7ca09addf8b14d7523e172c1e1aa1ddb54f5e41b87de57bc50518032b2326e47

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Size

712KB
MD5

be7673227e1e9130d84cb4fbf2c11708
SHA1

bdd1653b83921242ae35e36405bce757e7e35a80
SHA256

7ca09addf8b14d7523e172c1e1aa1ddb54f5e41b87de57bc50518032b2326e47
SHA512

eced12c183d99e3efae822ba81b0dac22ef0f92dfcb1c2bc80c1bc02bae9e2e6c850d19f132b7480108e84d91eaa91e379a1bfb1ce0f6b0be8df27385571fba6
SSDEEP

12288:ctOw6BaEcnjg+LW9GdbKoh3xOeXEV8LkKBAdEc3wvOXpz01Z:S6BFcndLxdmo+eXEVT3wvUzO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2916	alg.exe
3728	DiagnosticsHub.StandardCollector.Service.exe
2904	fxssvc.exe
2900	elevation_service.exe
1228	elevation_service.exe
2152	maintenanceservice.exe
1412	msdtc.exe
2444	OSE.EXE
3292	PerceptionSimulationService.exe
220	perfhost.exe
4284	locator.exe
664	SensorDataService.exe
5060	snmptrap.exe
4936	spectrum.exe
4384	ssh-agent.exe
2880	TieringEngineService.exe
4880	AgentService.exe
5076	vds.exe
3136	vssvc.exe
1252	wbengine.exe
4180	WmiApSrv.exe
4376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ac84ba092844182.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000851ba37dd0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d490f7dd0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004da7d7cd0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000440e147dd0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004515797cd0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cd3187dd0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Token: SeAuditPrivilege	2904	fxssvc.exe
Token: SeRestorePrivilege	2880	TieringEngineService.exe
Token: SeManageVolumePrivilege	2880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4880	AgentService.exe
Token: SeBackupPrivilege	3136	vssvc.exe
Token: SeRestorePrivilege	3136	vssvc.exe
Token: SeAuditPrivilege	3136	vssvc.exe
Token: SeBackupPrivilege	1252	wbengine.exe
Token: SeRestorePrivilege	1252	wbengine.exe
Token: SeSecurityPrivilege	1252	wbengine.exe
Token: 33	4376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4376	SearchIndexer.exe
Token: SeDebugPrivilege	4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Token: SeDebugPrivilege	4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Token: SeDebugPrivilege	4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Token: SeDebugPrivilege	4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Token: SeDebugPrivilege	4832	2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
Token: SeDebugPrivilege	2916	alg.exe
Token: SeDebugPrivilege	2916	alg.exe
Token: SeDebugPrivilege	2916	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 64	4376	SearchIndexer.exe	111
PID 4376 wrote to memory of 64	4376	SearchIndexer.exe	111
PID 4376 wrote to memory of 1492	4376	SearchIndexer.exe	112
PID 4376 wrote to memory of 1492	4376	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_be7673227e1e9130d84cb4fbf2c11708_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4104

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1412

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4936

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:64
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
61c41ebddf51becedfaeecb281013bc7

SHA1
45a44b6014812b914b45191e179853741ccdaf6f

SHA256
b33dd9a3a6aac7f1bc0b8293cac0f8abc8fe8ec97488a7585474bb1c1daeef83

SHA512
36f75b3e20651dbb765048f4bc6a7904dc8056b401c0c88654e18a15e3dca15032d52867ac619a20ad5a423c3c554ccf5c8460674f2bfed9e26be11828e88560

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
df573344c4138d9a8705e27943ca0164

SHA1
169ed4aaf26c7975ddfd152edafcb18621d557b0

SHA256
fc9e3f024097b50982acd32161a5080b501f9cd9964e380e8708322a3b1d2422

SHA512
2da8914ee8a1888d49d3ab6a3b0291cb5b40fc393d9ea3e2389eb6c5d1cefc545ed9ed8fb7338e77bf6ac42a8fa0a9a0b0dbe1fe80704ff83dcc202155b6bbb7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
19d3763e7ff0771c71f710cc5fcb29e3

