da95c63c3ee0d42e66d79da42d7bfa8683a2ef112b1099fc865106607e865cca

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Size

1.6MB
MD5

be239e8629d67a9cdf026e5335f43983
SHA1

164d3dfffea0f7dd6d7a04eea9db2d804d1a561c
SHA256

da95c63c3ee0d42e66d79da42d7bfa8683a2ef112b1099fc865106607e865cca
SHA512

2cf704183fe9904e5a504f1779cd0f52c80e211d2c4816c2aa92ff53be08e589fdad0a796621c16f2363609a00df2cdaad8c48c423f8661d0306598603b2a30d
SSDEEP

12288:/tOw6BaqSbwoqg0fitGbna8dQcLk/+cb1q86pJDlAF44bE2cSX:16BAbl0fitGbna8FLk2m1X2D4brr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1440	alg.exe
888	DiagnosticsHub.StandardCollector.Service.exe
828	fxssvc.exe
3700	elevation_service.exe
4560	elevation_service.exe
3164	maintenanceservice.exe
4092	msdtc.exe
1032	OSE.EXE
1304	PerceptionSimulationService.exe
3152	perfhost.exe
4364	locator.exe
2524	SensorDataService.exe
4856	snmptrap.exe
4864	spectrum.exe
3804	ssh-agent.exe
4716	TieringEngineService.exe
2456	AgentService.exe
2904	vds.exe
3720	vssvc.exe
3588	wbengine.exe
408	WmiApSrv.exe
1352	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3e38676c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ae7d25896b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8beea5896b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007434a65a96b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005383ef5896b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af6efb5896b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007d0c25a96b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035cd5a5996b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2907e5996b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea6afe5a96b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e289e5b96b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Token: SeAuditPrivilege	828	fxssvc.exe
Token: SeRestorePrivilege	4716	TieringEngineService.exe
Token: SeManageVolumePrivilege	4716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2456	AgentService.exe
Token: SeBackupPrivilege	3720	vssvc.exe
Token: SeRestorePrivilege	3720	vssvc.exe
Token: SeAuditPrivilege	3720	vssvc.exe
Token: SeBackupPrivilege	3588	wbengine.exe
Token: SeRestorePrivilege	3588	wbengine.exe
Token: SeSecurityPrivilege	3588	wbengine.exe
Token: 33	1352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1352	SearchIndexer.exe
Token: SeDebugPrivilege	4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Token: SeDebugPrivilege	4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Token: SeDebugPrivilege	4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Token: SeDebugPrivilege	4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Token: SeDebugPrivilege	4696	2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	1440	alg.exe
Token: SeDebugPrivilege	1440	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 116	1352	SearchIndexer.exe	116
PID 1352 wrote to memory of 116	1352	SearchIndexer.exe	116
PID 1352 wrote to memory of 3092	1352	SearchIndexer.exe	117
PID 1352 wrote to memory of 3092	1352	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_be239e8629d67a9cdf026e5335f43983_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4560

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4864

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4840

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
252d40b40bd22b3117ac2ea336be81b3

SHA1
f2bbecb1b6fb22ee19b3e549f895561a6bec9b90

SHA256
266206690a0130abff7f7c2d267c0a6b268eb6b8c22770619d43d0e28c79267d

SHA512
a5ed7f92cb63065370e19ec9bfc8f62968ba9ca90724581b375866bad7eb6b1b8f13cd5bb54daf5967da8d80a1bfe139972a1aa09967822510e35da4087786fd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
c429852fc3962f2391ff6560f15ae580

SHA1
450ae06ff78ec38081bbee88b257e11dab17025a

SHA256
d64e62b8f8937bb42326e64bf6120065e60399c55696cc862bdebf6356020107

SHA512
b297f65d18f9645785b38026d357c93e1984fb6c75179922eacb15a8a6e606046438f67b5362af1837950f83ab7b2c19c925941ae62c74e76c9075c8cd41ae92

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
06f7fcc273cea4764d00812a391fd1a9

