bccd75a563539987080110b82dc57fb8a5128a7a1ac6a3c413e6a5b28b119f11

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
Size

2.4MB
MD5

54bb9777b3988a4355375b298cc402a3
SHA1

d6c9164b067b8431e033d6387fc2bd4da9e014dc
SHA256

bccd75a563539987080110b82dc57fb8a5128a7a1ac6a3c413e6a5b28b119f11
SHA512

a3b33f2c1c0133f7a5588ab1d600107fbdd4cbefe16e5562386741d19b8efc4b2395724dce2756c8674b81db15f10b4e62437809bcedb1d1c594f3a6625d4a6a
SSDEEP

49152:DaZTsmeq5a9xpOUNNXYrCoh/kUG2SXeKtYQWEclQn46y6UAQgAT76sQuE:DAsq5KxgUNirCoh/kX8KtYQWEcljiqGj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3068	alg.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
2436	fxssvc.exe
1864	elevation_service.exe
5064	elevation_service.exe
232	maintenanceservice.exe
5032	msdtc.exe
4828	OSE.EXE
3608	PerceptionSimulationService.exe
4356	perfhost.exe
4292	locator.exe
4224	SensorDataService.exe
1880	snmptrap.exe
1332	spectrum.exe
3192	ssh-agent.exe
3532	TieringEngineService.exe
4920	AgentService.exe
1216	vds.exe
184	vssvc.exe
4880	wbengine.exe
1328	WmiApSrv.exe
5168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dea69b67240c1bce.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\StopCompress.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5584	2548	WerFault.exe	90
5792	2548	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000988bc4d8a0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d281cd7a0f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062f9edd7a0f0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049a696d6a0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a80350d5a0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efbdf2d7a0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000454294d6a0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abaddcd5a0f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c81971d8a0f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000840a0fd3a0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
4540	DiagnosticsHub.StandardCollector.Service.exe
1864	elevation_service.exe
1864	elevation_service.exe
1864	elevation_service.exe
1864	elevation_service.exe
1864	elevation_service.exe
1864	elevation_service.exe
1864	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2548	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
Token: SeAuditPrivilege	2436	fxssvc.exe
Token: SeRestorePrivilege	3532	TieringEngineService.exe
Token: SeManageVolumePrivilege	3532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4920	AgentService.exe
Token: SeBackupPrivilege	184	vssvc.exe
Token: SeRestorePrivilege	184	vssvc.exe
Token: SeAuditPrivilege	184	vssvc.exe
Token: SeBackupPrivilege	4880	wbengine.exe
Token: SeRestorePrivilege	4880	wbengine.exe
Token: SeSecurityPrivilege	4880	wbengine.exe
Token: 33	5168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5168	SearchIndexer.exe
Token: SeDebugPrivilege	4540	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1864	elevation_service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
2548	2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5168 wrote to memory of 5656	5168	SearchIndexer.exe	125
PID 5168 wrote to memory of 5656	5168	SearchIndexer.exe	125
PID 5168 wrote to memory of 5692	5168	SearchIndexer.exe	126
PID 5168 wrote to memory of 5692	5168	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_54bb9777b3988a4355375b298cc402a3_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1296
  2⤵
  - Program crash
  PID:5584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1296
  2⤵
  - Program crash
  PID:5792

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4224

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:224

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2548 -ip 2548
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2548 -ip 2548
1⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
c2cee4f70278ac85ef18c7178c5c5918

SHA1
a8a20c5d27132b38141d7ec15491777dad296df7

SHA256
00ed4edc5a1b33dd7a58a494f40e164c1e8b912dcf7184302e0b27de85b5b49a

SHA512
d6f3f144ff5326df78e5ba88f27bd1e0bba36b14a4ae39ea36fdf25d510c600c0838e634422db35db5f14d5136fc25dec4639d58b91195dbf5fa0f6b2fe02944

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
41900f5f90b8bf7753475a50a1d29f83

SHA1
16f550dd8f70178d0ef17ecbacb6b9750f063061

SHA256
226fc815fc95ce7cbeeb9bd25587245aa3df45b0c799c40bd25d65ad8a8db059

SHA512
51500ec8ffb078842f45eae3a3adf3606fbc59c2792023b027095ca7177d7aa51db059e6f8748fcdcfe356d6b03f7c2045d7ffcc1ceb8cbae744dbf1b4ba0196