SHA1
bdf4eee3941abd11678c3725b8e3b901c236eff9

SHA256
0cf25484e6b198fe2fdc78b049ba7e7ee40c0987e60801e7716d78fe244feca2

SHA512
b7e173592c708735751bde65d06900435d3205c827db9c6c201952107163db8a90a8016098a1dedb0bcc832bb1da3576f5ca99810bbd0ed509fe1c09135a67bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3a6232ef3634a60d0cafd1f9bb814f86

SHA1
2d14af803a2781445ce3ff70565cb5ef6869dd0f

SHA256
44d7e9c1be82f4f5708a725268657cad6a91b1b71b5e6c5a48fc98a6da4cc21a

SHA512
da94d1953ce47f9ecf1236fed11cb58f5d219c7fd025a1817caef8e33b3da6c18efcc7d4384d83ba4cd5c70d4a3ea1984d8cdbb5f04934e550598f58812d317e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6e823894ed5e8057489a54c400a35ac2

SHA1
1a394b28535d8b5db2955f12d2abc8fde05b58f4

SHA256
b35d559d19414394a78e305eedb96b9ab8bcd4a382eb072b35a02944a278a5b5

SHA512
d9ae49e248446eddaaad228725a6b83d99a4acd9c74936490a80022c68104d35fc66b676cbb7759bfc2d38b4af2a050c71c1c08048487d569a8998f9136e3f88

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c4face31878760f3549814a78a755526

SHA1
c0f9a9aed028e96dba24d8fbe6b4957635bd1459

SHA256
ff73730b458fccb52e7d34dc940732de4dd969af3b7492656a2fbd4be035835c

SHA512
c29e112ae761501d191f1cd0bb35939b527c261c0a723c42f3f651c49e8b30006f3092328811da436e99deb342e12498ae834c26cd552688972f4d7d5ef5c18b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e1bd48b001eb5765f63cfab52a39538e

SHA1
82a3cfd373835de7ea4f961af545819ccd8e2e87

SHA256
1658da31110a1cf7d2666c6b62b6be8ecf41223ef062b5e259eac7299904e897

SHA512
6d5ec1bfda97434887d37d4d2f4270c97d4b980533e90b882987c48db6e780f1bec2fe5f8672165a14858407bc780279ed199a6625691ac3d7b3326b502e492e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e1a65ef1c20aaaea2758c9fc053a7299

SHA1
22034ef77ec7b9aa5b2475e6bbfe2e7ff362626d

SHA256
0bfb30f29e31a2953c2c229ca6c317f9e4effa794683124d888bd33f49fd2f35

SHA512
5d7230e3e475fdcf6b97f0f7bcfd4e9c6ca438432ffca366c0f78cc89a4e7542253a2489e8a1d509cb57cf8db682daa1fe676fcbd7add95e21af4364a234417f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3bfb912cf0426b537edd24677d8ad326

SHA1
20935ea32c18509325b189959870b8ecb26dd018

SHA256
e3f6f82e8864f445f1dd3719aaa6a8a66e6eb788388f0bd035b60ed281c0c6be

SHA512
73dfcd7cbe3b3fddadfeb38a93d7f22317017b7d9a011b73c21b065b23d45dbea23e84e4a0c1d5e9a681938d76268b835ba2c7994fb93c5f24a227053379a799

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
df4b269473ff6609a3a3da7d84ac8916

SHA1
d2ae4dbdc28abe0141096a5516cb3d443d75266c

SHA256
e1d8af8e63bee81ab9f8039fcd4986b72ce492e1642ae73c521f0c16168793cb

SHA512
6e8f1bcc435632c5f4268f314b3b32fbc69dbcba1b28bc7cd06f10006bd4b0e36b80540fa616a8a26bc4a6a35173f95b105203baa505eefbdbfbec18fc38d46e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a7836e888e5c964917d64531ba7d8074

