6f7b3b05018ab71f00f82f42be46ae67506996c69e94a0cafe1a94987ab0ebb2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Size

1.8MB
MD5

2e6c16201a0611820aae55c7987cb1fb
SHA1

c07f07ccba4a18ee4aac75af14649d59923e4df4
SHA256

6f7b3b05018ab71f00f82f42be46ae67506996c69e94a0cafe1a94987ab0ebb2
SHA512

5199c91bf8845fb3c5189ec87f977b319a3eaa89944c1d15c48db547c6e206ece0310cf692eabce90eb43f0cab9d291e9ebfb5717dd3704c163c3e78f363de17
SSDEEP

49152:uE19+ApwXk1QE1RzsEQPaxHN8EjhMjSax84:T93wXmoKkQWdO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4292	alg.exe
1640	DiagnosticsHub.StandardCollector.Service.exe
3204	fxssvc.exe
2084	elevation_service.exe
2212	elevation_service.exe
2308	maintenanceservice.exe
4516	msdtc.exe
1388	OSE.EXE
1704	PerceptionSimulationService.exe
2512	perfhost.exe
2220	locator.exe
556	SensorDataService.exe
1808	snmptrap.exe
1548	spectrum.exe
2036	ssh-agent.exe
2092	TieringEngineService.exe
1052	AgentService.exe
3304	vds.exe
412	vssvc.exe
1620	wbengine.exe
2176	WmiApSrv.exe
4136	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c1f111ef92844182.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EA7A97D8-06D2-4899-B7A7-E79850B51060}\chrome_installer.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{EA7A97D8-06D2-4899-B7A7-E79850B51060}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaw.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef371f2626cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8327c2626cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000902ed92626cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004127742726cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c8f192726cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005747702626cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Token: SeAuditPrivilege	3204	fxssvc.exe
Token: SeRestorePrivilege	2092	TieringEngineService.exe
Token: SeManageVolumePrivilege	2092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1052	AgentService.exe
Token: SeBackupPrivilege	412	vssvc.exe
Token: SeRestorePrivilege	412	vssvc.exe
Token: SeAuditPrivilege	412	vssvc.exe
Token: SeBackupPrivilege	1620	wbengine.exe
Token: SeRestorePrivilege	1620	wbengine.exe
Token: SeSecurityPrivilege	1620	wbengine.exe
Token: 33	4136	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4136	SearchIndexer.exe
Token: SeDebugPrivilege	4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
Token: SeDebugPrivilege	4292	alg.exe
Token: SeDebugPrivilege	4292	alg.exe
Token: SeDebugPrivilege	4292	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4576	4136	SearchIndexer.exe	110
PID 4136 wrote to memory of 4576	4136	SearchIndexer.exe	110
PID 4136 wrote to memory of 2276	4136	SearchIndexer.exe	111
PID 4136 wrote to memory of 2276	4136	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_2e6c16201a0611820aae55c7987cb1fb_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4732

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:556

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4280

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4576
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d36b095ec2e5146e6a24a28bba7d886a

SHA1
1de9748c9c618b9f0fce08321dee9f531c2131da

SHA256
802d03194bc1bece2b3b47ae1c8e11066355788e4d7b8a4a6cd8fa108060bca3

SHA512
0f15d300b772be385d63f814b0ebf73b6a0b81ec1de08fd5e70e2dd094a0d43008d694e2e7ac6f49abf60d80f8b16023767cb7e88ebc42e9a9453c0b06ca2888

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
96a995cf0a2324c8d6a3cbf6606d20ca

SHA1
a4cc74860db83bb6dedbb19803882644325a6090

SHA256
b477f09ab0c79d7d6ac8af15f221768c070d5e3a1fe29e6b5b0d16af45b993c8

SHA512
23bb9c1d035d683caea30ba48557a49a49fd56187e017fd1d9dc028df36782ee58adbd447b7eeddade0190d1ffb19c63af6f7dc06f0e13abe20001b0fc92076c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b44f76fd1060923d124465b641b7216a