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
6d06b9ca558b8880a8b5a1a0d50402f7

SHA1
975752874b55e455c0f2e4075fedb1be13faf583

SHA256
9b7b1ccfdf3c3d7a15a89e87a5b97a6c50a0bc2790dcec4088d1486c388bfc86

SHA512
1bf60e68b84ed6bb02f939d5ff75ee27ea6bc599a8cd2ba78c4b1896c3bba09dd38d94095e7fbd46bf7dd859d1317f5a5914913ebc4aed1c0a5af445786c1316

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a8e391b429cdcc3d5f5fde8ddf550dea

SHA1
2715ed64fa18ea8489563972be4894b4677a7605

SHA256
2e5bf11ac9d24c1e56e996658d8d3e7f018f45fdcb8387c23ec19a3712718903

SHA512
04a71c0d3be56448642259f52613858fd2ae5a32c0a8984cf10e609021662005f5758947b2f92bbd64074f279158fd54db8b6bdc7fef30c2bb44b27eb876a08e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
81bcb8fc79aa19f276994a712d2ada8d

SHA1
1a07927cabf05c9a7de998cdf7f64b0b2b07a394

SHA256
bdae4b9ce8e396e1893f8fbf28885f5cefe15cd40b917ab6b562644a5edf7953

SHA512
add89823984d6dcc3e7bc7f0079c54a478dd56b8e2678d43c981265379e464a826cb9c7c9de76bfa065574e9b212f346ef72a438defdbef49bf7f40c32b76ebe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
83ec5cb64eeefb557c7c6108ed01a630

SHA1
84365478a687a558edc0ba214dfc73164df40ee3

SHA256
abcab6cf70da26bb28dbae9a8d169fecd650a1c13efee0353bc4290b8a955e7d

SHA512
8d552363b8e940ba1da862ce6178475d04877057bddd3a3267470ac420a3cb14cc0e27d54c914435ce350cf342263a94e8e462f93abf297717dee301a1d27285

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
4b9b34a1b9990cec2fe166222a46b550

SHA1
9f7ded64304d868ba50ee7d458325ddd2c160d5e

SHA256
cd392c934e56c0d9e0e6ac91c6eb45ca9db32092a1a357da45ada631dba44934

SHA512
8bb0907a72bdeb558ca361a036f88869a49983725ca23e2813e6ffafa55498f21c8b34064316cb80b8601a5c97ed8f43eab8dc4497e116d10cf5f23150efef1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cab5fe739ce59e91d25b56dd549cd195

SHA1
17d20b942c68ef060c63fc8e85bf53d8c36d32a7

SHA256
5258e9a1be5e707ed05ce141ce21490d70e1735fb58a11554883e0f943e76da9

SHA512
49a2be92c1b8f81134bebad4010ea83b1031172fcfe79a303d1791b6323ddc98208ed8bd863ca14c7cb53d948b1feecae295d5dcf976848253b9b30cde533907

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
b2fef07d4e2a2b54ee879afac97ff2df

SHA1
c6090a7fe99a1c154eb3042346ae7572ee6eab27

SHA256
ad1fc16427f0bcf01d2c348d72ff6d12a2d113cfe5116936a6bf7afd0961720c

SHA512
1b16053c86f0d87113ed94ab64f979111ec7408736e0b86eaf7b3b8c56c2961ac8cd484285b08eadcf2392982b725faffbe394ab57b147f38e977f50d21d9ee0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b267f73547f0cb9abc1019d8254e992f

SHA1
4a027f7ecbb0f5cc73f87da15b76e62763dbf12a

SHA256
a9dba189eac237437b389ef78f3bed1aa26210723ad5aa70921222969326341b

SHA512
387db4f3bdd0f2d5bdec12517ef42b10af97897a544d8c02192380d81932860c04ba55da3b3b54c4945bcb9170aa058207027bde3720759128977f27bcb7c8f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
67a3b3c86b19443921af61688a6ed045