SHA1
2bb4afab246fdf6a28d23bc4a36679a6b72f2b61

SHA256
ae0afd2e386a6082aa30050025b2242d3e11ffff531e271da85735657b419271

SHA512
02473fe3d93e0caf92fd26a0401fe851b889e840e08cd3d87cb656ba5d04e30b385c434ecc59d97de0c5df54b764f549557317008e22a1654dfb7678144f6dd9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
87e50987c9c8c8be2a62fcb6dd50c7cb

SHA1
fb02d88a511ed5ca5b682165deae4d3296880db9

SHA256
1029d7fddae1ac1ceffe34efb64bde9522cbd9c44296045760cb747498b1363c

SHA512
0d8b8240ab0a67bbdb6bf41e741104f79e679ca79c2509cf6cb6b7bce58bf35b0af407c608d59e2e2c2a13d8743712725b7fbfe120063f6e4f633ba484ab0c20

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
80861153c6eaac84bd3d75ea7cc0cca8

SHA1
b70d991a82b23b6c147994ed7c2876d3183120c8

SHA256
1709fe02fefc8da232ab806cf32ba3360a7257b4e27bb30155492867eb9d0ee4

SHA512
1fd1c6e9c2b25d45460abd41339dcaf9b26831ad0af1061c5e961a0fc9db13d6cbf6b4f6d2f5eddcb15f29960961fe6dac700748f5309c78aab7362af9d6f7a6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d7721f388097a638d3a64244a914988d

SHA1
a2001ec912bc2caf7a19dbadf027259cb14b5693

SHA256
397d215d094165f5c9a8ddb091686f987a8429aae5a9e61ac8c687edeef1d364

SHA512
5b719ed67dd0aaa71b99ae5a17cbe6245e57d444ce169525c57eb8b3574b93250fc4d23c08941c230a067987a098c9760e7f557b6c0bfdf359670cf19c7b0cfd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
85db7cf70c9a54ae1879db74a6e1c7f1

SHA1
a730eb80d3bbbc66a87f35600cae1cb4d40e950c

SHA256
6b2f12dc83b445012719d5dda799ff8011c346c315ccf590f3ab1b0c363338b6

SHA512
6d0a79c976c6c5d9b4d9093a0696dae022271b624be161b25798d89fac8ca19aae3fe32d7b34fd4bb4e768399281d572e4c472b9c5672d30184946233b234f87

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a09144d69bed1f4420b14d53e5980be9

SHA1
e9621093085817a9950733066b3fdf3ef8469438

SHA256
0ed73010d1133feb2bc3081a1a2b336a618786a1201d98a948b501c998879184

SHA512
58d84be09ce8ef8d08928f19392f166cfe17568b01962907d7c583db23cd6f358723cdef64d5495cb0d38d1f8949c7785e397a1716e6bad86b066ec62ccdb982

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5ebd232d32815f56ef386c96d8fcc7fd

SHA1
8eb22ea23942b3f148b9385f735b707a5efca524

SHA256
94782dd82f74ecea4f34bae71aed385d1113617c6613d97e37a907b73788e301

SHA512
8d2584dbc7f38d48e1d6e3d7ce5aa464783a5fd4fde740c6a690c7e4c6a58e2474e8d895f3e21ed9a29763c62ce89a6f1bbab9a646e0867aa51e7dd7517f2de2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
53037e54a0437b30572637755b6bb1b2

SHA1
8082b4899361b1965a970ff94dcb75f66d33ab85

SHA256
3f28acef528eafcd168e1769786ba6af69ff77f1bd1f91e05ac3cff1bbbe40c8

SHA512
63140fb0bf7648f7643f819156ae1e4e597cf829bdafbbbe312a5916c6b7bfb827e14dfa56d5f32692dd15e9fb64a57edd3432f7d53f19bb0c2c1acc251f9bcf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7a9a9e08919c7849d730f8fe1910c700

SHA1
f5094a377378845b2093d6722e34d65b7f6e166d

SHA256
6469161fe053c9698e4fd0d53ecac6f6ae0d2fa59a249958680d1d211353a93f

SHA512
b04294b9dfe4dbbab655901ac7b9d77d379153210fe7a556163248d48cfe8455b71363199965665080ec87b04ff9e821c48adcd8268f1d079981a21832a101d1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0ea07ac381f2d3507fbd9d6b1c42e0f1

