79f0fa3c4e5fb64a202af4add64f4b51e68e01dfd6c60a423c9a6a5171476f71

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Size

1.8MB
MD5

d3053a724b58757c9ab83e09fcc06b1f
SHA1

27ad8f233267f2023b81a7cfd2dd55ebdc5995c6
SHA256

79f0fa3c4e5fb64a202af4add64f4b51e68e01dfd6c60a423c9a6a5171476f71
SHA512

e72ffdffd5792e406a4315144211e6aad940a425a1685019f279200160603d751180931f5e89c86ab8ee60a097966fc24ebfcbb4050a7618673b49b9406c026b
SSDEEP

49152:sE19+ApwXk1QE1RzsEQPaxHNGgDUYmvFur31yAipQCtXxc0H:R93wXmoKLU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4560	alg.exe
2080	DiagnosticsHub.StandardCollector.Service.exe
1564	fxssvc.exe
2244	elevation_service.exe
3644	elevation_service.exe
2388	maintenanceservice.exe
4980	msdtc.exe
756	OSE.EXE
2224	PerceptionSimulationService.exe
4736	perfhost.exe
3504	locator.exe
3084	SensorDataService.exe
3420	snmptrap.exe
1640	spectrum.exe
4364	ssh-agent.exe
4452	TieringEngineService.exe
4060	AgentService.exe
3212	vds.exe
3444	vssvc.exe
3728	wbengine.exe
3912	WmiApSrv.exe
3184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eea87b2575cb61b0.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\java.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000488926e8d0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000133a37e8d0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dece48e7d0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4d472e8d0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a34cf0e9d0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000901b76e7d0cfda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Token: SeAuditPrivilege	1564	fxssvc.exe
Token: SeRestorePrivilege	4452	TieringEngineService.exe
Token: SeManageVolumePrivilege	4452	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4060	AgentService.exe
Token: SeBackupPrivilege	3444	vssvc.exe
Token: SeRestorePrivilege	3444	vssvc.exe
Token: SeAuditPrivilege	3444	vssvc.exe
Token: SeBackupPrivilege	3728	wbengine.exe
Token: SeRestorePrivilege	3728	wbengine.exe
Token: SeSecurityPrivilege	3728	wbengine.exe
Token: 33	3184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3184	SearchIndexer.exe
Token: SeDebugPrivilege	1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Token: SeDebugPrivilege	1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Token: SeDebugPrivilege	1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Token: SeDebugPrivilege	1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Token: SeDebugPrivilege	1320	2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
Token: SeDebugPrivilege	4560	alg.exe
Token: SeDebugPrivilege	4560	alg.exe
Token: SeDebugPrivilege	4560	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2912	3184	SearchIndexer.exe	111
PID 3184 wrote to memory of 2912	3184	SearchIndexer.exe	111
PID 3184 wrote to memory of 3464	3184	SearchIndexer.exe	112
PID 3184 wrote to memory of 3464	3184	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_d3053a724b58757c9ab83e09fcc06b1f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2752

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2388

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4980

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3084

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1640

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2912
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a0cf466a3e584eb5c5f2e9ad99d6f9b7

SHA1
4ddc12080e25d27a9cb655e3c9052c62ef6a8d57

SHA256
81075748aa9dfbae171903a5875009ebd00efffc11215f6fed01e92f96989c73

SHA512
c966e7998175442fcff7ffe39582465c80d72ae86d1653b6df9cadd3820f277798ae8063bccbdf1d7b2293e772db482655a714c4ccb7b6f18faa3c41bafbc792

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
7ce57e737afc0f2f79da61d69f2b9ee9

SHA1
07717bd4e840f2861486e55c9f425606dfc4e2ef

SHA256
102f62b755b401e920112b68e1f67e592fec0c2895e163e40e47e9d25e0f1acc

SHA512
eabe3f18dc528f7c455a96be73ba17b0b062d9a08126a0bc7d0dfb8cd5a51cf57ec86c5956b278e6db8f8d908020e3d4c123e04fda79be44bfb3b66926404723