SHA1
921f38f53d49d2c118a391775602f27c7b4ec896

SHA256
948532f96312a7945a0093b6ee248d591318f773eb9064432a24b641e31d178a

SHA512
33a4c1a0c5f2fd3ff8e35c4c6347ae9d2c8eaf843e3ae34b2ca8733405294e2071666cca325fc7141cd9268fbf43dfd0219da320279c0927f31b8cafe2f5e06e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c4f013b976bef6171aa0e8d50e821ddf

SHA1
3662a544e8a51945b986133915d8dccccbac5306

SHA256
d155a0611c47c91db0ee12a4db21746f07211e34b5f8ba11c56e93163b2637ad

SHA512
3262291380a8569384b2f38e6c20ed61b4d5a3f918445a5697a6e03179df5587ff2b8ddd20722c576ff134b9009e2150da1f4a8051ac31186455a9c7a2d3a088

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f007b61c4d8f2c3b358ff6f74272cb6e

SHA1
15472232d654ebe53b0a24886d7231de128212e2

SHA256
b4becce3fa7ac13d509557be0280d6900f4854b5ed7878f5cfbd03d2b84e8d6a

SHA512
943467a66950cfdb8149ee606502091a2f9dcf854c94035de61873d05725cdf3899f16e5504ee6050ca26ce5f3487a31e80f9f1d25ef3da54f8d3ded4ba0c984

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9f913d8e0f2f1b4b89b7ea0f2367b7ce

SHA1
c7c595b0a52c52b1cc89517fe4c62478d83a73c2

SHA256
75cae1c7dbe0e19c18f74124e573afc5b36098ee814468aeb903169297259ac7

SHA512
636f0e25a1da4f21d32fbc1e323702e18b624c9d2832ac9c3762163a7e2fd16da210036ec2732eb17e7c62cc5e27d46cdda391c1966916088d8da642be3702c5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
16bd1ed456aae67dac4e02d7ea100b1e

SHA1
496620ab373bbe9ed0a3e03f3872441f9bdb31ac

SHA256
d16c04b9adc829b13f6583902fed2b393af33244866d66cbffc534b9830116f5

SHA512
c51f459689af671e2541fe17923210a8eeaba7fe7d8d6e52cd3665d1645f07285dc578daaca2c9ee069ec1fa8f534d6716923bfb7ef1c5daa73c38d6dd0f0726

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
404f8e4d19c4d6224947fcd9d5acdf44

SHA1
02890b2c676ce0e94e0f61268a90a34faab7a001

SHA256
017bc64670764bf3ef5f5f616b09b3cfa07e4ee0a766fedab043e8662452a914

SHA512
743e3dc5bcaa94f5a43547e5b49a960e82ca696ea0f44d7bf9e63e7e63c1819081e4701797369fe7bbd18606ddf05410941ab989e181957d2b0fb202ae2c0bf2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c5021ef4519d514f8fd76bd479d4d1e5

SHA1
5ce9090c5a0d5b7220d4c6e0e8213f4affb870cb

SHA256
1381d831e0d0abd1d0f9acdeb340cec2456b6f3e020673eb224c2e12fcff784c

SHA512
5e2b938b902452a77dc86b2a9583849f3fd98a91c3d8f85f49c4acff8d8d031027fdc46697f388c9b4cd128314d79bec4e26d702e858a6e7c6570d1ceb839b33

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
56bf9fec227969cfc5062b13c8c3fe11

SHA1
fd90e87198ef91e7305d5822d3e80f0a69072243

SHA256
b4b9c19ea4aade044ffdec5fe46240c3b2cb8e647b233e50ebc4db6911ef5d9d

SHA512
ac198885a821e06380ef5c916ef098e4e44da0ba3ad88997917139d78862ec0c32802e48adf7d5e8e819b93e8fa116827fdd69c130174abb7e0e6092f8807ce4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
05a49cc5c10b4b0c9248eb90ba0d8cce

SHA1
bce88b13f058b356b33310da35f74b93f6f95a3e

SHA256
b78a55c48eb1422588e1ae9f9481fb547efa36129772b947e848e2bb544b2afb

SHA512
2abc721188369f8035f155ab9a51a17b1273335de32fbf3a025b39957f4c0e2d7767bcd427257b7fa9789960062ca4f23a111a5309ca9c373e62c58554b8b8d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4a7b3e1a92bdae103569853f817def96