SHA1
b17c8d91bdf71e1f961612c3ffc280c93a409261

SHA256
cab483fe0fca0694e2a876a8fddf2cb8cfb4d45dca665421f6b026b4598fea67

SHA512
22df38cd42e5ad06412ca838f41c5f8a8547b79f6451a58b6a4b8d80d12134e4a53b522f66638e1e18e50a7d455987394e4647a68645d73adb4de0eef96cdaeb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b211f71c56085045bebe8730cea1bb6e

SHA1
3598295c0ed1090749b0ab232565ce41b46d0b73

SHA256
18c7c80aa5637965932da56856e132e0f8e7e50e63d05d77a9c644b1d4d1f475

SHA512
76a4d405ed9bc110640931149d735fba7f338b387a8c9d873b840328f235349c9de92d0ef94a9b3ae9ab154c5605ccbe56ae309bcf14b14333af40b69bf6b596

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d38b526330fbfb12965748e8bcc6281

SHA1
6b509cc86ac50482b7b3e429884d823051778499

SHA256
9192f647118a55c3cacc56efac51514fb047e0ca60973b2b15222536b04100b8

SHA512
96a6d3e16ad4210b5d15ba157ab31ad97490d43af7989e26c642020fbe2058fab4962da7a2913980965f0e6e7d1a80439fc3305ca9caf1b15815eedd8efd805b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7c563aaa8028bd6ff34e0d2d733f2af4

SHA1
ec7e022b06ec0f82e25ade220b7663b55ec3d51a

SHA256
4bc063ce8313ef288061d5fd9c11e670bd4bfb95cd6990fd1bf9f839081da9cf

SHA512
abf5ee1a391e749b7239474ccff27bd61d147a3d67302071b861f23b88ebe01c1b00de65e750879d244ab974e34f544412e944e1c9ac0466f77594a66580693a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
241beec7afd70cabd635a9672c61edad

SHA1
63a21d1e2aeca115692a60b524e26f49f361a7dc

SHA256
3819420e5086e0be6a86644982b927e5cd234cedc4666aaaaf70716bf1f054c4

SHA512
1f96d18c36e0e72bb5e00e7e2126442015e1e212011a945bc175fb238811acca66a24d688ea52425dbcb0fabec54919159d48316d5d8868637baa149c570efec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
aa42c774c9e6a8d77992e41cc747f113

SHA1
ba31068a00187634e143d12ce060cb9e37b53c07

SHA256
9792747c7e9ccea1518d9f5cd798edb7738df5aefefd64c4317f0f7d7c313ee7

SHA512
37332f0b836fac171b8b7ea0af1e5ca580f158c4f9f93ecb068d41a7a202488e19e233999b9266981198f7c97b92ceaf74687d4c3700a49a96790766dd32c8a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
1c0fa1f7eeb7fce60e6b2755774aeabe

SHA1
294092ef99e97a384e3764bbf25c8d3655c4109e

SHA256
d710b3388cd95f479f35234e8baae723bd87c0fd8e0233df9e51275e086eea8e

SHA512
a1e42dd6af6e5ba451b9b4ae51dc22861aaaf5adf608400caecbe008c7ff62bb98cb3c5d8100ddcca9a6897066af76c1a8bf719d020e65c698320fb89ec10097

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
068aa6fce39581ef6e796ef00ca80c74

SHA1
fda714d9e2ea870364b4a9d441efc977b7c29c3e

SHA256
20202bf882c3a6809daeff4f86a704ba791cdacd8e1f5e255a2cc26abd393834

SHA512
460fd026b42ddd6ee57302be07250163069af01e21f31e4c63e68ae932a0f98998e308a94aaef0954fe959f9df18c2fced0eaab102e84c8a7a5fd29a92c54284

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f9fc0afd3739b1c90010fe6a77a2ea6f

SHA1
6c71c91ae494227505846df16d65690011784500

SHA256
e897408872140df31331c07b118dc976320719e1b6fc1b952162839d31b518c9

SHA512
7cc3489296101f227be0152b38f3c61687616fa9074d9068384e133b29f21d14f55d87ce84adef74407b579b3e2f93fe5cf047f537b78d678ede33ecb462db4b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
01ed6f736e9f5734f0a48a4202c6edf3