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
851061d06b3034841184750a83a27318

SHA1
73a9b437041dea09574f76a2a900c6ba9b869f76

SHA256
ddc469720e28942bdefe2dbeac96188798a992ea81655862cb38714c37810cf6

SHA512
24dead483fc33ba2aa1b7ceda9a0f8305a2a13c6a084c57eab6ce204715084cfba696d4854d6a9f90fb14c7025609d6d54b5748d7671ce3b011ccad7bf66d4f0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bfceb55acd1004bfe43e3d44a7bb364f

SHA1
39b4cd7ab5b7316ea0c6cdccf5fcb15732b7079f

SHA256
04664cc7b705243b797e595f424cc7b111d33005800785d0cefc6649a88022ab

SHA512
4761041b1be3762235b93df95e259ffc4ac73e0a51554ce2e658718190a5effdc47cc4ae802206dc7045e1537bb409c05bbf0e2d1abd0cf8a76df7d9dbf5b4e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6c96fd2419dda2f91ddcd39f8a1a9049

SHA1
9979e6061912ad718a561f806b04a9c94a298483

SHA256
c298c79d9d7db968dbea358b1a384684b136ca7537a129812ac9832ba27b3f10

SHA512
482cf0feaf2382e3562ec21d5f8772e272f3d8e0d9ffcf56ee5805c253cdb283876beaffe53b4be7859b8d1ac212df7f4d173923fc7227da996242dc0fc4c25d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fdc47a30fefecc2e0c889b7197f2f310

SHA1
d9f20f185a97147ee33c21a5599d4a295f14d933

SHA256
5dd0b488eaf7b3bd05bf12179f2de8c23da036053db3b2c101e56e9569c89306

SHA512
25e60babdf52fe51be9336c5dd998d87ddc4c5a75be97a6945a9192ed4ca540ef5e8e1a0c319cdbe1824a064397f12f62bcf882df8670d7e4f2a805c19acbf20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fb68e7a7d8cfc0dfb72f68b2ece3d1ed

SHA1
8561b69ac7d10de0d404daa3bf72d95041028603

SHA256
3653570c56043d0b6d248c82e3ee057eabfdcba459b79a3f0dc0e303a5c708a7

SHA512
01b5edb622b1791e7d910ac66cd77249cea92a99db71aa8113a735af75a9a20416eba5a13704e80c7d8ee4ef4b22454bc190e6bc6d8ed85be7aa0c15a8421f43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bd1786f408643cd84a4e6ad6397918af

SHA1
a0ed4be62d8c87a662a7864dff9633b65401a910

SHA256
999edc7b5d5e9637edc2915c1acc1742abd4d1bed66b1a153781ea7144b75700

SHA512
00eeb93973175a9acb6ab61efe6e3a9b1ae01e07157b69a7c9a2c6bad5556907746579ea407a335697f0a6ad95071a4cdd01467dbbc7767fc1ae7d84d2ba86f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
ab8214585e61e2141361ef7a6ff109d1

SHA1
bb30a483c993a477a3f5af112ab409d3b9f01240

SHA256
51202d324c58ede2a37c01c1e246b1aaeed4122dbe32a79d4bd71c297b631f2a

SHA512
d60d001195b67da1068e5751656481991b491ca9ab8b9c805e4cc5fa8e34c7cd55504f28ba3a6c99c34517e8c84910809c5f7af7e0b4ad5f6868fca11e9245d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bafa186411606ab098f52b5af198d9c1

SHA1
7d6f7b5df1baa43b0a75f0b9a4794c03007dae73

SHA256
1c5906d0d4db4bec557ff43403188640a57432cc8af47ca147ad82fd9cccdff4

SHA512
115401ede47040b1be4f6f2f372ee82d365ff4a82c172bcbae7841e0b8c60a0958d58e6f798774dd4d1bcdbb366fbec02f5a5ddaa84847c1eea18e709f448118

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7746596e793879d46f48a5b159657980