SHA1
2954aa15d9b8362eb42cd53df789bb6c5d36991e

SHA256
e34d31b4106dd9bd8f658fd520b22379e24538809a9b9ecfd06d0c2924001c90

SHA512
d6f67c96093d18163382c880bdbc8e977438246ec6fab2965b5cfd96a0f19278cdc144287cdc4f0ff490286845224c403394ec5e421a881edff6df5b345e7fc0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
93847ffc40a6e17ba7f1945f1da94b06

SHA1
339fe17dc52dcdedb3d0fef5e669410760a4671d

SHA256
d933a97fbead0d397e52ed4d44a1c2cb8cdd8fb8f4326b304e24b64d377b7a4b

SHA512
66b6c05b8900d4f4dd389e361520ea314cf628a354f4927354870a12d9f3f968bffc26afb977dc314408e111c817bdd476884d93d1234c59e2827745be25b5ad

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
db89bb968b9504c82e0c7f54ee442d49

SHA1
8780f6063835e5c009f8cbd517467c254055d4b4

SHA256
2776596dd646e4a7279b3181a374c319154ecdf6067faf45347c901daf0ba15e

SHA512
58931d97fac7f154f596827fc9dc98c921897cfa1c7f52e452dfab636d6884a33a3170c1e73d273c9c453f4ccead040b8bcdb3375c2c0e2f1f48e97acf98dea7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
52a5fd7cbeda736a4bb8f156ad730752

SHA1
86534f33c3a45803d790d59df8745a8713c541e0

SHA256
f75dd9d811b455119a54ac96ab7950bbca7194376eb4715ca011fb1553199220

SHA512
162ff2bc20f6b025120c85c0d07693268d54ba5a8880237bf16a32467a6dfea119f0b993e04f9c1c18301b0eacb92e7346a001159bd29234d2fe57d47a38a1b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
bad35e6e815b37d93e68f9900c589b25

SHA1
ac8761530c6987eebee65c4625aa0750828acbd6

SHA256
9fda99a2e9bf6b11a3f8aaa921ae2dfc467afcf835ab4469ba42f9fe64372382

SHA512
69c7ec365ba383026e8fc110e00fc581112f43bcbb176e4e1629a535f8518aed7ae9dd71c2c801152fa62c435d82e3666167704429d1424c5466faf39afc74ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d4d7e6e26db6c1d35425b4c9ddde3cb5

SHA1
a2ad745e446d5643adc3f6ff58c762ece882b2a4

SHA256
491891643eb45339180ab75ca43ab87c09cced6f0f778bdc00dbbe32301a8e99

SHA512
abc4cc92b95582a1edd702c53c71bd8fdac330b6778e82cc75c8d571dce0d4605daa9bd5fb28d4143a7021b6cbb17f72f9fa194921b7a0b42c795e99953ff2b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
56c3f1400405e0af19de4162d2e70d5f

SHA1
0159c45c9089c4853b1cc2937c5e0a70b1cf2cca

SHA256
89b8a384252ae4ce720da4c9c705ef0ed0fe8d46a7b812f447a36994fc4bdf2e

SHA512
96bab901efc65e37ca3310da525eea72c6bd8e7ca7fc3260fb5c81b292a8c6bca7cbf9025c0ade78bc2e409ee29ed0645aa5e504b19ea84ded61f6d4954cc309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5e567e56db6856c944427c23d46b356f

SHA1
863fb9d94200d1d11adab2fb225206b9ed3d0ac7

SHA256
2996f7e34c859a1ebc4857f6a0bb194803a20ec7540a44b37018b681ff958886

SHA512
736a00a255bf8850a36734459e9c46db528cb66544af1f6b1891844a0e08f3d3c60588f6c46573d7e37c7c44b2ab7f017c08c9f4e68958e0d22ded74f1d58410

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0bd5c432bc02f973c43ef1f06e3e1723