SHA1
854d85c273e492d7c7944904da95bbbe026eb2a8

SHA256
c12033e23af358424f85b0faba6e188788b41968a330da36834182e9db76c57f

SHA512
9b94ec25c92e377d6b2401d69dfd06c7dedf09bdcb9354ee15ac45367100d3759cbde735f48e3085ba855513bfb054684fb84b9354a88dbf58452d8ccfe4fc42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bcc3cf0d8a3ca54bfbd313564e9c72db

SHA1
e14842cc408c8dc47798ebfed031b8baf7135c27

SHA256
62706372546c786574912fdfcfdda085001602ebb714a273f5b276c2472d8b07

SHA512
745771fa1f41313e1de53be50099780ad0a16baf02237926b455eef8ba0d74f1564d4b8d3a542abd3a61b29fea1b4be96e1be2e25e53d2227703a8cede4b3d99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
84cf808eea9f1e2c98490521ab316010

SHA1
ff2399d22724d4a8b98f9383822ee8fbbb50db5a

SHA256
bd60ba42504f8ab52b9ad11d6412381786cb58c1b92adcfc47e0dcf40c4e3197

SHA512
c08f7b82648f0d722fd10efe3c298b6c2ac2908c91f330a5d0f033bb069d648156a8c455ba2167a7c09f3e365671f16c04d85a3e4b38e8523f09ed30972d143f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5ba4e2755ce7aa6fe2a97363528d6ce3

SHA1
fc591d52656e1ea5247eebbff2ff65d48f8e9087

SHA256
7aace67093160e4b5151a08b8dcc5ed34b52f0360fd40c6e26882c6c269c0f5a

SHA512
8165e399d8d3cdfe0d296eb6362e2e39c35f3a5f6f879f061d9211cd6b9757f318e78362ac65bf1556cce5c497eedb285d083cfaa7dde1d5b53c3de44fa8b933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
8f6522d0fe380fab590bf7769ec6921b

SHA1
172fc1757be41dacfc74739a03beea5ae7d3bcdf

SHA256
fce77c6527624a06067f2b2d41a1c4fb073bccc6030eee44e03641c7bb9757ab

SHA512
fded86fff9bd97dd98426feb0000a2034b3440ff101b398170d4911b89d0044e71654ba9983d3275599f54b8c3a22ac1dfd9e53f77f1671058686f5f9fa6aea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
cadf3798596b21350a0c56489f5a936d

SHA1
7cc6be695a43cece8af618045307068ce692a129

SHA256
23fc75007c09bd16e676bb137a873e40a43851462cad89d9454689b09a0cea2f

SHA512
e5c597de1da702a0de04e67735789927e0df3fd4238852ed9ef7150dc31f1b66792a65b77a9a4210460be16ad3001b0eddf95db5b31c5fad27ce77c121e5ef34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
247ccff5e9fac830456c6de6d52a4673

SHA1
6848cc068b13031ab80b0bd4085000e1b20e1dbb

SHA256
fabef16f5906c8be508c2bef5f69f51fc96a9b4fa048fdf140a20918485aa9bd

SHA512
8254da7503c050a8672c4576ffe616d9669264d8f29e47f851e13b87ddbe6e6ae503092d755e18892f174be181929369601c048e6ca98d4b8c5d6d90bdf87383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f7bece12a3c06627b5bd574996447adb

SHA1
2a2f560fcfb31e5514e6cbbd950188f70e6ee285

SHA256
971f9bc9c81af89bd77af8170bf225f5a38c0347ca701adb93d57346560e5177

SHA512
824ba87ffc153da92fcd03ca6573fda97731d0ba21f26563702cc1c7c5b7204454dd4dbb695899b063ccb226c5c57eb1a57e9e68ebc815b280611d622c07f548

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
4b1213ad7097c012210973fea2f1b5fc