SHA1
fde5360420c3a824390c57c533465a45cead6395

SHA256
a1ab6eb040527e962d9a0292b929628a54a508c8002fd4c0b19b41cf1de1f49f

SHA512
8f784003e4d229a284497721f2884b8f33d28c9b76feb2876c85ccb472ed206c1e0b2b2c07b7cb8d0303bef307dbcc7f093e4166789a17ea835128c8edafaa7d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
072e0c0acd3c09df6953b96308b29e01

SHA1
f7e8d9d7a7b301cdfb3919f28dbe81dcaddf748c

SHA256
f8f11dfe1aecadf99bafcc5e3f41d688bb1242affa0952da1ddfda6a3883204a

SHA512
8d3beed574b3ad1a78f9ac5dd67c6f9e8c4476cb4a4d6e69987710a453a6bd10ce02834c5e0af7e18e95b3d4df3409006cdbf3c68865a2377e17c02283e7b802

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5d2acf8951f2fb45e3c233f921f4ed2d

SHA1
d5dd79be363ee2bab64011e12fb3d6f4539f5b1b

SHA256
eeaec668897771315b7e4d5f5682ab9835742c2d15b2c906fbb2d0e4b408ead5

SHA512
22779559c13d6d0fa87b014ea8e9024fc4dc97fb3f898d66cc5efe852b6031e10b52f40001835a5918ee4a105a29a40d4e585c953429ce54df5b8b4222eda320

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2a719d48fe0edb07e2d58c00bfcb8267

SHA1
64c8cd7b91c462bbebebaee21591b57ed77a2d9e

SHA256
3d5cf006cce665f1ddc323ad67ff0801de7f649f0e6b23697b0a2d079f431ac6

SHA512
6b0a1305b6479fe17437e729c505d2b631716caec4f7a4506ac5ffeb136263abd0988f6e02376ea3e5817bffb60a90d22324de1fa71f29e37d0cedae754ff553

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2f750e73dc2e573544ad723e3d472bff

SHA1
40cbf4feee0423b04d833c77cae01e0dd6839ca6

SHA256
5046ff79b1b6f8285f124ffa57f1baef01fe791fbd42aa01319f379a7152ff6d

SHA512
4844f75c4c83ab1245eb714e3da49923dd18cab02f7e2f5c3c20f27f5412d046a9777616e422bfde7e8b6d01b3fc88dba57400e240546306f027659e0848ee21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
17e8ce46d07a15e87a84611767eac2e3

SHA1
59e3dc1ebdc7e8182f74f19bfbdb928b3e272cd2

SHA256
7e46a99256d4ccb7558547955c4af53a373efdcfc79972f0d1580f576f5bda04

SHA512
9e170c944dd33c3fb9eda10c6c70150c79bc09ec04c76ad120f1ab59c3bc9788f52d82319c31d18b09d24f56d74d713512d05a30c29574ac11a2657524a7f1ee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
38bbbc0f1c3b482a6cbd25bfac77c5d1

SHA1
e32fb7a4484eaa2d8d5a9d26b1cfc10ceeccabdb

SHA256
57e957fa91fbb55613ebc9c62298800ddd7fe8127b4e83f8f355bb9ddf881055

SHA512
1097f17c797b199a6957abd644981391d8223c4e83891dd6dd850f62f67544b4b0033ac6252d5c3d8cca69071c6da84c3f488863d491be8b772fcbcf46fa679d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b00444e539c1a559a3b369b3d360a1e8

SHA1
53cbc1c3a04c1dde68ecfca13d4289d0e925d0a8

SHA256
0f0d603b55160e742f7fda086b7e7be75e43eaabc96d5ea311a2165a91ee6047

SHA512
e1d003f510b02f7ed6a6b7a2492e9301796d27f4d660bf085f50e3f560360fb0437668abf12ab1bd92b055e5adba012b5dcca56ea575b4d7b0ec6d54f206d60c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8d3d912548df24f401f5dc0e3bffb1bd