SHA1
fc7b155149f032059f89f336e08b56326116e7ba

SHA256
735213857b45e8ec3c74da6beb4c53e1b4a54c9443f105f34e6414946cb85382

SHA512
ff7c1364ca8d7f971d9ba9eed4edb1594d11a8ee54f08903f1567631ba861e37f70d220eb7cc4cd78ba453ca2e85b1e8dc0a13328485ff092682e04597bddcc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
212aa2b32e2f80a2684a44f18f4316f5

SHA1
78749c45bea937181edeb9d44917c1f0238bcde3

SHA256
0d64e5543096ab1ae8a97fe1d469b0d24e00b9bb8b063cb951e23a6fd63fa002

SHA512
853866d0a9146c49b753e52e73dd9967faab138a59f0a1880e857e0915c6e31e47d915390879ef30629128084970b2320769a787098e223999e111687a5f372a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
838f859d58f821efb819bd34b3f0737d

SHA1
eea216067161b779074ed83b7f27fce616c6b622

SHA256
e5a81ca21c9343448bc369bae329c88445f0c5afbe74eadf028628a6cad3c3f6

SHA512
f1b8053835fd517ee0e2bc70b206550917d619f1c20b638fd346695f7e44ca8244de36f1083dc706772ee4b683e9acfefae4007892ddb64ed13410a753c34529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e7108e4cbc0456d2793d857fc82380f1

SHA1
8ef822858845da823872eb1e3156337ae12f8f50

SHA256
aa3735855e8115a6131044407d3f456b60fb6f09c74b22a4d29692e6bfae2dcc

SHA512
70a8fbd5179e650bcb58dea799d7a91c64fedf8a6ebd4da12415f4b86b0334c831cd6c4e50a31d1b42c8cf5bc62cc871740dc3f9a71a011aa87af54c7b5225f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
61fbf3fd9579bd567264627a2e18d07c

SHA1
319d0b1ebd055f4b6ba510edb56063345aa79933

SHA256
0220f3b941ccd43931db4c5983557c5d4e5f4fc717a647e847f9151d9a57a66a

SHA512
dbd1ad0ce445583968d558dac2dfd2299ecf9c5d26442751c41c07cd7fca1700528cb4e3387b9af349f6efe16828ea96e0996d45578e6f18bf3ea051b4304352

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5ff4b4e60d4aadb5915f73e0eb0bc847

SHA1
ff69360581c9ceb0fe2045c175cc4675b8d57499

SHA256
27547f98776d63a8c203cbc3ec5f65decf4ebb4eaef76c6c23a7a441b66639aa

SHA512
3b5642811bb0499840f60e0f5f51ba0a546989775b4b137d375bdc2d8907dabdf805cab5ab4da0f0f02e102d3a97f3c8b2d89acc2dc3e7f75330c9d97f3cc61d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
280420d32a333cdd4c49becd4fcfb845

SHA1
85d97e8dcaca26ca8aafca7911a8b17d643ae980

SHA256
8361ff2598b7b920ce7a3d9241376cfbdd562d1e00e5c50267bb477f33bb55cb

SHA512
ea3d2548d73741e46ae80e3f30d535a12d2c422ddf6962ceb6c25598e8eba4869b14adeea5dbad8e57c90afd2761890156adc9fb0ca7a39bd09343638c9ee0af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a6a07077abb2b624af18e161c1b3fc2b

SHA1
14820805129e899d91c643555521b1382440af92

SHA256
9d0209faae0bcfc9116dbd81d98816f14131fd071aae40d5623c63213aa7f8b5

SHA512
4cc0ebf8aff012982df33a1aa2cc22b8bf1814364712797fc18f97eaf9f4d32a3975aa12db0a1c2a2b838c5562f1540e399269b4478dac985926389266d7e6f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8a657019e4819de8b4c742d84b9d2102