SHA1
a3aaaef65f711fda4a83cea9749d396f09625a91

SHA256
9501235385a39890b8d732b94108a8765eb5c0975cc19fb3de425af2e0e0e45d

SHA512
6e930d087dee30c8cbc53f5f547f4188078da3615d50653fd42ddac13329fddd8ce94f20495374faacf984b6e88fa4417451bc98b9827db0de7a190f34d5fb0c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
98e195048705c11b63e3cda454a5dc24

SHA1
5efc7b1f827f63ba968f2f0e8a5b8726923d4a5c

SHA256
01848a5f888e93a67f9d7f02ebe2dcc185d71fac34579ce3db584d46c9d79f3e

SHA512
660d023a2ea430b3468190c349f2b58ea9a2397fdbab207d7e1879bded84f541a737fcb9d8ab8a8cb4e3f527bf1836720214f7668deb8da239b3f09bb90496ac

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
df5ed7d3a16ee234683dc9584f4d1fd4

SHA1
7dfb6d7d817e4e37be9e88c1e29820a2d1a5bef4

SHA256
218b868886ad6c60e38e4b096492a5fef91aa9362eb92c7c3ecb2eb823c80690

SHA512
6ec6a80072ca76ffa09aa093ada9a7bae877d0807951c671e03584a0199924f4131881e398f77a4ed2db8cb4b711008367c032ef8b9676f673364d9bbe033539

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
69acb5cde1dc2a334a69bd926f2a9224

SHA1
7a0f89d1c6f00b5fbff1f681b755d99e481480da

SHA256
326d70aae41c17afda499b6b6c4d22e7ddc28bf04e8a64e75217aa0ead7b15be

SHA512
ecdb882fb0fe0732931d25d3c96cf5c417a2c53f88c23f7fbaa080bd00cbf0593d537ee7ede474887c9c0d0dfc1e57ac393361e0796c87c5ee4eaa49a9dbd31d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
781ac81a0b9d73ec3559382678713ea0

SHA1
2e3ce6422992710a26dbdd3438ae2b7d2138dcc8

SHA256
12edb660501ad31f06e82630af7811f137b41f1ef622b55131c14020648fccbe

SHA512
46425fc9f32816655517645c4696fddd7ab58bab7562edf612339f2463b68ed0763275083a159d3a86ea4712fb8585b0e5d0b50e02d41b1b26192bd7fbad80cd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a8a2a007a50a2f572a70fdcd7be22d5d

SHA1
037ac3a4abfc149b40dc69693383aabf1edb5474

SHA256
cbde48440358370aa2a3438c1e7282a0777bcca6666bd1e639e482b34c4d081c

SHA512
6e0f9579b06577681bd3a73cec31c02db83c6161b9cc7d740965df6039c95b7ac0f40f5f8a7c3ac661b7d9d389b9c43f95aa47afddf754c108ddb0df71716019

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2581beef930f05bdd41ecb32c8361ab7

SHA1
6833668a12359cc7aec5ca52f6110a87b1dffecf

SHA256
c865b1071a38deb2b695a6a175a6c141a151739b91fc47d29f5b03f775ac45c5

SHA512
b7aab91cc7f49ff1a6820b1b392bef51ca51a69f14ab318bde86117edf9952e595584ac1d5b7634b9244357ccd27b0e2b328ea6dc7ca4e80163d01d4d98c80b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
abe5a77861287332e94b1fa929439288

SHA1
ee5200a852f5f6ab3c1fa4defefced8ba203268b

SHA256
b44e71dd13a6771384340731f3e0d8b175687f31d789273bd68ec2fdebca122e

SHA512
88f41084dbf3b2b2753cba39e7f4ab9640bf5b66c3ca4b4c02c090e0d830f57102be5bdc13555c70ba2ea728f0e070b7bbadb4d83df0853b1e3424ac24026c1d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
58055a44281f1ab48a24ab3909f33e6b

SHA1
060168cc4699fb1625e5557c98e03f6bd0196736

SHA256
5acfa0206b51598bfdd2d6f724b0f9dce3aebd516da9991d69d921f8469828ce

SHA512
f4ec368872b832f54dd1b4bc5a0778f711a32636d73397855f5e1d2457b5e7c0826e72610d7984354e49333d3394793f21c05e711d43791399e874e564109806

