329c616474f9f294acc00218646213d7708aab6d7aa9d1a4ccc786bce8397bd8

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 17:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Size

1.8MB
MD5

57acc7355622403a3cd582a24074f781
SHA1

624f2c8404e6e456241a4ab4993ff7f4b8eb6358
SHA256

329c616474f9f294acc00218646213d7708aab6d7aa9d1a4ccc786bce8397bd8
SHA512

81ef4601abac55534ea90baa893173c08d0526d8a783ee36bdb336b820580e245e57f565733d9be795f70153a20f1f5a2eace90534e01c32766f8e5ce1967f0c
SSDEEP

49152:QE19+ApwXk1QE1RzsEQPaxHNuaB0zj0yjoB2:193wXmoKxB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3832	alg.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3208	fxssvc.exe
948	elevation_service.exe
436	elevation_service.exe
2764	maintenanceservice.exe
4836	msdtc.exe
3856	OSE.EXE
3384	PerceptionSimulationService.exe
2148	perfhost.exe
2892	locator.exe
2120	SensorDataService.exe
1616	snmptrap.exe
2380	spectrum.exe
2720	ssh-agent.exe
4404	TieringEngineService.exe
4800	AgentService.exe
4420	vds.exe
5044	vssvc.exe
2052	wbengine.exe
4280	WmiApSrv.exe
3228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8fc9f197d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e47c6b5f28bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fa99c6028bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4dbca5f28bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000592e226128bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043bc285f28bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f96e35e28bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb6bdf6028bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bba475f28bcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006045d86028bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000056b585f28bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000095f2266128bcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Token: SeAuditPrivilege	3208	fxssvc.exe
Token: SeRestorePrivilege	4404	TieringEngineService.exe
Token: SeManageVolumePrivilege	4404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4800	AgentService.exe
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeBackupPrivilege	2052	wbengine.exe
Token: SeRestorePrivilege	2052	wbengine.exe
Token: SeSecurityPrivilege	2052	wbengine.exe
Token: 33	3228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeDebugPrivilege	388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Token: SeDebugPrivilege	388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Token: SeDebugPrivilege	388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Token: SeDebugPrivilege	388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Token: SeDebugPrivilege	388	2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
Token: SeDebugPrivilege	3832	alg.exe
Token: SeDebugPrivilege	3832	alg.exe
Token: SeDebugPrivilege	3832	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4728	3228	SearchIndexer.exe	108
PID 3228 wrote to memory of 4728	3228	SearchIndexer.exe	108
PID 3228 wrote to memory of 760	3228	SearchIndexer.exe	109
PID 3228 wrote to memory of 760	3228	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_57acc7355622403a3cd582a24074f781_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2736

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3208

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2120

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2380

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4728
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
46ef6d9e19b2242d3808d1c8ef3edc59

SHA1
389e38a2da5ed1f129c44f8e61a015c4a8fba657

SHA256
0ed8408f6bc16307be3ab330d4dbabe22635cc284af0faa2ec54630b6abe9c73

SHA512
1c43fc46546a06d007136f0c03623bc71d27cbffc8aec3158889beb270a686b9387cee8e9b512601a82405c2065dba9477c332d0af8d7c8cf9ef17d4b52c3f62

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cec9129c36e06fa9871a3b6f62b45268

SHA1
583fb0a63fec60e2d02d8a06603e2cc60c5300fe

SHA256
fd4f4ed278b18df06c435ee7ed990fe9a499c2daa02dc2ce49364d19a25df243

SHA512
5db034354e9b31892faba07bd1a45582943fbe908cc88dc9b727669a907b72eaade18ec3fac37db64b934d6badc43cc9181534ed8212e803b8274f7c67574459

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2f590836648c9e0db314303a501532d9

SHA1
24ca74ffb94c5e173de613caf16965b2c475f277

SHA256
144d858864c425aa7a7e0e7eb0058cbbcaea7c6736c9d854ce105b62515ae04c

SHA512
1cd825b141cfd7193c8068077f82a11b7cf1edfd72da8cd65c9150d3c884fa8dd0e3a92f0467152bf1da86bb6e4b27d6a27c11a7b3be1d0db3ecbaae40e148ac