SHA1
97f9f58cd1af5a5c942c68c8112c7393eaefb0dd

SHA256
f5cd4cb469a516c7eef0d09f389d30063908f04cbddd9ee7d6d3456886636463

SHA512
50e290652ccbd1835857b343c22aac6602c4f04ade471608612b79ad11d832234f49aebac91c44980c30653b05361fc25539eebbe91e9b1f0f0a832b9240aa6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2326ff50df307770e30a323c952c223e

SHA1
a23dc0d988ed4ebe0fd1ba1d47a22d59ffa5b59b

SHA256
53717379467f0c3f01fae7ebdd475b2835053db4c9f63473333faf8d3070d3b2

SHA512
73d35540a3d9e392ab9e49cda689323454c1d9779cbbcf2b16a1ad331efd6be850c73a8b6c89099bf30a4121981a422bd626c4e397c4abc1fb423ea1a45a17bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
269f63a89884be3e9d60cbbf4969fc5a

SHA1
d0b849c4c3a1b0222d85def376d85a299a91a74b

SHA256
2d18041f0f1c21a18583116f17a6abf4189d9dcf2c1c40708a6403c4dadc4365

SHA512
d1ca816241afc90ec4a94ca1abf0aa31b72912041742d2eccd6ff8a22a32f080ef0bb1e2fd0e8fc507e915354f7e1453ce2b67bb6b1a2b8ff3b3db0153ced02a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a0611dad196747b2fa9b8d91c84b6839

SHA1
bd2b5cecc0db80afa16cd2a0dc74a899a4710bb4

SHA256
13a106cd6c4f97bb21069e2a54284a8ab84de76dd6daaea977ce6f0ee20834f4

SHA512
af5181b29f767c8e376d559351bd4a57f1c38bf2c1139f87a79a6b58cf5b32acfc3e9f6baaf4af758afb86c09758026b46886fe026b288b8ee9ef8f2e0a9070e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1bb46fe3223ebf0749495d9b991cb940

SHA1
b4af8963a487c26abd62a70fe714eff49aa08a1d

SHA256
19e63b0ecda85e296a9e8837d8096291006e5d9cf78481fff8f2a7d6063344a7

SHA512
0f71cf1238367e69d544ad0709c7270eb6d24177b6ebc6cc30102f7a8419c40ebd9f540e46194dd1500d61a8e9ac69dea27c619c40c490ded034d308cbbb66d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
537d47d1dcb6812fdcbf1ea562df60b8

SHA1
09c3063f5cb772e27dfaef3f3686f5f00b963c78

SHA256
7a079b707c835adc248ddb97a5fff00d59876389e6400298855923e6578a62f3

SHA512
4d3fffd0fcadf50c02d6f0c723cf251a94ced9cdcb568eade6037eddda5a05e9b5acb724cf9ab9dbcdce3c9d7713e247d258efb8077d7858c0a59a2b477766a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5ce0f897823a5488bcf025bf67cfefd0

SHA1
467781c1ba93ac7045b225249b563c2950f02dee

SHA256
53b6950e5147680a051145a25607bf584bf2c9b6e891b705b7a8d753aa0eeaa9

SHA512
d67c1147c25595ee81e9bb8fc90d3d147bbc8e2c9cc794e34c92c1fcd997381a29ff1511c1f48ad44e85f6645caefab976d61c0b147979c40816a1698fc08d7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
705126c74d3afdd1a32f09a6b97738e9

SHA1
229c21ff3fd0bfa5905fab400cd844277523a74a

SHA256
f4c6dc0551b3d0203d570463a736fa9641f244b8183b91c7291ad83d76c3f8c2

SHA512
7ae9c486f9bc6a087054dcbe6d72e4e6766d9b4f06253263ea35a76a42d10842b6cac1b45023a82f98d25994c607fd48ff51641ea1fd0fda85f58661ed4153c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9bfd6a027d875c55af58a2111005c70c