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
42945288b2385ae22098c63b3eed6517

SHA1
666fdc372b690050a9dbc7cb4fd9044ec75d5cc6

SHA256
08f823af0a814323da1c748a9d6075eedf7582efafd6572d8941d75668015e0b

SHA512
36234af2161fd8f762dbd6796b5a2ce707a51553be8f5ecbe6005176bdd23740f67f76509e723989519996313c36ac9c5b75167ec09099821f9d4d955297dbaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
60b886ba53f2444662c7a1743cc43e34

SHA1
a987c1e1bfd4ea3b6574dc0895d98bb865f5811b

SHA256
1ca208823c7b5979390bfbcb1aac75fd9e778183bb48a8645831c33a7ca663f2

SHA512
07749a902812bdd8e4ec5866673a82a109e07351cf1803abd8cf6145dc92ca5c981f4023f18a1e5617cd70d2cb452dc6509a61bc6efd28bbc574e572b838df86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
4fedb7763e44b4e2db0fe029beb03f30

SHA1
45a3e9da0b66d201d43d0a806f19168e7b7f631f

SHA256
58d8d4415cf788f42582f428ca11fd9db253f43f7074b73e024660ced98abc8c

SHA512
8777e51662afa7b2dfe9a39ad82dfbe532dbe011567753eeec713fef84383f257763d66032f9efd68fa1a353b43101dca5e9c45eb6212c14a227283b1810211b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b84a11bcf95a6becdf834a8c53f557b5

SHA1
dfd87d8819b74422fb2c4f36346125514e150a75

SHA256
8f45b67de1f7f80c414931c5200de2ffeb7a6ad2db811e3db9f313539b4b1438

SHA512
41377094bae8b24cfbbbdf90d95d8a86a32ac0907acac415c712ea142c5b542242334b14f1d48dff2168962537dd9bef09b9f425956853650dae04a0aa94ecf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
424f2400c4c08a7c70be0bbd8b3971ba

SHA1
211240ca18ae27f13adfc14720eabedf1d78d29b

SHA256
8011f7bd2db439662aa3b30be1605a290c8af6c97e2fdfe939a0e74f947a9e13

SHA512
ec29cbba9672effa628e02e2e953aaa6017a7cc2326fdb651eec20d3ab57b1c1773b86b69babb0e26e754b98b6934be6928ebce15444cb9f5938c8075a9f60c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
a209b0234f6472a8ae57a415a43c4c99

SHA1
8a82239f17306669484dc4b35f55a8784ea3c43a

SHA256
47d86657f4cd3eb32037b0ad69896ea9f2c83e557f4c1377bb15d0ffe87d77e7

SHA512
1d4d4073d8d31e78b29b8bcdf7ba0c107bc795da66baf4e0be091b13a1ca1cbdcfe49f0023decda0255ca2c22f3c9bd445019dc49aa5981780df64cf3e80338c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
9f534cc67633cee7b7ba7c6a0ad8c71d

SHA1
01a6effcd44716fd8c84bdbd0cba32ba5c125374

SHA256
8f086ff5a8c850a86c061d5259aea6da9521175c72ee6b7da146b3e6e1fc367b

SHA512
f04239a5abc3204308252c775b63a85b0ef41c4d72332ce71c0da0d9054503f778afa9cdeb5851b787520a7e6b384fe4d8a273a61da057b0c3bf818146b78ea8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
eba3f3128611fa01522ace4bc78527bc

SHA1
0bc4ee6fa6ebd92947b84f7524c610d0b3ab2e70

SHA256
346e3b0d4d7b0c48b1bdc384a6dba593348e7a6e9ddc9b0cabe9a4e9aae9b819

SHA512
977bae4536ceeca2c908047cca0d4658c6288f0fe1735516fa0d44cabcfc5bd467c5090c4b78fc178b9b417363b9a3d06fd06104bfdc5e00f01b5336be5fbd3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0756a6b85e2467c86713a2e08e1c6d82