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8cd6f9efbbba2c979fe6a62efb7c11d3

SHA1
c9e593f888312550e55de1dced7c36e5a0bf1eea

SHA256
827f2f5487562d378677cd31531e94a5109a3dbbdd11cc177672f48114ca81ee

SHA512
f8470f831bd1a9314a809d7bb044a1066a20af890df866d73760345466d72442210c91f851dd1faa1e1001843085af0bf639d1e01cde338566ad3be89ac3bb5b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
25269bd17f2c8255220f0a20dfb5d592

SHA1
f9cb12f8f14f0e94462c549e65fa4f47296f3ff5

SHA256
51d33b6f99f979b70c85cb76387f4aa280eb2913b40a407ee4f3964e748ae389

SHA512
43ac2b96364185dc1564a8c5f0c5db31efd745278b8994cf283d614f3ef2c9eafc5c31940110d53c2e216a7c9516173c02d57ad1e9fdf36217165e07231ca366

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0eb2ea4fff5e3698f6a0ef365d03514d

SHA1
aa515f3fb77229b48962b204fe0f330ccf7f2f83

SHA256
c56c4e0479e1a48a4a3a8b903ff5cb69706eafde01f9640d26bba54901b8ed85

SHA512
43031964311dd7be0ac5bc8e2d3229d04f79dd51e486a21971cdbe55c73dd68bd84b9197ee681d9a6f7c8b1f999f28f44377458881b05cbaedfb7c8888baaa2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
252261ef0f5b40d9f4f7b7798af25aa2

SHA1
18244d300239687090b94d05bf2588d8c1b8d139

SHA256
ef385238712800b1444a4985bae177d541f064da21addecceb5071ed484eced0

SHA512
0e2947021742f53fc95337e8ae0275cb909b9149a01a4034bd78df35b2d60fb4d3545c82d290571604f6255a66689adbf54d05255c0e432554f01d778d4400f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1733eace561b0fc5f4875ef558187cea

SHA1
26e372cda510abf997908f886e31bdf1c1b9c0b6

SHA256
2d197f7405e4ab2fe594eacda46d520750487c53acdc0e5533d3a93230af3604

SHA512
0d457ebc0e6aebb9c4fd85767505ab52f49b7ff993fdf28bb6436160569a742c64cceb88836139f7eb0e314086bb7011d00fcc2e066783ca34d489b97747bee1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8cf24cdc47265dbbcb68ee36d923bfd1

SHA1
426887930aeba9665f7a7ee35e959be3a6b5e5ec

SHA256
87c148bdf7a192f09c6aa72c21eaad213c9fe9c6e117704234c3d11a3a08b0c8

SHA512
f8b4abed2d3fc133de0d8ddae2125d66aa804039d0c5416d2082a98c32774e0c522f6fb979e046bae0f8a94382acdb046d3eb30288efeb6312103f3251d7a9c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f9c5cbb4d3d3869b3b16fa17e5be62b

SHA1
8f34820e715f98f35bb4ab51b69bcee529f08726

SHA256
5312443c7a3d6fd90c2c24c5fc71fb07013a02fbed1196fa39e9e56efea26d43

SHA512
8cb5b92dd71116249039da95293f84880cedb0459af572138598ab53f8d58ebd177b676151a8f2f72b86e8e09e5e0c4531eb5b7c22cd14432bc32a153d6bfb70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7f286a01d4d69e6b9718a5f5075a4afa

SHA1
6e3139886170844891f68431420f44dee2b2df5f

SHA256
42dc448db06f88497a69e94c508c099b6f1c24bd288d4b4324c3a08b1f6dab73

SHA512
a9ee1d1136a63f4f0219a6a175e2ec9d52801e9fac119cac37a8704013af1806a08eba04281d9999bb3b63a78e9989de7b9181ebc7d093efdc113dc71f5b0314