SHA1
b057eec493e40473b21e2f6edd2e3c2ea248e125

SHA256
46450d6862c0b46519d92c4a0d396da84b990a86e5445cf6d017657d302b92cc

SHA512
756b0c0ee09ffd244bc2b2e16ed3ef6e85bf38935ab50e4f22fbb77ffe30bb901b465c600df8113d30db869c06bd402b4adb3fa2d4e6a5a92c2c1fe5b3af5530

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
18aa9ae2a9af7cd3a9d0d7b144be5854

SHA1
71806cda69b62060674012f11e355b2ce5e0fefb

SHA256
26497fc329f7910a0088e55feaa33fcf86c7a6bf097152bb63f8f7dcdcb747fe

SHA512
29a96d2211881e558169e6027552aab719ff535b3aeb642761f099417264c2ea6f94709c02c15ca996183ba922d103ebc9c0189c3e47593e1a376c8bb3953f1c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ae4c21c82b50b312c5689ad9f3aaf523

SHA1
12833f3755ba0985978c9976513dba3367fcb11a

SHA256
fc9a1988c56e1a365ff1802b4d7f48604ad01be5a55abed832db7ae19a182b4b

SHA512
791d47b4f19f4b7a6ddc09276513792f2d4ee8c85ac7ff88cc310add4a7c6e79e8e89e776585c93d005e1a423f10ecba56261c0655f6f9d0f975008e072d6eb1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e6f5f21379f35e2ead6cac7f283e2644

SHA1
98fa174346f9f69f083e06dc0250d1ddd68f04c6

SHA256
618a36b7c18b9c4ca05190a631c77fbf3e8c70064ae62874067d6fa25634fb0d

SHA512
8fc9fa8e6677aec7843fa869ebb51b9e8487a8bedc05dff73ef9f7ef42a80dac74827180de2ffd19b3bc0e6b9258f690ff24ff37972e833b3b0031ef6967449f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
55d3829bda0dc5d192a16c1851277bdd

SHA1
9e2f530f2fc890af6fe15df46bd9791b811d3f52

SHA256
6873d9667750e17b1461286fe1dfd4c269dc7613c68a16eb4fbd37891e170139

SHA512
a798ce591fc9505c6952afb8fadbd90215b003b43ec193f219814847ef0c072f7c7b270d4794698395e1b9d893152231453720dec9072101f20294ea8b62f495

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9e696bf940c184cfb6a35e83f6c8e0b2

SHA1
36196ea12d3932a1089972922c3345c58711e15a

SHA256
89a94ca2001dc14e2c76d195c576e59be718b38a370c067d8cec0807103ec97c

SHA512
1d568e967bbc5d02b93e067304720287b7bce5ec4442e6af96c2d5a3a3205a822c563d14982b4af0bc831809ea54d3d32f0026701c136af84499a91f65ef3fb4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
73563d6bdb90d221465255ad5285567a

SHA1
6ca3e6217baec795104f9a14178580389ac23cef

SHA256
63645a6121b53b82a68e2bfc7e9deb1d775c03c582d2a950f8822cb8df707583

SHA512
fa1d39997077741b7521f03e0436e3c105528bd682dc43b882b62db4b022a68f542813430fa2cfa992a1825f98013036534844ee430e45e2435ccc9b1b94f531

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8ff44b8aa0651c09dc11e0e5e841281c

SHA1
6543dc324ff6e984686e240590e4945604355c8e

SHA256
bca8c792983a52bf532d262ea625ed3d8fa6c84ffebedd28246d9015bce00fc8

SHA512
ca9461c0c3015facf5efacfcc47914528a2a0416a5341f03cd8a21b314ef0d87cb32baab7628bf808b36afe200bea371ecfafde7f12bdf055851d6ff5088a7c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
57e13dd6dcdf7d66d5e7f447d701846a

SHA1
5c0135a6f9b3361b385f7264ec0ca55b7e1090d8

SHA256
d854faa71b8aeab088fa9da2c9479f1e9951947be0baa09405f90d940cf270db

SHA512
ede0da3264633df3032c8e9ff7aeba27a2385393082ae06a93327d852a4fd0f15043dc9357ed24d1adb1ddb14f10a7943d459cbc55b5ff5047170870f77893f6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
24aa875aff46fa47477c505d8a7b57bc