SHA1
697fbc6040400721bd4c7a39412c5a0aa91997cc

SHA256
e699a4cd8ea4b6ae16bf389a65de28f2beac256db329ecad1c1ce98a4b705481

SHA512
101288ffdccde2473fbf38e6a7b336db87cd6a360e53961efc14e786ccf2af7aebe7ea08ad03d3c2806b6447ff5fd785b7a332f65519ea236818bf9de7cace00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
ccaff14c5de6dbcd89024c21a2f284ac

SHA1
4ab1db9ff8f288aef3dad1f3b354e28eb2626cf3

SHA256
030ab00bf059edafcef9aca1fedff308f93db95fc9edeb972c0e4b9316a119bb

SHA512
8fc4620657dc8027e232d5057f18b56cf48545a5236aa4fd97be1de17675d4f1298b827c513770eed5964769e9883a2caa2dc4bc6438231ab9525755a8963191

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
98b91cc00e5ff4a082eda945c4350d56

SHA1
2ffcab31e40ddd874ab1d167d786ee6948c87d40

SHA256
2e2706dc9bc7e31847c32ab86a58f29f9d513d4b2d2fcfa6ac0a61966ddf3f41

SHA512
61f02357c9968dced0db0c943299c041ec86f917751b8b9ef5fe9efb005dd6e3d323c7275fea099daaca8e4b7f399fb0ebd256dd212106a1a3c33f42423fcdb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8235d5778135e25569b207a387aaa679

SHA1
3303b0227cbad6346f1e7e0a3e7c26d9b4539396

SHA256
3e3a7a54f924a44fd0e638238bc9b383a7e5316caa6e8c400d9dc66065c7a3c7

SHA512
3f20c424e43babaf44d1775a56eabb878d0a593b61eaa1c94c2286429aa8d5fa06cb0944afe0414098f39c7c2c56b2e373f9585ea42c4710f0412b37adaa2d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
86e4e726dadda8453dea74a9d2b6e566

SHA1
f14348f17d712400c82849d7afeff4a79a628ccd

SHA256
6105777f2419ba4c8430307fc7878abd1a727593782c54578944109d53db93e5

SHA512
89468ad646c45fa3c4c23ce48e8f18062fae09b1e68ea6804b5a2b7037a664945d97c8c8c3f304eb7f9fda757b67def8420afa8dfb8bd634f4b7ffc6d0f42bbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
8e598ed03d0fb8bfc9a99bd9e11e33b5

SHA1
9b727dcdde753aff576842473a9c6ad87c9214dc

SHA256
8c40eb3baa9d642252d26b1494037dc92e4082aecb61e218788e4c8f6a72486c

SHA512
cb301e202cbae54e91f49ec5b566944e7eda281a6945892b57d0c2008dd7de5caa51e5b3d0e5123962c1f6a441aee948303133f43280cfd15f1d3bc4e1867eba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
f4812f29ccb2c1ecfb1bcdc973a13dd9

SHA1
2c3228543152ecc5934844e7cb34932062d89f09

SHA256
38ccac52a30bd7742c51033ede3cb6865abb5e71351c593880ce027fb9458938

SHA512
3f54df1fe8754e037a00d75835c60ef07bbd6b67cfe8a88e1416043dda0af837da8c5e63cd134b5266e4784fa193fb6dde31273a3a21f0176f8ee9c9fd271b03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0c645f9e62d0d06e87191a9b5eb13663

SHA1
9132336ff4df4f28028a90a4e399ae3c887f9237

SHA256
54073ceb80e4e9595e30fcf57d20493bd837193d5a1e2ffcedbe8c19293530b9

SHA512
2375659dddfca900d09cbb9dba57fc20b8c165a08b7460dac218cfed688d737abd7edc9a8aff8f82f66236a6e764f3b2781d06f814b55c644edb11be55aac3d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
c64b1c390ae5cac29b9665b32dc259ce