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eebd0d65b96fde6400516c6e96392c3d

SHA1
5a78402bc9910dcdd403c4763bdc01614c486bae

SHA256
c73bf9772888d463999c946bd533caa22a3cfe75362af4073d8ab19062343aa0

SHA512
897fc3edb0266da572862df7dd9c8626e597c867eb4c6a6ba5b35e417c6958881a52e0386c4491569cbb85db34a50edf9db1f8d091a35af1e520a867c07ab09d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
63a74c8cac12fe5e606c1c53f4ac5753

SHA1
62513bf09012be257fb3e2a6e0e46aa03877ce3f

SHA256
9e6da2e995b18a6488d605c42c5cd0f40cc3908ce10b2efd6c1fc485f0bbd6fd

SHA512
cb279bd8084e46acd1a21075df109c3ab4c15a734da22b7b335a20966644de12bb802181ceada047c246a564d58af7070eb33cbc8e1f6d919a275f990432ae12

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c70a2ebd74e2210fee0072f58aef81da

SHA1
a8e9a9b1c1bd54975628136b75ddd49eb8e14cd3

SHA256
2b556008a1ba0cb50f89b1aec5e87d306bd4e6a3386acd6d84c12f8c8b15d27d

SHA512
eb578d05f65411eaadfce31f36d4fa83c0974e3e705a40ddcaa25d50a14fee1a22674cbd7ccabc53f2ae54e572aad0fb09fa5ffe6eea5d384ef7edaced3d69e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
819982fed0f946be76dc511e7ac0ad51

SHA1
0cfbefa60ced95675a160aaf7fc03765e08f3eb3

SHA256
e32fbd66565be8fdddb2c8eaaab87b882ce3787e3f5574fccd349b4bbaea238b

SHA512
286ae1be47f044c4158ec97dacbdc073072aaa06014854e6266778a89ca50478790ea78b5f4cd44615af1771863a575c2213e14ab500af9e209086ddea9996bc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c9c609a31b23af9a9cfda61626a8e5d7

SHA1
1b843733995ad0feacb25e50f377160c14887381

SHA256
0400454fb692d3cae68378e1c16668af18f1938d30676f882748a5ed53e05c1f

SHA512
ca9052b69899389e3226b673b2cfbf20f70c9a9235db271c5c381f117628462337ddc721db5e21aca7ee39ef5dbb164fe09ef8c3e0af2a569ecd38fc76b5d2a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a85247ef3711677cff000fb784c49097

SHA1
0835d8a66dd89f795b93448651716b3899054f59

SHA256
7fae51e6f2c77ad7ca9059a016380821f9f0db0f8c274d35d3d45d4ff76b8928

SHA512
ffb098a6cdea02e4466b2754b50f12faf2ddfa9a1ff894e42c981e809ca8aa1f2ed51470715e6cf1eb94b92aba51b4358549f9d9a73915f3d18d1ac29269df44

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a41e161f27125bc81ddc9af51f54fdb4

SHA1
804ed1f01fc12e1b3a6661be42461a32d3b63fb0

SHA256
0aa6bae4af00505c62b6bcbf85e395601d22331f7980a03d56c191f77ffd0520

SHA512
b45684d37dc35b8a473e54c7a73a7e87413f557585e05ff1bd58bd65a024810fd7333d95ba0c5c70e7e7600e739d97c3fefba7f676343862307203d50531dda3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7254148bdc88a2286fe091a2fab5a13a

SHA1
4fa0672e490e775529716926fb50205cdde078e6

SHA256
e37c6dbf5d763346a93c182980bd667a2239ef9f60d75a15bba0b8ca368f3ac1

SHA512
060cd31a2ae1fbce6d36da7597660d44011de7f3b4b8db42f0d5c5e51a8ba9b1271a9c01d1dcd2e01c0e7e31105d5a2d8c6ac9649a84ca885cbdd05be0c56275

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ac95509af622bf1be34692524f16a8c4