SHA1
d148118bb2185f1210d01293c4d17f05b2366f41

SHA256
bfda921134cbba6321f35372662b64f9cb43e6721571649e677f9d2b086bd056

SHA512
73a94a637fd20ca668bbe05cfdcc5933b3cad1536a4dd2c742706a6acd3899c077273ac34f40b12238ce49afd4b6645439931e88fa048cb0c0ca32b0efed8bf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
e906492268b3c428e439e2f28fff4938

SHA1
760ffff00c7ed0666203c4a94d95fdc6e38f0b6a

SHA256
b24f3c8110c9430111f7477b5c60de125ca97687875836f9be9d9feb760d5c10

SHA512
9d72b144d6e7adbe64cb34bdbcbb0bbaa47252948c4402df90ee81cafe9635a969eadeb40f635a5cb67eb14dfa6290dabb4ad3eea716b9b3bc3d01f3e1d8d7ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
388be937b76801f65a9cf54a2f3cc48d

SHA1
f87d5d19bb0b83fe41837c2a33f1810ea57eada9

SHA256
a5f34ab2530e52ac37b783ec243ec7f92382102ef9280b978aa5dd61eeb517b9

SHA512
bdb0cea9501fb42d098d4ea6ecf98c2bafad8d1dd5eb37db52c014829824d2ca5da9b61d02e2a316b21932d074016ff2e03d36ed28dc559bff8af4d9745ff799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
a26a30deb176fcd271f447e54cdb6cf0

SHA1
be38f1a9abb8ec42ef94ed3d118bc8ca7a0d4cdb

SHA256
17d90f2c2563834b8bbe730ef7e4da2dfe6ae32a30d21c1e9faaf27d0166aab2

SHA512
7f8d26cd8464681bace789f0e48398b95fe49ea4fbbd7f01351550002ec212e52ae5d933928285dd6fc45834cf0006bdc4e7eb82bcb635e3dadcc3116a4cc69e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ec8f590a10259b96c6d4fc4311d3327a

SHA1
caeb32315869639ccf1e98cb9849af0c5f7dcdad

SHA256
5b0ce3ad039b819be95bd9b0833e23cbc8a7c1abeedf1d8ad37848ba914d8051

SHA512
13d9e56b46b9cf0d851004c5f52c04813df4986399a8759206a01dc5a03576645ee9bf5f4c835f47f073e137f06f9674d733fa173c73acc241d046eb10f38533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
68e0021930f11f6486d7d834e098a8a7

SHA1
d61645e5f29200c41de09a5fe381f4e8b8fea306

SHA256
fa1281ce50a45d00121e8a4baaa966e41cfb16599f6b435dde8d7ac731c6d851

SHA512
5a433dc4dd3d6571fe4f8f6dcac472c8fc07d3b89e6ebb0180e1ae587cd5addfa71ea11c353f65a158fa3ccafa6c39e8c5ab363d26d37ed5893ab4f21704c313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
0577233b5be1f913274baedb68469d7d

SHA1
eacdbcbadcdf530fdd8d5298c24d0f30ec8d3cdc

SHA256
e4302bf277606d6d36131197217b122e9fe9b015594157c40fb998c2852319bc

SHA512
92bb370cc1a770383eb05f34b46475eba4e83e07d7da495ba5451de6d836398827017c7b40e31e32f631e80c2ca4303e33a2fc2bdc0de37e58c71fb5593a5cef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
135bdd0821598229d0fdb118add1420e

SHA1
725021b92e750af9c98e7038e8ff70f1f717dd8b

SHA256
592655057fa918d782aeeb9bd972705e41188b686ce540a654ec21fd665dea65

SHA512
ca331bcc303884006137a965af7513be25825d5a78393b48af6decaf258032081764fde78aac9f98ab86ee8bd7a64950da5b32610c076be7c286cd74b2f26f41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
a8954127fbfd171b30ef1e4bc9861e92