SHA1
c8e39d1f8223993be43112f5388a944bd0363b06

SHA256
4926e20ec9761aef0b3c48a69bbf2931a254bec636f3734cf634c3a31f269b29

SHA512
4752697f8e3d3c3e44bb2256b193e5307ff4225e5a86fc1a049947907ffc4d9195635598bb2b019645e39fc8b9602bfd079dc63d71e0cba873d1dda6896a73a1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d735c89016a38c8bf494a6d36ce6cf80

SHA1
c7b18840c463563de36e92f1c30ffa1355260268

SHA256
26c0424e9a3b7cabe02d36717620fbe051b7d7bc5dc9e16590e05c01429f2248

SHA512
629d343de185c09c811aa69658f45b99daa296b1b44058a7b3d35a25c1b674dfe13c0fed597d9ec83a7261859e33ee4c33ca5860e42752f816c47cd587fe2082

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
42f4e9c4bb5e7b271a1baa6d36b2090b

SHA1
b81725eacd6f34e0c4beb766990b172b11ecced2

SHA256
694ef1a85a0e9d390ff376e428164f5184dcbe2f260d03f060a5561bb996e04e

SHA512
e873d4ecf34ad84b19ea25db541e3d052522e8228449b9d16cb247c86a4375f4944a88707a25d2fdfc8147678242c4825d41e82900c284ba939180eb476fcf3f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
16572d187628a13ccedf397caf5c53f1

SHA1
f381d978dffe7d818f821ba9ee40674813b6f50d

SHA256
2ae2d3923204505bb5438ce0b9a4f0c3437ed933d0c3b98ebffe7a4133832f06

SHA512
b64b66de6f4aa5846dae1488a4727a55a67bb47889e2d1ffcc068dc972ea0419dedfea3c098bf91bcdd7bd5ba7156b7286eaea63461a79973ff4afb16418148c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cf8c9176c11defecb964f7a060efb0e5

SHA1
1f6340162b868bc00272e73e6ca50b03a9544b54

SHA256
9e05c184a4be15e1c252701c40eadd5ef42e2f7a192eb4d575a4982338453dd4

SHA512
e170a1eed117988bc666c6869f060ff9d4a933d1ac95104073c5730800ad622df5ec753131f7862a29919b84e1a5dae692b792a5ab6e44f8be5871732f6605d7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3ec6876d3348cd6e9656698dd48ea1b0

SHA1
deaa5ebf791e94706cfbcf3ffcfbd76a5c7ec78d

SHA256
726dc7446e04f155da71fe7459c4f3b15902237999bd4345d0f521fc0c862103

SHA512
6f65ebff598f84c43cac380fffee64473ea5bb0436d1b7aa616d2f1ea0d39875a9c236e7e9dfc070d3afc392da1b6b37aaa4b73d50d45c637ee8da767f821f7c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
94a95399056734d6f93e91dea42ed7fe

SHA1
ac75fb17e5982d63ec7c62dd0cd9da30525b5a06

SHA256
101aa87db9f352f7368e8b8b99809835ce4e600a36a3ac6f15a477d3a979ebc8

SHA512
3804db5247b6820bb770ac05e2b9aa563795bcd518f95ab9b040273a6407458c52be32897f584d2195960ebc7cb47984b9e4566e5e514d2f42986aab2dfa4ac8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d11388268841f4c8331ffbe75e2ab394

SHA1
72daeaf104be9f4f5178318fecd585fc37a810f6

SHA256
01fc619045ee2cf2675269469544e9547027cf069d58ff9ed5fb5a0ecb44063d

SHA512
0635e81a4a486320c4a34af7b399ae04847c8bbb1fc723d5abbd85c1cac6eb425316d58e6c9ea8c70459be83ccdebb44d73997323e46c831da819a831e16893e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
28721754d215b42205ac2ea31b7c01d5

SHA1
c8e2abce2e565b51bdfd8b00ae46a7fd3ee4f367

SHA256
fc11058a667252e23c77b04e0d869f360fa832481a837ed1ec9582b9ab24ac47

SHA512
713d60d154236b6e244536fffaf14e3b6c6cd6c8be332b80cecf911f6545162508318899a7ca1c319cb02290f2b4af7dda049eefc60b9c4cb81ec0cfdd350cfc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cc75d80d26777b1560042e5a6d132b45