SHA1
c6f7294f918c717e3550765cfac4807dd08f8624

SHA256
58d6ee63fca59a1a0f9d7aa0dc3b7e5bd83c9f263926bc8b43ba45e708a53a60

SHA512
bf9c67d477c7f522cb88985b6c862f90870609eff3ae52d273d3d51750e83322ae17d82588207fa7d0f5fa493c56ddc7745a985025c2754fb32af5f80f138e7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6608769663d3c8bd83ffd16c78af7fac

SHA1
c15d204c2e06070a11c2a2a0b773b258b01250c9

SHA256
52cd280c6552c6ceb49101a65dfa99e631a0ea68ceb2ba4d5e66f1afbaf08137

SHA512
8b9230b899f3db0df7d2c3063858c809ae715c0f369ca5a040738c205d6e686c643f196d5d0cbfa73dfdb4d82da5fffb4b2326b4204f8cc11a137b3e9950349d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2032054e59940fabe3103e17a569952d

SHA1
40b700652562977699ffb18461579b04c07d6c1b

SHA256
626e187e8af0fe428d05c8a0d7ed281bd2892a813ececa1673da8ac14187bcf3

SHA512
83a061a7e2031667c63d05e1e9fee51a9fced8938f783b7ee01ee5b7fbb46866f259f256e22a26b0ecd44544ed2085d8b5336765d3ffe9476d788df2f34f1b9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2c32f4657b8c19b3b6baedf71633900d

SHA1
e6e1e45502ba13d7a5f23dbc63e78d78d596415c

SHA256
01fe4839bf9d97695fc1951aa3110964fbbd0fb1cbaf1e9d86e7a375c89d70cc

SHA512
95393dd3077c099e0f6b5810f184816daf39ac3894963a94b319812179780f4576176a4c1b99185232ec7530bd58a13cab0237290fb6f08042e3f097adb66e9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1af0b19b0b218d4d4f44a3a3d6a77f0c

SHA1
80c9832af56ca0d585c27470270fb9c34cbe65f9

SHA256
e8833159669a7ea1e00869dae4ae668f2ac54a6bcc74aebf148cd83951ce4a17

SHA512
eca97b454e5c91e5dc0b053a6759e648ce4930124c499e128c1e446152d816d2d8d0e43b954bcf9098cdbf982ce10231b7e8a21077ba833a565d7119509ce863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
595366d4ed294ac0f19e036745480440

SHA1
74ff087a1b4b64c2c1feea75c9f70841d97cebf0

SHA256
71befa3245db7bb7f4a6724f4185fda1339bce683e89654113ffd12f07bf2aca

SHA512
65948005548ad6aa9c8d027ccd06f0d04a7a308d2cec7bebaca97088955b2cf642f35c52a7799b86a0174110856f9dab631a4fb04c8ede80c9d40e593b07bd98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
527fc774f0057783f498523e01d34700

SHA1
e22dfe495c60b6f4ae1521008221ab5d0bb72c88

SHA256
7c786681ae9812695c31aa90a324cb9160989d1392c0f12170894134e655567c

SHA512
5a544cc6d00b5ab49d6aac6b033c2f228358423f350748b22cd1320a41e0d7d24d4059fdae5b136db765e95ad0496bd135666af72174b011b3c3c73551e7c72b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
82a34d03146c08a971cc99a9c2c40c34

SHA1
1c130482d5774be3102f0076488dee8e73f43618

SHA256
9b2a80b275d0e9fb763cacaf90537637efb61cd2ab835597b2a20089b001f82b

SHA512
9a4917c2ccbc46ebdceffa904ffa278ba6e591fabe3a7f30767ba175ea628ae56c647b1739fe370b5db6cf52c1e1aa7084d240cbdcdca2d689e634816a93305f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d47569e8a2ecfbcb7213c95f2aa25788

SHA1
3e4ba4f20ee02cd5225647080090a2017a734d3d

SHA256
05ed3c2692a2fa664ee314c52caacd330ff6b7f079496744c7b50d1be2650630

SHA512
14118e90ef2095cfed672ce5d3dfd0307b6a3574af56feb24bbcba75c736f9d8346f7514c8fa139e4b12d0812bc355f62a2ed11c89ef8f71160f16dd81836dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9676fea98a82f9b2179ca1d4b3438c8e