SHA1
9e26aa151ebd83252c2febe21d234b595d13ec9a

SHA256
d017cc51ea071ead1f15bdfd49617a985d42fadf2b8813b9b587f4e0c6d9e3d2

SHA512
e54309ca30f73c064a7b4fa37061062b1c8af9584b2c6c73373442f692274089b320e6d77b7e80417e930c888f3fca5d786f6df4590f9a0fac3946de405ff183

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
1552d9b3b99c9de1b85b14bf5c9fadcb

SHA1
94124e36ac446d17736e18eed9a53223a436afd7

SHA256
3d63a86579a89207b20a330edae5b2046d13fea36696a0de1a20d9bb7b52d661

SHA512
d4b511d45468d7211abecfbabe19ff48243fad0546191c4be06bf8368f290373ee9fad4cea16a3688c4a412ca338b07f031036ff905a4fdf89fcc619cec366c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
b5a27928a678839c89056eb30f3f639e

SHA1
f4181906a7180b4a6e743e7e6ae0c96646bbfa36

SHA256
41d14a97fb8ccc9793082e104428337ca8ed7a8416facd8d87a44b70743489b4

SHA512
500887edc54d80fb6b477970d730073c0b828b4c2059dc83c3f6c4e1b362f29a838219bb8d2c3590067efc773c58df30057955447c72a088da3b1ab400fa338a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
07134e9a6a33c8df0210988fcde6115b

SHA1
75cc0d2696c8d4476957c2db43bce460c5e684c4

SHA256
ceb67f42c95647e691960f5653aa38b26641d89f895fc39f4393cc4dabbe1f7b

SHA512
c9f30d07bb4522b150348cfcc13b8e138e8d988fb65daad64bea6c5625bb1f8bdaec9ea97c0676a85e44fba8c6e707e5cf64254067a11ea95db315bd2302dc8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4956b60ff8019488e1db2b3620a5a9b2

SHA1
fb409dad81739f5dac8aa0b44c512d9fda005538

SHA256
2fac6b94a8f6faa994c7dcf55524c45b1bd01295e5b430e69b1abe1f7274f434

SHA512
2e72c44d9c45ce85985c00bc0f990ff63c97e40c345917995f8d7e9a8d5714482a6a227d509a81173fe34fe9daa6c3e589089229132493b2cefe5f55c2ed9f63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
60b86c4e8d352a632ce394d12cc0e45e

SHA1
cdf09b7c1c4107a63a2ad2dba94efee8ccadaccd

SHA256
4292fb03f3edf29fca39a0e3d989596513ea2fccbd8cf4965b6dd279d1e18349

SHA512
7618bf234f1433e0d77841fd7e6b992cbd4fe13384ab1ff584974b02dc4fbf0f2a026abe0e4b66e0c3e6968a5a822af2ae5436fe181f5fc964194373d5290893

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
831bf063f1c39bceb5489386528cde52

SHA1
15baa54ebfbd6b5f376e6d4e7940a197e0e7e97b

SHA256
00818a87a128e035f116a1b632fd510c173ef02bb8ba81442836c389a734e76a

SHA512
64406e4a340791360fd9493007d969abbc10021d4fe52ae701bd93174f9bb096c5c93a18b77193b1713b5a08a284139d49e41ca8c0390f0b67472d65ffff6d3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
8529dc79b8c3227a35eddeb09dd0aa2b

SHA1
243940596e1080fe4b1d5b6e45f777dea6cc4063

SHA256
d0bc7010aea53caf7983db86da55851cd7e6494c467ab47174294362826b3671

SHA512
c9345db1245363a5248bde878d7caeb2aae6288be9ba34a20876628590cdad534c4c309ebe72fbcd1a064f202010be9cfd594719c11a75f22e360b5759a791d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
ca5aafd0655041c25bd6df963a3e087b

SHA1
ac7a1de1bbb070192d0db26d6ff3bea5f25a6893

SHA256
fc9d20c105eab44d42bf1af11ad7c9feef1835d5ce0f190623b13057d19dc611

SHA512
557f2305524968e730dc01d1d64854d255482c0a4695008e7b08df6a726f334a13afa57b750b4f1a86ee72c7aba5bbb17807f76e024ab09ca1049a325e9a5ee5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fe08f17bd29580c5dc781b1dbae0899e