SHA1
c97ed4787eb413ec9dde588f4492f45ac3dcdec5

SHA256
075279dcb5bb6670d790bbdcfb4d7e2157f43e899fb42c8e77c4e3daa49090a1

SHA512
a8c83f525a7277c138489d60128e6a8a84ae0be6e57c03323cc94cb33b35104badaafafc311569af40c5b02c8e37c691e565e61efc9fcfe0348da94c8831f48d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9d9570b6f54ffb19fd27886e5ac8dce6

SHA1
0ecaba1340b6b6580dbf3418e23df768ea237c7e

SHA256
9025a6d57215b6abfe28050d170f2ddcc0c30e36d14a826321f645ad7f9ec136

SHA512
56f1e3cf98ae40f8d12e53d534607bbced31014a4939ee322d193e0698ea4906d15c6a2cce2864a4e43d4e9064ed0c44d52dd2cb4d21851063628fa5c76d38cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f7f1a95c272f2a45551b94ffdf2a2f9c

SHA1
02be7d8fa6dce7fcac3dfe63c5dcb784b1ec80a1

SHA256
c634fab395e6ef12438c027bfa34d54d59e129a0cc99b81d5aeb9fc18dd0db4c

SHA512
cae38d5b29514f4c461509fc61b308c234988fab0083e1342219876cf443912983384559396d50fe1d2f573626e30f164b8a12da87f56970cc7326208807e67c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
69afb2da73a0b7222230483be71614fb

SHA1
74af157f44b3818a325eeb0d75bf036bbc65aa67

SHA256
b807ded8598a67b6781d69737a0bc63fe475ba01e73a75ae063189480661050a

SHA512
6639fc85a5ae95f09900865688ce98b2b3e0a1695a24bf0e86866a61e9ee601f99a5672e1a26b6abc6731733fe42e5eb3433471cbc3d53181836ce3ca7875a7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ca735194c70f3503983a7839ae8cbc56

SHA1
01f14433d35f9626c1aef8f333f578078be44e8a

SHA256
d721440aa73bf67de69ab6cfad4ac18f2f69de5c6020cfe27cffcba7c321c3bb

SHA512
d4c6d013cc981a1fd822318705b0dae6fb8889c57e027a5e49596beff723c88d6d4fd4a72a9ad74ad1d95a63b810507c94c175add928772127416ce2a641b8c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c4b5fd8cc53b842c28e526dde35e4786

SHA1
5e108f9ecf975093d0d7b29d4d4977284b9b1ab0

SHA256
4501237c8fdf885c6eaf203c609c64070345b06022d15f583432351eace387b1

SHA512
6a423d5eba1070f3e50b5db541e05f2cabcaf0a3aa6abb32d6819c5921aa6c904c34fbf492b5cacf53ab57c15759a9655b7af79fb231cdcfead00cf0c1540889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
1c1c14767527a58f4edfb9a45830f234

SHA1
843f6637374ce41e9bbcde18606005f67448154b

SHA256
0880bdd9d3f0309a23498bcca6999d4a5010d1731337598610d7759adb28489f

SHA512
b6f49c50ae1fa34fc5055260347163f677b2db13fd2695ec85f6c7573aca1fa14afe62c7767cdbbfb88cbd0a18bb30ddc5d1df34a854c1615ecefb115ff90816

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
2bbe9083fe9ee7264957c9a6bcda06f2

SHA1
210b44a63885b299f5e1cb662c70e2b186e8c99d

SHA256
b42d05eb4391569fb78655fe9695ccabf748fb41b36a99fc41957153bd943383

SHA512
7195f7ff2b4624f4f8b2f6bbd2039cb3a5ca6412afe5f68bdd05d1034179978ab7fd48c757a87aeb042787bc82c12d55ec95e8dd7bc314a35058d79ad0dc2af9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
f68648a3a3b1610eb964a41d25e72b6e

SHA1
3d7132378d7d5ff8769c74af17fa057df3e2dcec

SHA256
2f4d77d70b7295b03fd32f04e740fd3c8bfcb74c5d84f27eecd3732744d98d95

SHA512
2047488ad7f417b310bb67b08c28ecc8dc82908ea5a3535773e0b864b381d0a63927fe8f75fae9021ffa7ca9f2d40a87f3a2baba9901b85d795fcaea678b5471