SHA1
4a6c80d97ded947a5c3fa45375948d52ac9ee263

SHA256
f2522ab671ef8a21f9f4d95325be19131667eba7faeb19ee56a9098c0252cb70

SHA512
7c45c974ae4854fc0542b902cfb6cda3cb4020a5826ed01455cb0456cea77e5d4673a28dd404ccf8721490f205571b9838fd15676ba261de378ab98d0c79eea1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6d3fc50dc5d8eb1ae0474f8a7e39a585

SHA1
920dd337c44c78c5269287a327d9828d5b5d4ead

SHA256
cedb305c5e2cd64b99c1d956d4b62997dea29e7e97c426cb874fe3dcd2d8b7f8

SHA512
cfa5b25a2c6317fac9217f62f163e64ab1c902dd34e5282c598a8157f851a65d3212607da4d68245eeea8a23f282f7c14a0bbf3e5dda85a41f56be487a594ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
86386513e0b125c5d7698e05745b9bb0

SHA1
766e6bc4bf4f54c3640e071d5c4b4bb406c85c9e

SHA256
a24ae72afdad7ce0fbc0d7ed52a913c0cbe27c313ac03e0556a094abf86b815c

SHA512
a039986336a6413377a4cfa9f9d1b5fb2dd9bea1f8b0322dee2cb296cb6bc3b00c05c7b9520a4e08c9778ae16f6c9880c788ae7a23599303f793f6bc8c87dc41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
151f089b10d3113c8ff8f1b663faadd4

SHA1
5505f935a0b11b4baec10d5bebd6ea9571b0e729

SHA256
92e2238c26020ffb74449edadefd374ae94b96b035406fe391dd214709f4a8c2

SHA512
9958a7db49132bb9644f4ff7d742e86a491871bffc0dc3ed7459dcae0f97072222f60f1b770a5a57f3413ffd37d533626f2b6dc34adb6ab61592c9f1b9c67a46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ef77215b2f5233d81dd19bbdccb8cf28

SHA1
d86e7f869c3d902a3760ba5ed151c7083561da3c

SHA256
a096bbf49cb3ed8e65a018f16ad85237c8453a05265d35f658fde97772a92bfc

SHA512
bdf0f2f3753e270c1e79f552f6fefda28ffb210bee2e2d964c5d7c38fa2b74cf745d4b7d7fc40f02b7370f5d46720d88fd71c5eabfbd6ea7c084978051049698

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4f9eddbce19defd3496f1d76aad06644

SHA1
25162af06b1c47fcb4b955e4fc5f67a7c6e360fc

SHA256
ec2246c9a593cc656ce7f2f3dfd404b21f761e6b52854f35b67eaf7b502b58de

SHA512
e3543a6321fcd46246f0f5c9a8e534f2a5e3b0c151396646184187d8213619336c027c9e9ece4606a6e2e16b5a1e42cdb92c62660e93733e4ce9e59ae1baa275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6c78545ca11495655b9b23d26ff82e39

SHA1
9abadf4ae3aa607d5251488adc21050c7aa59531

SHA256
42be333222003c03de41565fc0bea70829df7ef10c95db8f89ea87c89a85de6b

SHA512
1d2118814ccfed7b7ea190bdf3291c94136e3d41af8986068986c86dda39be2ff71172c409efdff13c5697612c92ccdf5a1f4396ead0dab09082880e788a4fad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9e57cb7fa5bd434194b16c603ff6d36c

SHA1
64425627b19e7aaefdef85d4e683d4e85d2218b0

SHA256
98c919c16680319a94ccaf90af7c6cd47f841bafbf68e4f880d6ee60c924c775

SHA512
193621cc5738674f1d240a560e960cebafd552669be4034fcc7c9d57449a8663872e7052eb6186f59ba5fad99b46a0cdf7b45208e95c87104ce6a5a68a242560