SHA1
5c85b7e8c26225bdd583666a395b6ada6dcc0256

SHA256
bf00397f8d81777df9cef4f0985ec65e859502d6427c00628ed3b9aa165c3043

SHA512
7eb5aa4564c9b60ac9f47cee95e4c57585208be872d2ef9522ad11c305d28e2e80b20a448b9019fb41efdc7ef52fbf0edaa6f3548694e904879f9aaa90990774

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
a929a18a92fd6ff350f99f595e6b5dc5

SHA1
552acd052d52b7515043ce7a9de1d90697ed5f4c

SHA256
28fc3edff4a7e37835fe93340573ed43071b7ac791580a005d80be880fce063f

SHA512
62be4d12bf8094a1b42af55ec23d64526e6b5574e11f6a8bc4fd2129d57ad5c70eefd4ec03ad0c437c8d96fb5285eb46cfa9062e0f618894633c033bf4768db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
018a961c5086c45d04c04d5b7698f410

SHA1
551519162e19778935bb510d8468753c2119ce8a

SHA256
6c80bc920a12bbd888ed9d3d0954ec0f5be35ba9c0a2a8b8f8bdabf7afdf2ab0

SHA512
353c2e0241463d677da86c21d4725bc088699b179cfa54b8fbcb7d27a566e2d00488c0c07bab8a4ddd4a15736d65013c3faabe680147d52092503f0dad842904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c0d45e3b52d54b746473c17749fef31d

SHA1
fc2ac0302cdaf2a1ad88060e1c2f26bdb03f950d

SHA256
79192f9adb8e97470a75fb93add9838c70770145ff62574fcd615283ad645128

SHA512
a333f20a336e1156e6b94fc0c324f43211e803ae097ac0b3575398d86ff6b0f8ebe58a676b4386112471fc98a9498097f34f083a9a50bbecc4d876bc2f64ec77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
7851db997ddc19d4283ddecc54b56c0f

SHA1
ef71c8cc616fa6bfe71c05c0faca822af0deeddf

SHA256
cbf16aebd20eef72f31ec9e19c5fb7fad7013bb4b27d6168c35ecb3735e6efe5

SHA512
67e02b6899ff9e46ab77725f7dcfee6fb758c1bac3d98833926f0d9d715e23bd90100d5ac6a9af27a5762952b7bf71358a09ac855cb807a6655e9a71a1f8498c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5ffd09831fc4e0cf79b8bd8e8dccb95c

SHA1
15d3880d0a2d28b2998ba64e5f1fe7a284cf758d

SHA256
11c8609110ac3b1b540ff9a832d6ced3776311648926b7cf2af8e6b66864c168

SHA512
a818f0813aeda78e746d6d8effa27de4ef905ba4e683738b0e5ea60e333c27647e64eb8bbaceb3b618b877af8f4bef4a7a73492de34f5b9a92f46fb014b616c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
6ac3d71e536e76c6b1889b051f63df5d

SHA1
af0ebc5f3a8ed62c1afaa430ad8cac29148ad7de

SHA256
e75e85ad6e36cf397ce9013a17210c5ee1145f3d3b63a438444f7aa4628af245

SHA512
addedd2cc9418174c4775d33095493d18ccccfef47cd14686a7ce1720a0718c9a5aa4868ff0b4f0df42e1ba46eb9d979df28e5e0974e973f489ae6931ffb900a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
096fb6eb2856c70c9829b1660ffb7c69

SHA1
d7266bede68c17f93c89e131325d579e9841ff56

SHA256
7cd9b3e23448ba375121c1fa2d59513185c190a8758ed492fe508416c8554309

SHA512
b84699bddd1ff07d402a2a47707557d579b069440205b119a485ecc4e16fa81bbe9f36cdd000f2a3738222b7aa0c1bbbf8e1ef6cbfd03f1dbd36ae5ffe99aa01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
98328152c649998ff63aee2b75378e7a