SHA1
e9b6815e07d1f857612d6062a834dd6b4d905305

SHA256
d704c95b09ada0b3ad3857c26efd04566744dc3d93f22069f5fcf5c059f71a55

SHA512
72d3b8341b876f7021beb30648fed24ad5ce03c2f35f9dfbc22cd9142a23c163a4d535abb187d38117bf30e3b118eac506252f1d1321e33770597b87b6e846d7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
edff75b55195c59717efb2f8711b1e2f

SHA1
edc632cf9e69c0ad0645e5ab2c01e55b92915492

SHA256
6cc47300d2536a56464f30f32c4be01a76255734ec730612389959187f2dfa8a

SHA512
364536a75bde4d7819a1b647390f4efa9cebe2d507b88874e1d47f2884c225e26541dc839918b1867e77ee6d607ca2e396e1cceaf8a0a8ffea6926c3c0db6c61

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
50c7194c7f8ed121f9ba1241862706d2

SHA1
021b72908034ae9ec21e1a8937cb0302d15fcc6d

SHA256
e3aa31dd3b2b4ef139d5e5262a642f54584217a85bf81cb182014240e78548a8

SHA512
fc1268aa013034cb0f7c0e330b81703826db962ee74ece5a7fcc7a39b14ccad8040df5856a07061942270fdd03e293355975471afd2b814dec6c1972b7f8a396

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
857f51a00cee5202bfe136366335ae06

SHA1
1a6ba92761333deeee471f506806e39ad1e6fe24

SHA256
651ba71f266fab0e9f2dc13076c5d9fa9f48b6890d413b7e2c50b96930868f43

SHA512
dfbf797665715ab02778486d36d85bda9e2f395a70a610928b89764ee340cdb58c86fb046f80dfdedc62cb97d756d9163f1b1de7b9be737a102f39c31de512ff

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
54e2d73e745bfc63d4b0223feba4abe0

SHA1
95c74909b2555f249c380d4462457bc3784e6a02

SHA256
e5dd91324561f54daa3c7086b2309ad8799fb02f94ec7d2adeb77a9c18715f51

SHA512
ab70a54ff4395d46b5635955cbdbd1354fdb66b4e7a88c337a02f9524293217ef4d249a94c12915921b1865af775475314e85690f5c63635789904210e6b67c6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
661abf5b47e24b07b554f260359fbaf9

SHA1
a5c0d2a7e6e0544eda1eabcbc994486c5373c494

SHA256
397de5ad75c13fe0e9226d89bb4fd7bc60e677f6d516af2186a867ea5a80c88d

SHA512
245bfaba4422cc4f6d87854da3df91c9dcd1fe181c1bfc3868c03dcf7bad30e2161b52f793123b1b9cbea17776301b61ea56263cef56a492b060be250f504024

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
885cbbda5ed5afbd4d5ae473597d33de

SHA1
ee3807dcb154229381409b7b44805f31413a33cd

SHA256
9068d2a7aadb0f6b512715e8e43c6194861dd1a2426b4d408e0e93d80081c367

SHA512
85c27ccb6778a696fdc484f9189db7a26ebec07ae13eeb2eadc30a5da37072044de05710110afedec43a503bc4e7e4ca510e92e7351db87e9fffc3b19682b300

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b248e4a19876d17b43f749fce516037d

SHA1
1b309f66a6f93042873bcdf44fc29f7cd8bd669f

SHA256
75bc2d5081f23fafb2fb1d729565bb7cc0191c90f8a12c33097c757ee63b9802

SHA512
ec265c88adad7e69119725b5a69d8cba1219e4e87ca87231d35cbe848d47ef0c19f0fb89116ad3e2794d4c7dee295c6580ff3fdb9e96321fc0a1b82920a63ff4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
710b48a1697f5c37386f52ab56263318