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5ae813afdc72a11ca9af4ccead3e0176

SHA1
f6aa22dc53ca75154525ee4bcf1f01dac7f84dde

SHA256
83841b92e2132573ad0a9995fd6b770f44bb728f50e94635947966f19c21b61c

SHA512
b96ba1fb9cf11d3f467e6148c607cdbebf009eaa149c2870d51409c83d983962a92dfba3d6e144a694fa51f1258d9352fcc0ce71d7ad971a5a7c1e83b5604d07

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9ee169120c1d9965d0746e9cfdbe8095

SHA1
7df2438561d834dfa10bafe6d3915b697ed59964

SHA256
8dfa022cccc973cff6b1e9a7ba71cc7e1d49939f72a7493576431038e257a627

SHA512
bcb0f606b921349ad4b5ab3f83990d8b1b6c78e6733e73087c1ea9f8af21802da67a79074924659ae0d9d3beffa77f1c17d3de0bc8d54390640c9e563a480dd0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2a6170d8d775eb0f3b42900ee519e2f3

SHA1
2d4886532d2f46f93075c1922aa3a951494fd027

SHA256
40adb8ec493989327bcac05fa0f942d7bd4528384a3e2fbf0789e35ea819ede5

SHA512
19c9c6e91638049fc2a09af49f01e9767c6b6b5dfa907d6b610d203c4d90e2ba440724eac7fdbb75a8e00635d1531560fc213c0839419b83e3d3b0fc3eaa889e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d3e84eab6374798dacd80deb965d521a

SHA1
2cbf1a358d7c08fe912af2c3ec0e146513f92aaf

SHA256
62ec720a0f0e45f3b203532c1156c022428d736ed886f8c1638a6ea12c5d97ba

SHA512
dc816ac25712aadf99b976a7f777ee8a4870fc1e23aaba6eaa3e0ef6e334040974b464c0cdf8a902ae59ca30bef43eb73db6788a12235804352ae9aa819e9cbf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7079e2e83da7a32856a1623bce1b1e62

SHA1
4aeb67fb443c0f887e04ce9b061534a03bd0361f

SHA256
53be67e4f3397bc46ce0547f4a89bca39f90beced48a5c0035addb066683bc61

SHA512
469003236241e7a1188303f17ac9b7a140a630719d217f23f76ddc9a38d62d28e30f602a2a534901c1d1de06ab221672e6712724b9fe3f1bd2826c7a3a353bf7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
06a777983361a9d8360da6fad0a6f9ad

SHA1
cee35814313182365c824fac7d9680958da6ed27

SHA256
f491f82ae690b0011a55e2d953259017d632dc95157ab90912df6904e2290089

SHA512
9feda89cf3b577378312a713177be13c15e7b7edc762e2e42cc4c65dbd8e656235d548e8d1d751686a6236be2e30e926f6ab4f0ef0cda9cf93980d29c86ccdea

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1503cf9a2b45f8d2f91b59f737fc2086

SHA1
406f5fdb566962b865e2b4f846c42428e0751351

SHA256
1198cf7f2f3da3395218debcd8f2f05ee12ce662bf500dd57f62f59e05adfaf6

SHA512
507fe772c9207af9b38613d45115abd038fdd2c6680e8e02bac6c5b847bfa6f6f3599305cc3498f23d0d1c5dab71c51929e2e51b5b029e393b3ef83bfc2299f8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2c001a3e12878a27178e08a782b50e2b

SHA1
3b054651d82b50ce7efe639f41dbf41e23426d5a

SHA256
d5f7cdb0aa02bf6b084cdb89e91a85cb1666cdcc320401e640255da60f24de49

SHA512
7471a412e0455e4ee13e4261a1f8a1c796ef5e170ffacb856a6385fbc848abf9caa3eb179d3eec0257e55c56c6b0c2cf1a509e101cf04a52e9e3eacace3002cc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c899b2a96f7300d7eca6f7379795a041