SHA1
9208c7fc59e3555ed48d57aa872e393d34ea87a4

SHA256
43a9af945ddd592a7fea1edbeb5da6e6b7460f19cafce1707c3018217afe160d

SHA512
f36d1163e373e6ec2d566c912aa226865f0b32b0f6dfcf7aad7f47c0de5a8a0c23a5e1ebfdcc182e0e2000ce8c8c7edc9576c6b1b69c64e97a6cd44a37ac3802

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
aff15f111c9cd97eb9eabaa96377ae2a

SHA1
53a3adcac98c3274386a2b1ad02565943a649a64

SHA256
8f8d15501021461acd20ebd2d44753a84e5778ffcbc0f2b3e39a37a31aa67c93

SHA512
bdd1dc99791d4ddc143d728fe52d4d5497a389893bf19d62d85adfab21f3fdc5fde91b452678780afad7133e3f7e56ca5f2e1a3566248264bd4fbb0b073b3bab

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f0be6d5ba96522f745705e2a2f9ef2cf

SHA1
f8dca6ea11cd500b52bba56f027c2e57e08f696f

SHA256
5a4fe8e0b905105f79c25eb5d4b4166ea9cb45d1f857b2d14ab699db5ab16a58

SHA512
9da67bc3164aff49ff8779b8fc41df589e48f46bd8676f70342a7eade4618fa28863189e40e136315a1872a7a645b851576ae181f0155fe1d12e7210e3c65ef6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2377692958ef31897ad0e464c22254b3

SHA1
d21b0764a783d59e94bcb3113b036d448a04dd2f

SHA256
b699ff79ee1fb3874aeb68dc9c21731094d87bae0af15b9deab76ad87969cf0e

SHA512
895f3a86a70ce7f23e9f563624139149148a10b399c648849462c760a9e286f9d90dabed9e6cbd9a48e8e751aa6304bb6c5be24348bb7a834d8d5dc1a30cf2cd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c5987ebbe838cb50d586c544c1461879

SHA1
86e90c5224127973f0c485678bf84564fcade3a1

SHA256
2e8b17a37f593eae8fc02616201aafb1db63bea0e8599e56bc359555af103bd9

SHA512
873ca34f906fd004e1e8822eb1c9be4367653f4cf53b66623a7091e714d36c0d1764f26a3274894d25e40326e667344294f8ccb3146599d279034461beb9d929

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
61aca2df22aa14d6ba4b7bd2642357fa

SHA1
a1cdba601385e5654bddd03b15eda26763d0b4cd

SHA256
d48c4616a32f6c514e25b7759c4d3f55a77086fdc61f76757a4e6539bb414d41

SHA512
33e1a146d789abc12df1ae5dfae80189f7496f3b0cfaa17a8dec41786e3bcd3b18bd361bab0be0c46fca28b470a4e990ff1122b0b172d0b7960861b55ea2bd71

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4e088f6536361e21918871d9b5a2e96b

SHA1
8f7edb82b0d8d5fb95cb5c7b7facc1db758ae95a

SHA256
b1c2409c9b8e695a0485c56ade52c55f2677b48052927f94b37af7078eba2539

SHA512
f234c4781dd199d42b3393fd105a8e203d53a16400cc847bf1951f53edc16c8cafea55788e50b554c45de508c2686ddefa15f52f9d7d6486297c7047e5f3385e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
59cd39c53014931335f08648f69d4d59

SHA1
118baa29971aa719c941be88db2c53ff9928f9da

SHA256
913b09ec674e9da004893d6a07095f8276f130e68da58a84d86340847c33ce85

SHA512
2cf94c4134554a6548e8815f23122c77f1c661f749dd107a48b1d0b7b69ab8f05d3353373ae8c72d4079829eaca17bc5c709dd83194f651a53a8c9971d078c61

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
9177914727d1db8622c55a2dc507f7ce

SHA1
77e8fa8d352fc68845099bc2112d3196879db7b6

SHA256
737963b1aeba41ab77d9760babcb5ece58e502b642327036c0498dce82dac2bf

SHA512
f860e981f388a43fc825329a851a5d1b5f09df6e642c775ddb6a8175a63a2e6d3ea408bbef52f92d266842999b7bcc2bee2b8a56ac89613709a25167b47d3c7b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
eccecc6189e7b002e794d0a6b8db4bec