SHA1
c21fa7eac9f1b0222b36f004640d433b009ed42f

SHA256
70533b440e70562ff325f02e9eae54caba5532df22a4b4be383998b970c9dfc5

SHA512
71ba58c0134c1b962cf2c2130d62f1c1135e563e1dde9def7a09501362058fc2d216c4a5e9223dac01c6bcf7e07d7d74c7a75ffbc4f866e90365142b55cefdbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d7d09488540ff3c8092ce71c06dfdf85

SHA1
707fbd8faff1b4e7e3cc803dbc724b43ee966830

SHA256
cff3ed71ad8d047ad1b14d973f4528a025f0679a6826b9a81f9e3b7f980515f1

SHA512
248dbca2de328b54a31ad59cd818ed9055cbc602a6271a032ff906f6bde8cf752c69ec093551cb139352b03e5a69e7b6d2529cd624086585220a7862145548fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a0024dc0c06859422bd33fd0517aa7af

SHA1
b4098cb3a8613cb34478250514124b25fa7e099b

SHA256
6db077f5cb59b33ea36d4d7ae6a69f90ad9ba70160b28e956662359bdd12ad61

SHA512
ede5a4f25c6ab5bbf883e074e94cbb9c2e0824144bee26b766e32bd1219a0d441278d63e53a0e8c8218b58c1e9344b26904880ef36b19a3b46d559fed1c59c67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
6d29ad742d53b3dcee4a1f59743ba2d0

SHA1
37074cadb39a8978063e2920c8584758e879701b

SHA256
0a4961e4644ab9d7da9b381833e70bb63975c71cbae533d34d79f3fc220493ad

SHA512
54aa5b7787252371ed603c66193e0e46796b7be0c158a9d68571f3695618e5a44222172f49b551936b2bf2984d7d53369eac47793929e451afd7893141f741ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f8abf7671ec2ee4cb3b747de389af792

SHA1
332fc41a0161e146c65deb0deab134f9d0b5e993

SHA256
7e490f9c8ac3ed4639815f0aad4819d468e5e9399ccff504abb0476f684a5439

SHA512
0b5bf0198c225505e7acabece66a43f29723e2ac84759df6e81159e4caf0a4806057f7614fa8d564282ded19975ef001e0c1f28f185457f706bb74a89be2f466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
041ba9f4d410762e1d8d392f5c06a8b8

SHA1
ab2ef7bb23deb092e46f1b04dc44c72ed3a926b8

SHA256
eeaa4e89cb9aec0c4190f1d74827ab8983281bfdc55b448f8101e5b106450e32

SHA512
f791bfbc2ce69a9004ac19a98fc792228b6582df310db89e752e53da1603d0593041da9fa845945f0ac2534aae1e1c8e9856853502a65c696d6770cc1cad8e1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
023dfa239e0b10c14b90d9e04b9fae86

SHA1
2f6ab05c13688d80d3777424a6d7030ed565f85b

SHA256
b8c9b158ac0c157be8ed73fc0d5b3f0b2e15b7405d179c8937f91cc57bdbc122

SHA512
801e9296123037620be49839ee43a3f5efde3de9abec3aff3ab806d07de3be882a7cb11502c7ed6cd8d0037c90376ce93bad13ea06e403c910a3e6715086bb9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
f4d54affe573bf898d1bb53a9e02137c

SHA1
ebd7f0cc91373293cadd9e2723713d66ab30689b

SHA256
8d13ae1adda4a92a54604cf4ea2725f05438a5ee0f61f580ac3171bd5f8f3279

SHA512
be1c0a6924e459d0ae457e3fc395e75acab6f3c9a8fba59944a3149731d010d902e1b0a5416b02757598e058f52e48cbbe24ffafba76dc3fc5b003e5f0df35df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
1fab55fa700703c23e71cc1df8a6c7ed