SHA1
52beafb288b252eb215a4ec65035a5ed82b48d5a

SHA256
38c248bd8a65dc352f573d039b49d6f88e3081f02e9665e9febf8a9522a50900

SHA512
34a66b05eb2d56d82290bcb20c752fdf514bf84b9112b68ca530328af99bfc9b47fecb57b1d062098005482cab60d1a730348d8db5eb269d28f6aed440beb40e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ac4c3eae5e13cbfe69a99ce69cf5875c

SHA1
93329cd104a31052b01582bbeead102445ad3d02

SHA256
b6ea849b01e9302ae0d1e03bbc17f898b1a976b3f12fb76253f75c9b35e665a5

SHA512
cca830ec53fb6bc52aa433c19d0d1d0758f7514bf08694505dcfa3c74b5865e15095fb989a45dc2e5a0511fae7874ed51d79c3efbd9c36663ed2b6f324c0818f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0e83bd6a4c550e0f146b9d07c2236aae

SHA1
216718fa68b240ae8543ed113a446fee1d188680

SHA256
c3f05de585cecf491c68f04037980df9c53f15cfb9cbe1da4771c673ca538fdc

SHA512
0f336f2d475c0e999c98e1ed4b3ab54cbc6aef3bc8b97fb7d13b4f96537b77a8e2d7db99241a5cb378269c407c6e4a1d5448c76043e5b01dda2c12d37ce9c213

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d77c4a21e3105d9889737725faa4bb31

SHA1
6a1c3840f5d5a035c8d0e3cc84c4a1300ed57f0f

SHA256
d64298c8265d1b474c0b6139eda371cf42735594bcf187ad1099be6c1bac0511

SHA512
322d15cf8922b0df3b5d1281604856c87df5220730155aec0c865e8860906fad20e3890bcd1daddd3cda8320bb4f9ae9d31ce0c722b95e1f6989582dfc2d9d0a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
93d8bf2955c7c2164430a87dc7f3ad81

SHA1
2422bda4b6a6c068f46521f68f214e5c0357a8d0

SHA256
b4ca4fd2fcd4c7ef511c5f1c8212779822f41a85c3767f67ba7d9de4e7f2f6ec

SHA512
ce80929959135f618ebbe937be735a3e0ea82e4a2d014c06e8ba9c45e27dc943b6aa12015e9495f80d48aa7fb5b3d3a6ed4ba8e90fd7f8df071c942d139f8afe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
836b6cd64a2087f1b702b3bb51d29214

SHA1
177b53b20a463c5eba5d1f9033dd4e3062b51aa4

SHA256
4422490a9584b32fa1db39bc78a6474f0093440cf5cdb68a3c0cbf89a854cd56

SHA512
ad1dbf1b80418513fc6d88cdd01896adc30b4f07eda630c58b77ef5146800ee311180c3de9341f9a1284270f3270df21c1d1f8bac15cf4b18f1283336dfed4d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9de8893d1d543a32888a3c2bf5b1a7eb

SHA1
ffc0dbacf2b6e7670e2928abeccedfe198a0e11c

SHA256
6f1f467881645cccf70bd8f96bbb243dc16f48f5e16a119dc6bbfb74dc1df137

SHA512
82f517f9a8ae947afa64c09479daa57f0cb308a69dea406606818cc8ff25179356a75006c9cdbf345d02e901db7bcdfa61f14a6ad63c7a9538a0e060e08c86a8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
842e9a7f8009ba64842ee0a0bf2df51a

SHA1
7331080e2740c122660f828883b8f6d71d343e64

SHA256
050cd5da15a63392973899fbe36a234277f55dabfcbb24015f56767db74a191f

SHA512
1a242e2a7fdf906d1313c3360b7e3ba01b87124cb2c93c6c746beb7d3086ba884267f193401db6c43b9aeabf44e5938f212ee10ffe9b27650d6de36d08f8cc2c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1a69ea1166114bf8f85c23bcb80d3484