SHA1
3af01617efdf616e6e7e2caff171444cef1d0e94

SHA256
d157e1492cd76a25546cc1b65834f2e3d70c3f71e49255233cf2ce61b83cdfc5

SHA512
c65ea8f90c78b4c86febfb7b6eeada2af2191fb9034c70f393c21325e51418163005f87988b71aa0903f66ce6ccc07b3dd61ed838eb1214538ac37d91d2f1de0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b33983f6bc29ff8c0c6a7d77ad85d158

SHA1
681c80b51ab2626a1c660fe90740ce066401bf22

SHA256
7aee9f61b62e96fd7aced913dfc577419a85dab1a10110fac4502213dd1a8e06

SHA512
1ce5822eeddae03c3b12da2c39f4cb9a167c8aad4d4a7d8fca5aac3353ed39932927593c783032b7ce639a2c195bcaf6fc24038f50cfe1356e581429642b3a2a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9840872910cb8fdd30d50e3dd1917b57

SHA1
55b20f9914056121b7c67d2d1dea22258e9cef4b

SHA256
d036cf7caddd971525d9b4e26e91da8202a522b670e2195dffea04d4cfe4a47c

SHA512
54152d375fadb428f1141c3451beeaa44ec2ffdb62d72828b3577ac54b50c863f63cc3b0209578fe311c2ee3824d05b73425fb7f19b422128a390e8b3044bd7c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
70c64d3c3e064ff8bd6c710595aa7060

SHA1
398d06314d3d23babe5c2de1d664b0e74b0816b5

SHA256
8711fb1070864c45cba8af260f39f6fd0da789a151c6ee0efa48db26026111d2

SHA512
29c443fbe6d6f119c35d3b483766df13d16b8349fd9cf60095018ad4f2379f32c7692d1d966d296366952d948b41ffe2441709b71bb3cfef32fdd95d6518d156

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8515601652b0ceea2d53858a85006a8a

SHA1
019e2209062772cad912f852af71a07df2cc04f6

SHA256
bd3714653195dfc102cef484789ddd2abdf4c89275b6a75616b322b060ff4d48

SHA512
16c363fe194edc09014c74e74098cde439f1b03b741872b693305feaa9ff7940db391e801fe7a4ab12a1433df3b0626a3425d33cd42ef015669b999f0e56f972

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
63303173ebbb4e9fdc297ad05a54bc6d

SHA1
1aef7c0b19d102125be8e8df77e7f04c8e265105

SHA256
a186bd1eb90e14bc5e66c066f5ac227b0b3d4584c573492e9e5ebae00a122e49

SHA512
94e6eef9809818dc108a0d6c9f6c76a0dd39b9fe607d071c1108857838e033f2f92f3f57d187501ca742fe6b34d7e597d151f597c5d1696e36c0f95947d2e7f4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
2a448b6e07ee074efd8af01c91fb9a6d

SHA1
09cfd5be4595211c51d23c167dd90dc29b8f9e4b

SHA256
e7298846edaeb5d7542b4d2e0a870ed2a47fb190eb6a307e53591f8338222d64

SHA512
5b5b0492150200ca928e7a3f469d8a9ef96f71cc0143c4759a61a7dea3658a74e1a26ceea8f3cca1a543aa9aa541a49334433ccebd8130ac073ac00b17141894

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
9d1174fc9fcd8d3fd53c55e1470f9325

SHA1
07595f880921f0d1d8f40b056d0e0fece3d9c6f4

SHA256
00bbfecc3f12e33a073a9e5069be2d89996a815e6a9de5bf52fad51bf192c0ba

SHA512
fe88b231763716da3793fb08e42453ac34594bbc0afed244169fc1440e8fe0496b545596ade42227e66aca3d2247e2e93affeefb93f17555a5fdb9145b43d993

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
fe81ea5b8961855b9a7ef2b468dfd927