SHA1
10438e05e8f45ce40c75d7247f54138e0f80f4ff

SHA256
08d73b191e04c79aef8d93232de09da1f27c648ce9092fae3b3647a9598d89d5

SHA512
ba1ecf8f245c9164b936dc2b3fffbbc4592d92aad445863f21745c3059dde16ed006d9263b575afba22389620695e8d10d9c48653af84aa0912b3fe220261422

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7225f0d293d7b327385c5a79339253c2

SHA1
daf8a19009410d252eec84fef81655bb69531fcd

SHA256
f7575d64bbaa21f82f7298491979270d504a49529374f18cdca579268b602f9e

SHA512
e8cd096a7e062fcedb5e36269a479c9f0f6970daefd41bba488c0be007d9a6e5509bd48d9a938a725d1d4149f441984226f8f9395270aa16d38fa2b4d34b6d77

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4f9674402d430232ea64d889b6e73950

SHA1
caa26bd30f62cd7b6c30cef215122bf52137aaee

SHA256
5b68e880049fbede6ff96d0e2cde2d10ac6fc930a87aff27f7e03e6e8e16b62a

SHA512
11883e18e2e15c3b98b2f5557af8fb773a533eda05aa8ff1ea294786b82ddfd2161553bc35c7b971ff08ea62e1f5965f7ed3f7c6e72e90da949db94492efba24

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf4a11db33d496accb8c37692ea4921e

SHA1
4225d6ff0e60a9e4940489c5dcbcd4fe79dbf37b

SHA256
87091aaca5c970d85d8fc82fdc04175256a2b0eba89d90cfba358d1b5682a183

SHA512
1e81685df5cac703c9cc57a44ec17cb8b83cd2d068ab9b6fb704cc2e1f54447040f7528702112bb2366f24a6f0672f5f864e6f9e28587108ed22dcdc76b5737a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9afab5189680a16bc1d19a1ed08204c4

SHA1
94e4a494aa57ba30bfa71aac95b6a3f8ca8ceaf7

SHA256
581f78d35e93ca074b08de4e39f2c5944cae03a6010e95ae754b464571ff02a0

SHA512
30270016d9b3c4c8252f92c79caf38714b5d755a1075943752f8f9479623ea636f6e46646e7f1a0c0fe3b0d0c1fb168c7bf0e6028afd3d2177303c0145cc4298

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bea004de6fdb7cb34d0f6a06d9cefa76

SHA1
45b3a0494d20a8f0800720167127879a2cb8b380

SHA256
1a868764b28f8dfb0a71abb5d4556f64e0381d94a7be80ab769ff35f747c6060

SHA512
8f5e55d77ae8856c4073a2e71aaa3c972d06b209e7e4a7888823ccd8d3705cd23fe14d55f52c20507137d5c77e9b705b4b6c9046b683f563399d9c9808c641b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
72bd4e94bd671374d484eb12cd12948b

SHA1
ef0d5f304056cc8c0a22131587ffae9144353596

SHA256
5885cb3675ffc18ecb77119cdb18e7a97d5766b2544460fce6c27924077a47e8

SHA512
f79db1871a9b6ba7ec0491f65230c8445789e301c25c29226ce7ee45fb8f525465a066108cfab5d0af6d6bf078826e2195d997b0948e81df633232a5fc5e3722

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b1033442fba0697f7526a7e4ff179b56

SHA1
18fb3cc155cebf5a14e02653d88eedb38f5a2f68

SHA256
3679fa786c8b4148aba8ad7ab9be8030d6f0f363e372b0d41a7afea6cbb740f8

SHA512
f16a914ba57e71fe593f23a1f85f370f85cf0ea78da601ab43010809d4937db4e88516daeeacc1d0fa4092f1807967f37998b8638e98327ba5805148a0ed2023

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
55317fbea240db58dedb588f5eae80bd