SHA1
078ff7c37da8258d115bf6dd7bff62a316adac9d

SHA256
fe58ce2a932d9590b50ff3f47fa1b491aecf40afd24613829909ef31ea80cfd6

SHA512
c0c4a0367aa99bc7c4007aeea14d6b64093f453ea9e94fa79294d0400479751049f56571c245d6d1cd75406619a21a07e81286a6f1325ded671247b1fc65f767

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c4c25e2a1fc48993154b79a1dcd3255e

SHA1
d59f2d15306b49f19a1a6bf1324534ca11debd13

SHA256
0196ccc45a5fe067752423f149ff79a69dab624b89f0ed1e2c7d9558e1c407bc

SHA512
b6d848b2023549bf128b51ade3626c4b7a49f0f08a2a99b916fa7344a997aa953516a7543783e8b1dd0d695893af9f3c0124441bb8705a3e9db115590badc2df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
849c0574d1e653ef3919fba99178a1fc

SHA1
c1f692561e24f8bd9485a16af33fd234c72f5b95

SHA256
2c9b224335a02d5e02da261dc177bc56d6e6556c368cbd0c2d56b5ecd2ee7e01

SHA512
34959e528536add58b40a81533c0083309ada94b25a646da41c2801114617110bf7fefc4d7acdb6eba765920ed47b1c0dc82d64affdf829369e86fb74cd4f04d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f62ba9180bd797617d9ade1f60c2e6a1

SHA1
023d8fe9b30634525cca90464c3d713bec2af454

SHA256
28b2fe1d133214652c9a84f62db40c29d083e3771335af773b2930fb90ef2350

SHA512
aa9dc2fa72676125b57bca478ff974e028ef60a3ac5db260d55392739c3e99084af8a9436fc6891567481c45b0a45fb6d0391ffbf3bed85a9be832687badf8b3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd024b174c65db19ac07a90390c42df6

SHA1
0e20d615eca6b22fb5bb06bb1801387cc1821967

SHA256
6c18f217cd20a2237aac205e9e0c704685c160fae8c12dcd3f1dcb06c350a8e8

SHA512
afb0abf5aa9429629621cf3adf7e0574c43398ffc8a6bdca6ea4d0ae43ccc46bfdd759be7dbabf85785a1147b64eaf063b7ffea80e0533645cf94d248cb3237d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a566296027a20facbd72d10faf207def

SHA1
ef5e739e95431f0294f19c9fe390590d801457f4

SHA256
d1b535ca7222b9ceb161306f4de7b31e48a16b4be35c521786e5c160de84dd53

SHA512
6fc16ad16bceb9975cb98c207ae200b5b882f4d02b87ce8efba16c6e6c6e40b20f758972260e3d4d074740fdf4ab642e000a929c2bcdc1aa7654d678ea23cdc5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
01b78f3dbe9006c523a6c3d5bb8e6d45

SHA1
0926d09bc267251e3fa2fdec279e150564d9ec2c

SHA256
f2b0fe62746b0ab17190ecf3f1417acd8085559b911c7b609c8d5b113da29ae4

SHA512
90b16a13a6332ecd067b9db44bd6593e882aa77503eb35d3e776daafaab065452addc2bf9535a704a11ac029b7477b563bec8ef4ed4048fafbc931c84746b54b

Download Submit
memory/388-91-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/388-8-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/388-0-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/388-2-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/388-6-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/436-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/436-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/436-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/436-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/948-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/948-167-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/948-60-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/948-54-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1616-446-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1616-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2052-564-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2052-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2120-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2120-558-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2120-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2148-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2148-242-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2380-503-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2380-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2720-555-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2720-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2764-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2764-82-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2764-87-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2764-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2764-76-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2892-254-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2892-133-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3208-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3208-52-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3208-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3208-47-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3208-38-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/3228-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3228-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3384-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3384-230-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3664-35-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3664-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3664-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3832-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3832-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3832-129-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3832-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3832-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3856-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3856-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4280-255-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4280-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4404-559-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4404-192-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4420-560-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4420-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4800-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4800-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4836-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4836-93-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4836-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5044-561-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5044-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download