SHA1
33a3921ed0384b31e71008c58d95ff4d60ecc287

SHA256
22d06814b7004764d061f8d88aa89ab6a3e562d56010f388a45b902bc07c1f7f

SHA512
8633637a819fadba8a64dcca4c27655c8ca3226bcd7b8fa8eb190e8030620fa63b69eeb90bec8deb3253c19355a8b8397bdf2804c068387496bb097bf149208b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
714b1108beec900424311220015b4dce

SHA1
f9e3d5bfc0cc6db7ce2fc73e5f866c1324e037e7

SHA256
8a460e14fb22c7775dec5250313f9c858ca2bf7aee674b79ab0f4b94c95cb069

SHA512
4726cb3652244069dfdfe8d0e02e24ea639236a7bcd1377693bb58854fb7d47d21839dbc4187648c9a25312cb2ae3d61ad7d6c1f261aa4cf1cf48ce90417b71e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
363010bb8c4d0f8277583c1fd37ad552

SHA1
81b0753921e2c418063ed6c7dc3ee394c6070b1d

SHA256
230e4f716b429befee4e83ad15005fe9bba5e700be3519f3d8c34f58423689d1

SHA512
79b6b6c327fa8dadf044f036750394ed8f146fa6939d38a36e31c79ec4b5c5eed5246546d525e7023f159b62bc5fc4bac76279d4ad62b4bcc4740ec4a69be8dc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e8d160e5db85dc43392f3cddb303bb23

SHA1
8daecd47748091b471836402c0bdb82afe169535

SHA256
7e4550926069da16e2191fd50fae5902143c90759969161959e4f18111f186dc

SHA512
18dc00f24ec3cf183aea4edf41a543e2bad8003e7ea43aa96a1bce77a46a4268cc7fc1e7be0453e3bc8c216e5e2e3d2198db9dd95b45aa5b6bc0387c2fa3551d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
28d9f69aff05837c6d2eb5c530969cf5

SHA1
1ff67242f194f5730214bc546cef6045555fba3c

SHA256
a5662be6091a9792a6d0d6709f0733436d6a04f86e4b3decf96dc2771dc09beb

SHA512
8c742bbdc6da916c71dc14fc70879a315ef797a00811f59b0c9c77678b974728ce97ab9b6525a4e5e8c445a635bdd22885791eea35296eb8bd0b1bb3768643ef

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
753fe2c18ccb08f11e94d8ead4d12779

SHA1
8cf055c4e60247fdaae907f4156c281da9ec8034

SHA256
b88f3f7e8b80e48dc60f95230cec363fe856c831a27f2728e16e5863b7509b65

SHA512
7eba02d75f08b61c05288fb6c31a0ebf3c00671099ca01625aaddd55764a64ceb6b5088400092801d60c29656510e1bb33968bae3ef922309e99845c60ee9ea1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
6f3d3de2a82709c761c28170a35dd446

SHA1
448f07e2fa870b5bba6119b89f871885bb3beaaa

SHA256
c8967250f6f661432850c8bb399b3be3c994683cc579c3af4658da7fd12d5e9b

SHA512
18d506615893cdfffdcd13abd2651bc1e65add5be3c662d7b28951e7b742c7f1357338f9df4155c3af04e66dd017afacfdd4d21bfa6161b27b8595c6ba970485

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
cd4af4d288bf09c43fdeec32a7a72abb

SHA1
02d43d5b469e278ec0c82fc9645defa9f6890650

SHA256
6eacd17178e8d57202e22f9fbc813f0845ae88298e64fc3876740f64ecf54b22

SHA512
680c04146a9196b1b55e851e95d8be241ec77c4d8551fa5a2bd3196cb1146c18b1f8a3b7600eb64bd3760dcc4359c98b88a73be0aeb7388314130fe7c335917b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
1cd22dbb315003e16d4f84327b087bb3

SHA1
d8119e1e9421d3b2fddb8d5478ea9696da099000

SHA256
e9f17610af3276765282aaad3adbe9b6f094c6e9989c79a77d31d7bc402fbcbe

SHA512
75bafd9a5b8d4517849a55b17d8134ff9ce3fc5cfa5fa03a00d8b4a8d1d83ac1dffd352a7f2e81c3d7c6e19b8affff1b3e49872ae3b4fa3968a50299fd0a2c46

