63a01892fa104c0dacb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9759dc054232d37e787e4473440e1bda

SHA1
c9c261c03335bb35bf28dabcccd65f3525e6dc13

SHA256
9999e44eb4d941c2932e4bf879de4898feffe37dc3419224180003c3d88fccef

SHA512
a204696d4f7fc102baac9018bf045816de0312079e40bcab2dd4a227085bc4fc03f22fd9d866bb5d01d81a383df253c8a8b6c9fd2694d657ba4493dc0b96cbf7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
bcc73dea82087529a58a10dc310d42d8

SHA1
d044871a2be108c76ee4ae00e6f99c8f0dc93dab

SHA256
df81d716ece5953a383f3d9a359406449393d40063f717f767a0c1b5e166ef97

SHA512
9b0ff1f6117e3f25bd57a2f502ee21bfc2645eb2f3fc734b82dac8b23958ea20c51234c22197dc04065f0fa1df7dfe94dfa55f5c806a75bdd0bd91d290a46a8c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fa88738991a692827eb969983e78278b

SHA1
3fd3cfd13cb91c80240dd2bc4f0e0cb90ec67ad7

SHA256
7f9cfd607e55a9e19335b8e730fb7af876fa2d2e8d7f2b67f4484a7fd0de5235

SHA512
ddb631a26d9710140f220da32b033d9eb8fa7015f1ac91743208e996b5020e35e641b561355af652e76d68a1b5119a91ecee7343cdee1d13307244efff05a095

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cc26ac09464f80468c69bcd5703cb584

SHA1
de451be02bdac5d8834bb5b68ac3e7006088b67b

SHA256
4c893471d3e9cd8bd766516688c5c40832efad784226c301f84295dfd1f3fe30

SHA512
0ed8bda8be6cfe80d77b86c1c496ba2b4babe5731b066a9fe0ad92731e0eb74a7171637ed3394d42fe2f345cd5543b759e64bbbc09f5ebe76ae5e191a931d810

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
406a9b9d578abc943f74922d9d95ffaa

SHA1
5ce64e0f2e0f14b7f8bff3842de91cd5fb9d91a5

SHA256
55cdbcdab359b002aebc7f7d14b046bef13604571ba949d6d081ddd40aab043f

SHA512
6bebaa0eb3849730df5c2ddcab5dab45bc6d3e6dab11a6ed125357f6253a66df4d118230c42007c9bb710c6aa8a82392fef1f690aa9e2d4dec1ea585f59d406c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
044e0f0f904d014b71e0cea4181e1e8c

SHA1
9126207b207e1c971b92124f80c2e445ed99ac5f

SHA256
ea1f84a72cbe2b8097699cab353d2cfc26c4a842e99e461327469a0dc26ca964

SHA512
b8f613c349c53c15aba0bc166431320427c77da3ecc0d0d285dce598226eb5fe8639942ec97428d3243e08487dc1f8802b6d91fd78045bde9a86f357a241495a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1cd6b3d7f456c786932d0d63297fcf98

SHA1
ed79399e928dd64b4b19cf52d2d9f90073ad649a

SHA256
6cad8480773acba8233c7343c60a8a5a36835a0aadbc612caa13712f590619a9

SHA512
0b75e8d00003f1b6e48957f479d494889abadb772c29e0e3e5525c3a5941244c9c05cf586e70949b0bbb85b830439c714e7058400261ccfe31c47adbd0b217fc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e8628e8f42eee877841eb409d0693135

SHA1
2f3e5a591b42df926c85bba06b0d584010f65bb1

SHA256
61f111cbe3deadcfcf1b4acfc39c2181552c8b22e375f560a94d4ec08237af1a

SHA512
2513b1926f21e8f524024235bc6ce36f3088eed69f2cd28f32b54e60cd1ef50023d7ac3fcf7364fffbd54d2b90c77668ac9e3662852e407d4d513ce2decce422

Download Submit
memory/664-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/664-641-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/764-8-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/764-74-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/764-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/764-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/872-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/872-488-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/900-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/900-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/900-105-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/900-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1016-52-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1016-58-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1016-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1016-183-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1920-117-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1920-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1920-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1920-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1936-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1972-91-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1972-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1972-216-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2072-643-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2072-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2376-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2376-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2632-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2632-252-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2740-633-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2740-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2744-642-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2744-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3160-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3160-638-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3596-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3596-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3696-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3696-463-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3740-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3740-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3740-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3740-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4300-44-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/4300-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4300-38-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/4300-51-0x0000000000E00000-0x0000000000E60000-memory.dmp

Filesize
384KB

Download
memory/4352-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4352-240-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4360-76-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4360-82-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4360-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4360-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4360-86-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4436-636-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4436-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4436-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4704-637-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4704-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5072-228-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5072-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download