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
89c063dcdf45c333d486ae1bfc3afc6a

SHA1
e95cb36a3522a4929cc1f6c3283741aac48630a1

SHA256
0661377a4a3dae35bf22c2fe5b42b77e5bec6de86f37822612171fc425117350

SHA512
31d83278cd8aaf26ae11b150b48ee431f49091754f696e5c646726fe2094616efe504dcaa92a5d2a16935316c8777fde143a5498b514d7e7fae899ab574cf3b1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a27d1d62f0ed59233d98b2a8b12ac67a

SHA1
dad5de0b108e42813320371ef88fca503d863198

SHA256
9c5873707f5cc5f2c621df7715d6ffe18b9397ee3f80a4ac8216d11dbce31c09

SHA512
c40368b54f964681ae67bc1083b8821eec8fb4a7e1c02e959f55733ab7d6017dd2d8041f1756fe82f8104756318c0332c695fa76772afa0f05c6ad38bc940d78

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
c4f9856cfe763eb30e1d68879c8b448f

SHA1
d0d298c18efc26e540979516aeb9e9461b10b9be

SHA256
db1d6f5a1aa5cc4504e74052c5fea6b0df2f746f9550ad3a2139ea07b465e552

SHA512
907a92a1a9f736bdb0c1485013dacfdf9862a432ba0c02c8fcbd1e2bb920c30037ab93388ec275d5e2976367adb2fa985698acc523b6c712f5d04caa13e2b23c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
aa70aa24a2e7d7b9e23d6a12addbfce6

SHA1
ce9923d0e95727f53893e78422597364d6ed03e0

SHA256
7540eb02e18857bba4a55e8e6dac1617a9fe8d602050366e952352602b467f07

SHA512
93ab6286d51841a5fa477cc23cf231fc3965957f1dd766a99fa88069812ac6f953735aba4428a95de48265cf93e94580b5bfa3939f63e9cca5376c4ef16da974

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
545a0193f3604971046c47675850c753

SHA1
a8b8b380cd21f2a9fc8d8577942b3f5e50227099

SHA256
134feab735804535197ce1d9a40bf02a31ec85e7c82d04017099731cdd87e410

SHA512
7530370ca8e6a2c64c47343cf0eaca3aa526bc3ddeb0f454fee4110757e12d9483b8e633484055ce1532cc4b7ac47010c69c4f1f8a2afc68abc475fa161f4045

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
eb0b56e91b629c77e7c72bf377b7ef9a

SHA1
291d27868332b40963b79d0afd3e066c68274457

SHA256
755cf3a77099c8c595ee1faeaf0568b5fe71e597d219f49f524fb24a23655102

SHA512
3f44b36070781e77974b8caf230177d95cfd007ccddfca48a210f90530e2d711fa9fcc810ff1647d83fc3a0e6e8859ad1b15ccf6b64460e7bbbd23c7fb339503

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aac22e69f81f5ac41147bbd834d924da

SHA1
be75bcbd41713940153615188a1a3f6af2a6894e

SHA256
56df9cc132e41250f8c477fbd951778d7c733ebc7cb4ba0f67238cd81881debf

SHA512
990a25179d13410be83d7775cc625cf7c360bc0d4d6ef80574b5ef0e19b18f0ff20834470ad55602cf5954abb519aafae979a1471435683425f5b9ed258456a1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
cc910258c6f7bdc3b00325488dddbc04

SHA1
71e44888093e2882059bdca35cf86acdc5336499

SHA256
8010203ea4793d59b5727ed080319e5f04ffd4caf356707c536eea1f79ea128e

SHA512
39e583570d5562b110a948c2aca3c367deaba52ac37d1c8ee5137754d50920d4212c563de8d083a1b80ea0a34462c3422d3de4ff126f92f88e116a1672ea1e3c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
d4ec65686b9e8e9ffa7729333569cd88

SHA1
938da647bd1e73c51c78ec3589c9bca4ec62aaae

SHA256
10148f9d08224e8bb2a5a1946526c05e386dbaafd8de131b300d107be147e0a8

SHA512
b299408327fb4534ed88f74a43ee048a03297bf64d4d21059bf4cd60eac2c734cdfbb593e7b8f06545477ff805cbcddd3c030a4d293c224f175b395ec32a0b51