SHA1
aafe058bfd18ed192546af4e84f0e24b27f04f34

SHA256
55e44b979da8b046b365d88e7eb17bd530d9aa3d723b388801bad119032129bd

SHA512
e0a23341024472afe4cdf6a66f0eebe4bd4b90b520fbde5470e7ab1560812490ec7838695c7605d02f6ebac581ec40f9cff48530569faf00ab8ae0abafbcec3a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c7135dbc999e871e4005f58db412a414

SHA1
e4fd17499de01405055f364251cad75555dc0356

SHA256
8c0858a4e0cadb577fad1f9eec9409c4b3e7edea662540797b2e8e9920a9affc

SHA512
d92f780444358213d491e36892b20846d208017033ad8d440f62aec7994365d924e96caad6d50d9191d61a38632885bf9a10cba294c6808a78d71c4df57be0ef

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
d064eb9e99a96abe7470f812add2880b

SHA1
2092ee75294b98eeced832579b2b4e656114bb5b

SHA256
b2658da5698500ec1f1ae9f46fa171c0d5cc6946c66f2d0bf146e4cbc72a53d6

SHA512
45b242f662c7f3b71ff99cf86355976961dbea9972e94f5afc6a0319927b99f331426e6cc5c0e156d73cbe4cc3bb7b76d1bccde86b3f3873dca3cfebbcb24f8c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
62d87d7ae0ce75af8d23b775ba53596b

SHA1
c55e1c97aa03da7553a9bcd0aad2e3ad77b92d51

SHA256
0bb3fc189cd650d01b699a391b62084053a7cc5c3c1ccf199706c14990d0f92b

SHA512
b21a3c5caaabe2edbe20aa2ed8304a2d5bdc35b043f58973ed300ff7213c33991b62e5aa865dcad9fd7aec33f78420a033eff3662b8a4b2e420264cf191eadf4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e63e76a27fe2697679e99a7e7b0213bd

SHA1
43bacd510df9b5aec20f346ec0aefd2bde11be2c

SHA256
918ad62d8de6f3bc4fba1c93d83b5b974bf2481af1946dce7b8d629496a46b29

SHA512
f1a721d3e21b87359ca94943e0e5e4e43d22c23e965962967ef1bc7bbaa66c8d8e6534b08d7035403d3932328efe49189605dab39ea660fb10b7f3b824a4f3b2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
7c62b5d9104f89f5fbc1b98e25cfb699

SHA1
fff4dbf5243f13400a5067cd2c19d4347b233beb

SHA256
c0956a14780c0343e40bc51c0a21787b317d4e0c33d0c647a3c1e66388b0ff75

SHA512
ede4edf2f3e5bd4700ef5a01201fed8998debd0cab169f2ac7d75fa360e18936f217fb2960bc42fd9901e4ec3be241f7ec395d22c70dc84efb93c9973be5ab53

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3a7b975f4605d427957d6940c3f4d493

SHA1
b1718ea95d943ba031b45e620a199cfb425b2ade

SHA256
942913bb088a1c1656ad115c02da3fb311646d1e68489e93de7317af6bb84e84

SHA512
790f367464986148e10ad3aa391903f6c5bf02f9a6b3b47cf759667c1637d94252b202cc05ec8c20696847a8bf54891f736f7cb637425b11a7491cdeb60bc31d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
79be03e9de8115f1fded9dec7e43d9e5

SHA1
2006e515113275164e97460440a87cd2b9d6492c

SHA256
9628ca66a0a24751777918b8ebf4eaca2c8864f1aac845a02b61888f27db56d4

SHA512
7b2c863652bf90f4f324cc425b9791fd175033f94f21344ff9b2434bfdeb06d6d58c913ffe0d28e8036b202cd8908c1e3385b0cae4832e864ef43729f0fad518

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
417205db0fd40f629eb59b9b710a86c1

SHA1
654a8038d275585719590fdd67428c997508f057

SHA256
3877d03b2c0f0a21bcb539ce30fd60f1016c711ce1bc4c33e5f3e4732913e883

SHA512
6669e8c54aba5bf037d627147dcb2e0084b0e782de7c7bbe0e126606504bc0d36292d05dd4763b13d189946db58a8c1aef0787009add2dddd4674a7d782c4fa7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
94be9c28aa6c178d83130103637ad1e4