SHA1
53ec183212cf6fcd4842fcac05af7e16d9ea8729

SHA256
c2c284988a73687c24c36197c320633325ce01194f21698e18d8b5827de339bb

SHA512
18134d32eac798cf83cd7b1a10a63f958e2969836d0f33cd09eab8d42c04e290616b5865b67a9eb6ee1df9724c6f6296a49a950813b9d6e4e8e2f5b8bc6c98d1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
254fe2dd409e16713102e99962b52d2e

SHA1
d5a01f9506119ce4d17c06176fe7a2ad903a43c7

SHA256
c237d21a332e701ee6413caec88adf8a6294b4814bfaded646db2cbd282c4596

SHA512
d8cfce83e4b0d533eee098125853245ade17e88822dbb7631943c6e166f494db41be04969cdac54afcbcaf861f48d80ecf74f172d947ff2c05ade0f7d3e1f629

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4384dfd7d3cfca7d7ad6270902e42642

SHA1
e0f1f37ac138c9df0bc3d8b8147dde83c57b4785

SHA256
270fc39062a9242683ba856a53978e3df758e720d9174dcc66f6e42fcc55ac38

SHA512
ee318c75a0df6be73810ade2f1d6c225e14887fb6d6d1c7919df02cd1a64ec6b4c9f8e36c11caa12f390c7ea1cfad26347dbbd9e051287f651eb94cf6e810473

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b55c24011bb999271a8cd0f24564b835

SHA1
204003aeb2c7caee29aa850c9a41d038d439e8a3

SHA256
c1677fe3a7ceb5ef931ea646278ff6106b3a47a8cd3b61fa5e0c497b9e9988d6

SHA512
9fb2cce6b9af1d027a9678fd3ef3e7abda46c32fa05201e3681441ee0551f59fe0b99b8045f3438a44fb4202f7659dd978b87a289223abd954ac038248bb2627

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
448afa432c11ebfd453db6272d71ad6c

SHA1
2d90f968de0cd0b273dbf9828732c477a3284911

SHA256
5b5740af4432a59c9ee6045213d481b883dc5b31f7d94e909e81aa00d74fe951

SHA512
3e8636007cd08bde763efa4ffaf8a480758822f4366bbb98bd05b7b939fb3a4e206c70bdab73a8b80bc781e183a6749c7343860099783d6d17562d69ca744395

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e271b0a4a2d34ef4b4f6b738770302f1

SHA1
e8fc49a2b5c8c7fcda3548e218e1df18a1bf8d1f

SHA256
9484a7e86c081752b0696d759082d17679aa9577b5c821ab403480207d233e95

SHA512
37f3bcf6c5f96eafd8befa9527ffaa2901587a192b4dfc1e1f8524a9be8ba81bda07ed6d50b234cf8aa4c12c5df1b747204530bb07ab4b03661dc1da94f76e0e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2b41b213623a3ad27ccaa908de8b420a

SHA1
4145c78fb68d683a58da796400b3bee399eafeee

SHA256
8a0a0424bc9386d45631324991a3af0ab1eed6fde73b82b403d9b5427f20a95d

SHA512
5eb9f10dfdb31b2ccb3e44a98542f6321d9a26e85f8fec74483a53a78133cbd8483e3db0d7ecb0f3f57dbf1a667f3066fd2bb63369c5b06d97b378687eb91447

Download Submit
memory/220-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/220-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/664-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/664-586-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/664-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1228-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1228-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1228-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1228-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1252-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1252-592-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1412-91-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1412-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1412-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2152-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2152-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2152-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2152-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2152-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2444-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2444-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2880-587-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2880-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2900-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2900-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2900-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2900-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2904-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2904-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2904-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2904-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2904-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2916-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2916-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2916-12-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2916-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3136-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3136-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3292-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3292-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3728-34-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3728-25-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3728-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4180-593-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4180-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4284-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4284-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4376-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4376-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4384-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4384-567-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4832-89-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4832-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4832-6-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/4832-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/4880-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4880-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4936-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4936-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5060-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5060-437-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5076-588-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5076-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download