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e81ca983f31deabefd24120046434483

SHA1
8b7564d6f624df069d359cb5c25134a401798fc9

SHA256
c7c17344789d1846183cc235aa510b20468e8c7fa77a84b511c4aaf06699d834

SHA512
a81057a1f07a040fd4c5bb5c3beba76f18fc7674fdae3ab0b96d49b8a1c35695832b5fb6875cf9a2f64f9c439e13e749185da94a76d7aaed111a59b47f5ed1c4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
61659c8cedd1a2260505e2c6397c2900

SHA1
a585fa5e882523a3813eeb83835cef6593214f63

SHA256
3670da0478c0a1256f6f5c48d90103b118c186319a081ed31e7d2d9401ada311

SHA512
58a835c9513ab1a281d315a4e9c60c73f66eb880205023a10fc5dee23ad928351c6a5bc53115f7193b251a7e06550116c1aa5540cf3c2dde32a20925e4f7848d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
632637fc7b50302e7a4d91e33876d0a6

SHA1
70aae5c794c64f998749cd0a2dd6d2c7478a10d6

SHA256
5cfb789d48771d91ec2554a42786ac04331c502e303b6486c2a9067a53f3bd59

SHA512
b1e8eef0ad2bacde23c84400992bfc28f7d5d2ca62edc097342c5d0f6f445b1e8c87c0385f6e63c39917e2fe85312edace96d3f8042e404180b3cdcbcad69c6c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d2a850cf61361f30f85c01ebb598cc49

SHA1
8978ec2c27da8558fb754692dbbd3fce136e14ad

SHA256
1787ad7dbb390c611ef931b839cff105919264ca9c7630c454c4a149d58fb06e

SHA512
177872f1499cf2880437db3851d1a6133bbf2ffc4c021d3a303e3700eb2895ee08225400ca5a6d8f6059f031d9e6e55059cbe114f294f989e443832e19b83c33

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
607ac7513da9c70714994a3f21228266

SHA1
64dc68d704bb7dc9a0103c668f585a7bc15f91ee

SHA256
b9c1ecb03636f5d14930b258a6d9ce975a680d2dff777c4bf5752ed78e934326

SHA512
83d599c5a933ff9a1b15d503a0a2911fc566a6d75bb3fd500aee727481e5a004cbe66eb77cb8315b56cd1e0d21c22ece63ff88e32c94f761825c2fda165d1efa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
3e791284fdaf16df0493e2bdf0d74f17

SHA1
12c740bc9144a557f99af431a26753a7720ee810

SHA256
d1c3ac57ef3b2460518b8ee865241c5e5e05bbdee0a40e1efe642d99983821f0

SHA512
2036fadeb7e58de94f1740a4ffb93d3fc0abf4d5b0d0ca3e133b157b48a92fc424ec58194743cd4b8edbbc02f1e86f420967d804d7f6fafd8b4271d66a8f30c1

Download Submit
memory/408-254-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/408-567-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/828-47-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/828-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/828-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/828-39-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/828-49-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/888-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/888-34-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/888-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1032-223-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1032-114-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1304-123-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1304-229-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1352-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1352-568-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1440-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1440-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1440-128-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1440-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1440-18-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2456-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2456-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2524-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2524-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2524-521-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2904-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2904-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3152-129-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/3152-241-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/3164-85-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3164-87-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3164-75-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3164-76-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3164-82-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3588-564-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3588-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3700-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3700-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3700-53-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3700-59-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3720-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3720-563-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3804-188-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/3804-524-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4092-210-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4092-99-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4092-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4364-140-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4364-253-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4560-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4560-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4560-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4560-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4696-90-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4696-2-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/4696-1-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/4696-8-0x0000000000800000-0x0000000000867000-memory.dmp

Filesize
412KB

Download
memory/4716-199-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4716-561-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4856-155-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4856-389-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4864-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4864-479-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download