SHA1
bcfdca8790a54563d93097ce08b31773a3fc804d

SHA256
8dba82253ea7ce6e73648b707cb3cc81b819e5046a997475a54be6f2d0e01637

SHA512
93cd09a302edc09517dfd8579e1e5660ae1e05458e4467bbd13c96ded0ec511fb8d7715b32a296e244ab092a385bb0fc4d91040165cbe8cdd3730befa6e32102

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
798cc0a75ef77c0b582095985393e75c

SHA1
9fa1fbfcbe1707c8f1effafc2ec239e5d26171e7

SHA256
ff2c5d5eaac727d24119a575995fcdd55cbcfac30e0c8a3bdca421740c55c99a

SHA512
c76b020e8f363b78f08ed47d4c670e8af81839ee463a782f2d35cc02400cedcbca55f70ac85e30d51fead4d114dfbe85a5630f34caf0348b300546c73a278743

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
bcbf3e63a8dbbe7754ffd055626062cb

SHA1
a3f327c098a0bd0d2fd9cd4eb869e83be29a360c

SHA256
07144feab58150af4d615095947e5c2bad614a95b184c59c5d92d3f9ab2623c5

SHA512
cde9333a4d1b9f66edd3e25b76cfed883a7d80ac7283589450e7f0023c08ea76cbf50a2d44297409657571a8ceb041da271fec35c5cc42437ffcee850d4816bb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
be3d6c0b6df3e5aeb8194e41945970c4

SHA1
fbf033c8c7e08114a1d2eec6f4bad2e087e69c29

SHA256
5fefb9c3d9da5ae9dfa75a3e5f1b62ca2af68463aedf2ebf335aa7c4613a6499

SHA512
9f7b42d43a720e146234945f6ab7e65e7fc4929de17fa5c9d58f9ec283d37ebdb26842e7fee889cf8afd6672796d08ca066f972f351e980fb323f03e8a9e6f36

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9e8cf2de8cd819e7abe75139eb919142

SHA1
07eca4da8f3342e4567f88f1dbd86845ca6902cc

SHA256
fcba8360732c23af1df7bcbe85e188447b4283b2445d2de859c05b621b6d3301

SHA512
ad0f233ca153841a242b84b73afde6fea811aef4fde0d4a0c1f925848fdf982a3b1cb2f63aecf94d623d5c2315b0c3867b179911eaf50db85180815e88cb6d63

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
535bcf19e76ce4ebfc901e624245b64d

SHA1
6c7527ae8c1cf71d075348095d726c0548a122fe

SHA256
66d305ed53e1dbb070c971317e69e86f83517b9e8206a1cae0855fcac3639f27

SHA512
1f3edf3e7397d440539f92a72d085c90600bd03b4bb24440882537daa63fb4879a80e6d0c952a652f8c313906d1bec676fb6a7f140999ff7fe53a7b9554aa1be

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
797b60825cad889d5e44612c772ee568

SHA1
f355628ac5f01b31aa3613c05940f128c4992b96

SHA256
9ee7fa5efaa650bb8fa044524063a52a30021fb15c3c88161cab6fc0ae538550

SHA512
c974b67c41d6f662692e320cae2a3d18f3f75c051dedbc4bcba0f8cc6c58ae02d0eed8ebd87c96205e713a7b41d7c6592e1b3bce81e360f464ea75cf53d40261

Download Submit
memory/412-667-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/412-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/556-658-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/556-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/556-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1052-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1052-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1388-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1548-511-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1620-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1620-668-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1640-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1640-122-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1640-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1640-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1704-227-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1704-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1808-374-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1808-162-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2036-655-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2036-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2084-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2084-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2084-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2084-54-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2092-661-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2092-198-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2176-251-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2176-669-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2212-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2212-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2212-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2212-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2220-140-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2220-250-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2308-84-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2308-73-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2308-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2308-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2308-79-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/2512-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3204-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3204-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3204-44-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3204-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3204-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3304-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3304-666-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4136-672-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4136-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4264-1-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4264-81-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4264-6-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4264-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4292-15-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4292-110-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4292-21-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4292-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4516-89-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/4516-201-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4516-97-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download