SHA1
38144cdad5b1028097018bc14409b93c62cd369b

SHA256
e95134ba89cf76eab437c79670504fa9645cdfbe925539ea08006645934a6b44

SHA512
468562b49d43247c3e813e97d4027bb6ee763655ec2c392e018d8ab32e46e3ad4c2119a59eb1e7b246641d28f38f7295fcc736c11549ffa2558ba677846f75a1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
220ca36191ced5673ffc341cfa6ebdf4

SHA1
6a614e0d3cb7f2eff188439f93d15195a23dd17e

SHA256
cd60e034958715b77a72be30329187e83ab31f22629e942e31bc26824dca8203

SHA512
c666169368f9d970d98bbe6be1c271e40982f96b1a5868c365df7ee940376c90f8807bb66eb03a8d7ddb805b8c75f4b649fd481ea81a3d025f4675ebe2f89547

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ad38b2a89c9dc8bee0cf81ee4b8d776

SHA1
64afd1bac28ed4c08ff51e30f1c9c2c3e0088cd8

SHA256
7110ac8a46e86440acb2ea9d5e8584bec6e5eca50796bde8772fc029e54ff75d

SHA512
b380ef03924288d75b1a0239f216fcc612fde10fa62501fd1b17a083bbadf5f00d1fa4f971d4ece59093c77e0a81e28afb82a3316d403767341052872dd71ac5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
47080606580737b0294d3c8eb0f16295

SHA1
725369c0d3443ea1542c12bf596d806292f8e563

SHA256
cbab15771647c356ae2f7e7d37b705de4679affedf35f2655b8c625c77b99f6d

SHA512
d12cb0b05f06d51a65596dd64f2c05b345b351d77ddd34488215b7458b2851a315743f8bc5a0b6b7f7cf7453c01ee87fe551133040636a03d82ec362795b3262

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b6ab1e566a2b00f95c388ec3dbb5f707

SHA1
a14e9eab4cfb8db410ed21347ba5b32ebf3e891f

SHA256
1b922102f975a2b1778f2e585860a65c79f0f83f2e27bc52cb871223236bb356

SHA512
b6162ed370a26f0d15c5de2e4c08393e4d1c3453693fe1e3e711be83d14713f1686802aaa881203d8ad6118e2a16e7ed38685b2ab8a2220f54ebcb02fbd42d48

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1a2e58828944ad876621441996f5d3ba

SHA1
1e6d125cef7c65faf8364057d35591e55398a19b

SHA256
a1ab7355bb062229e3bf67897961e946705fd8ed39f6a0980aa763a44c106ba9

SHA512
b9214558690590442b6b36ba0767353b5475e47d15dc477007d9866c53cff112905d660f4fe25d68a6bae5f84876757e4ded7bf9ab9b9ea56cacc84ed9042383

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
92611d0ea35a76f4e66f9f72c6a58655

SHA1
ebce50554aa943c2941002e848623b9690460f61

SHA256
a3c50c1424d0588d973974268f4a611470245b3a87f9901374c73fc120d1bb1e

SHA512
6429f0c4aa65825172f0c1ec8a268d8a8dd2d8fc94a49648d87132aed9f1fa7a47f6d549424de47d0e5a6c8c1283df9a526f789e58bcd63e461d3a39068556ab

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ef3b011773449e61238ea8a3b2ca4cf3

SHA1
9775e8c5901cb7f9b27b81edfe023a28fc020095

SHA256
910413b292374d6449ed300ecb9a3519c2af897b5762dc98980f6b9062beb5d4

SHA512
f695d6f2e7f46de6b7a29ca6b2a6a4522499e35a90a42b5ae24798671e28ea802b81e66a72331ff4edf366861cb3d8c4a372f2e83168385ce0a0aac978c97ac8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a2d27bc87a2b6d5676dab64599876800