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3ebcebef7fca8f1ec4ad9d223c2aad70

SHA1
f43d158d2fe2e65a9169403fcb9de231291b8a2d

SHA256
34e2249bcb415e3418385dfdd4f805b5fb0a7df19c5dac44b1358a21217e0266

SHA512
1d4c31316f776d6e074eb2ef1ea8806249da38b8fab8d78e59fd5ba519a4bad25e120c33213009336a42410945e6c2069a3cd012de4ca640664d3714e55185c3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bba5de4bf59842bb31ac28b91501016a

SHA1
f82a8621a260cb6a5cce8dd85e1a4a466dc82117

SHA256
aa30b2bd57e624f94571f343338d0e5fbda322a437c9a17e5d0bcd808905332a

SHA512
15a505b71223d9ee4136929492dabf38bdcd9a014716a292ca41c286a9842a8629d447294b844699e8cb1bcc95947c50512e36f8a889fcaaa75f1692b4abdb65

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
64210e502d2c089c8cb8e8f1f01f94fb

SHA1
ed0f6a8c2548472b5a34f69db3497b2d64da478d

SHA256
a49695cd9fe13b28e6d454c838d4a797c88693fd5d7bfb7d6c940e11f07f65ac

SHA512
26d8cadb696936aa4da8d35a7467e5482019dad01cce79a856bc7f80595fe31c7d89b24dd595660906707963204da168121afc08566b97827aa0545a82fc5d41

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
529416f7bfe945c3529acfbe24d87124

SHA1
5075e9396b6cd00d564e07d4086b4c6ba9017d8b

SHA256
e6296d1af0d369fdd48e91c1d675f42caab0768e4025c984bbe878fd43504486

SHA512
7be56aec0e79eba34d6da278cf28d46934d88fbc8a34b3ed97685d5638140fdda1470b8b9c8be3895cf99ab603bce0c2193f5492c67d4282146fab38ce14f694

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
332309c1be97b7e9fe4aeb6c3693b77f

SHA1
6bfd46e78ecadf842f1a0038c51903b7347001f0

SHA256
4f1be85a37a0ec13a66df0d0f324a6613c9fa9f07f50d6f9c6173523d1b04a3b

SHA512
f98ba6e65e59447a95930c712342832839fe94349cbf869945e983a012c1f7a482e63495922d75cb8b2d45a0b40f6ce7377edc119dd65ad4824fd9f2f116ae86

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
27a0ae03e63d0cd87b6b77efff787c5a

SHA1
b4d739f3703144b7ee39d31414d6f6d546500475

SHA256
94f0da5bdb3ef1fe707d012eb660b18f99963f342ece3045bd0adee0658df5c7

SHA512
4d28ca69380e7e7f4e957d9f9244220487a6266d84521a59aa53871dd427f252178e7d960f73ca2aa595b6e7d70d4236506285c962de843140d1ee5d9b7674e1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f44e30210b31021500f60496a03c3f5d

SHA1
5d0410a0028ac0c5a6db8f1b69c7df1f7fe29f32

SHA256
dc4f8e6216fd6daf6d2a1a64d173cbc0ded176d9d354dc51ee0dc58f7f80b1a1

SHA512
a142fed04be26c3e4ecfda76c5d59cd803c04f6a810418e852dbbb1651218c0d4e92e747d82eff0bd4a3b193e6dc25de8b22617c6e1a63cdc88f413f8ccbb77e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3a304165c4613984abe4056a6bd01ae1

SHA1
17e26f9002f7acc1131f624adc4b75681f094598

SHA256
315a8d841370df5c816af646b6b097de84fc832183bb64b13d811f6408fdcb3c

SHA512
3546175115b50295b896f67009dbf79a0537bbfc62040862789df325aec508107409c9a331e03a9bd467d05a6e90ca8f0c5d600ffd5be171483914ebe8f44b57

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
558b28c01401af89820df4687f2d8cdd