SHA1
192b66807069b8b2707cbaa1c02bd5dff7b91793

SHA256
5f3cfda653f45976b71da3bc61b5ef91258f57c9f83193b21f0ab2baf8bcaff9

SHA512
617f2d85b72614b48e79c8660c72fba27bf38bea80488e4c0ebf7ffadb8ab7a209a7bb8e8a941d0021ee9088e6ddf856376f06d188b216e8c59654d91b24b019

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
650479d9cd2809123250ce0b80f09de5

SHA1
d7ff4b853b2582f727d195b14da4c2f94f5a9115

SHA256
5f66d957c47e727ec8528a89ec02c2c837f387bb64bb01fa873b60b5e0c1e5b6

SHA512
1fdc77cd37669d1f79b9c3eda02a85c3d3b5ab5f25b86ed40559d9e145f0f7ef3a4c821efec599bfc898afc8d4bf02fac47fac1214ee04b960dac14d724c6f8d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4707234354d2e306d7e4ba54e0c7b4f1

SHA1
97fcc46ebad328decdcbfc010dbef3d47bcae565

SHA256
4e173d3b55fe6c9c4246311a25fd51bcf786f5a750a5d31e9c1696b0ea2a6761

SHA512
13adf52dfb338aeeb46a986e8df5e2b272061b7c2deabd50134e7d407ad61696a94eecad7f0c3e3a022c98187e8e4ac9974e917f59a7ead3e6b33219551e780f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b2a02014a075c3e5f0d0079a5a9e6ad

SHA1
797781f9824ad83f83b95ca1eb7686c570724c62

SHA256
0fa43e48494350c4d14ed94972b0f943fd470ce8a339c5629c8785c865a221ac

SHA512
c0b47d6e72f123ca6cc9cf32ae25f78b8a2bfcb668ee96166de31340583941eb3173e4860f44fff3c94dc3e090b593dc90e77e66870d1661253f335c9d446478

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9b526c0ed02331e28118c23e20e9c4cf

SHA1
4ff9c89008ea5772aa5bd995232b234b0d9d6e68

SHA256
8b908fab7c63bb0ca15cbbd364d40a1737fc493821e72a6abfe947acc13a7cbd

SHA512
c41ddf286a017a4ef5ff9550577c8dd003bd56d20e70ec572e31dff8269ae25232e978b3f03dca7e8d8707c299e279c79b368d0c68b61842a45a73468e3f1a2b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
3f762abbd301b2030940e7469eb2224f

SHA1
2dc4ea311fdd36264950bda95d7cd2dec105e8cc

SHA256
33e469ec4cc3ff163360cfcd2610d92c9bc0ed814a4c7d21770c787f289e6943

SHA512
b3bd805ee6a2b84dddcb16ddd6157fb6e227eb7e925948688360c847f9f25fdfe286ccc8b5867cde0b787127625c5c606aca533445a6f05675be509ea218fc0e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
428918e4f59ab95e334b130894f2b29d

SHA1
05642c7a5179c8c7305642532a07a56c28c00f20

SHA256
db8abc2635eb95d15d98a337d52a3698161d6ab1777c6f6c1b90ab5bdae07340

SHA512
f931f92fcd3759b117d42685aa591dc84b82957b9a5cc509d566ea431ca6a7b77971a8539e1574c7e7a047a909fcc1f737cfadef40a48449f27748cd72236a52

Download Submit
memory/756-110-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/756-220-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1320-78-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1320-1-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/1320-6-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/1320-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1564-85-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1564-42-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1564-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1564-83-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1640-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1640-489-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2080-31-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2080-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2080-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2080-109-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2224-120-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2244-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2244-48-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2244-54-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2244-178-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2388-75-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2388-80-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2388-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2388-69-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3084-566-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3084-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3084-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3184-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3212-575-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3212-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3420-159-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3420-382-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3444-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3444-576-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3504-255-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3504-136-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3644-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3644-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3644-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3644-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3728-577-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3728-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3912-578-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3912-264-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4060-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4060-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4364-567-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4364-192-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4452-573-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4452-203-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4560-96-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4560-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4560-20-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4560-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4736-243-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4736-126-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4980-87-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4980-97-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download