SHA1
1604c736a118bb6bfe80eb815b8034b26be36da1

SHA256
2cc77df342fc942a281f37910e8a882e7e24a3ee21949aa9b67af28cb537e73d

SHA512
dbc15d0b1bf88fa8802a223ebefdc5f124504789fed5d9182464c20176ea1e535789a0dae101fd10de52eeca3b603b447419864246a96fff3850f9787e698349

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bb3139e8408dbd054c4f9d6259fbf228

SHA1
36b426108bc7bf8ee8d32113ad96d469db983d54

SHA256
63561c79a2410b1a5d06b430254b46039bff2314f62c25b99abc2a55618e7b3e

SHA512
10770ad92d0c651f26bd1cf2139bd3c94e1c46ef86a0ee6e2293222b73bf80c2c3c78453cef1af3fd05b2f8c3a013b0b2568aea0251f48adf371d40dee719ef9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1f7aaa933f1b1a48a94c46adf45f79ec

SHA1
ee05d82243241a6827721da950bb83541dc76f77

SHA256
b9236fa4d2f46d535ff9391de56a60180d340d6f9834dd18c830b3f2df06ddf0

SHA512
8f60221e8e1111a4ecec9627e6ce204ddbdacfa631b0f203687915346abbebbf218cac3b66c9992e198a036351f2638af95ac16084ac22495b237b1f63acf7e1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
347574148ca11ab41f35eccd56219b74

SHA1
1d1819afd229524c7d11306a12df68169468996f

SHA256
091714e8db4872f2f0a369824643d82ffb94cba3fa5bf14adbd036b67e08759e

SHA512
6d45d06c36a0f53cc2e6143abc156680bd814c87fb629eae7a7632ff810be8bc35a10e3a5f8921c6379ee7259d508d7f012079acf08ad6bf8ca1b529b123ce68

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
51609b1d833cc96747abee8a42c6ebdf

SHA1
d39bcf32ec85f84ff4caf8820e5635689e32b84b

SHA256
5c8b745de5d65bef13e0e6c28e7d9a5f708ddc2461488453358ab61bde8dc566

SHA512
20c722e63a7924c360020712be3ed7a7591fc9b8887901549b891bea71db9ecbba81e92e49285b28e8a716fb79aa36cbbdf3c88a5944ba8af8eb3b590b5cc266

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c3d2c957764c5821356069114e57bf28

SHA1
85c2a30309179e2d75816876ae3aa40470e2a7ba

SHA256
d441a45b5a706199ee2d0472524c05d53cefa542a9edd2d383fa27282f08bf66

SHA512
d37168eb25d4af3d8bd9c8fc00bcf134c3e2263fbc83e876eeaf748b41ccb79c2b1371654f1ba37c74793860a6649c4c08abc609411ee2606d06e933e63231b4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
fe40dcd721d00fafbfc3a7b701d8e0fe

SHA1
c5f833fd0c79e22527e8dd9930b99df8c09a79c9

SHA256
b6ef7e890f8f6d20240dd796ee4823250314a344efffa64ad733de185f2f29ac

SHA512
963ad822690a80c164f7bdfd1282e9dd46e249ae9a7e47c7913b57c1262e13ed0f1687e12ea8e3f929af0dab662280ce7e3f4047f8c902396dffe72375bd576e

Download Submit
memory/184-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/184-495-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/232-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/232-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/232-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/232-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/232-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1216-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1328-545-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1328-166-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1332-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1332-132-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1864-131-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1864-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1864-40-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1864-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1880-241-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1880-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2436-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2436-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2548-82-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2548-258-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2548-8-0x0000000002400000-0x0000000002466000-memory.dmp

Filesize
408KB

Download
memory/2548-0-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2548-1-0x0000000002400000-0x0000000002466000-memory.dmp

Filesize
408KB

Download
memory/3068-100-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3068-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3192-383-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3192-136-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3532-151-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3608-90-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3608-96-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3608-89-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3608-158-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4224-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4224-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4224-357-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4292-115-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4356-108-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4356-103-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4356-162-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4356-102-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4540-101-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4540-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4540-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4540-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4828-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4828-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4828-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4828-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4880-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4880-512-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4920-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5032-152-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5032-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5064-135-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/5064-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5064-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5064-44-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/5168-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5168-546-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download