223d077f90b2d7742773b89d3cd0623902237477ec74f3b2481298d4b848ebcf

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Size

712KB
MD5

d9bb134ad4c93bfdf72560f5cc76c535
SHA1

8d04873be46fcebf59054031346ab9eb5036689f
SHA256

223d077f90b2d7742773b89d3cd0623902237477ec74f3b2481298d4b848ebcf
SHA512

e363fa1b91039faa747dc9e41ee5559bb27508d81b6ceb71cc015e0544669c91a43c92381b879d6ff8e7b2ca68299ced118dd8e33a1e7d68ce3b7c14cb29e75c
SSDEEP

12288:ltOw6BaxUNU1FBtfcPKcOYRLbzQkbL+Qg+H5oeIj5RLLB+lOakPprNFzSRY:P6BC8S+LbzQkWWbCzLLB+lMP1NFzSRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3748	alg.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
4652	fxssvc.exe
1428	elevation_service.exe
3088	elevation_service.exe
3952	maintenanceservice.exe
1044	msdtc.exe
1216	OSE.EXE
4428	PerceptionSimulationService.exe
1236	perfhost.exe
3432	locator.exe
1468	SensorDataService.exe
1340	snmptrap.exe
3672	spectrum.exe
4204	ssh-agent.exe
4372	TieringEngineService.exe
2948	AgentService.exe
312	vds.exe
3296	vssvc.exe
4064	wbengine.exe
2120	WmiApSrv.exe
208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cee769a6a33ac798.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112765\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_112765\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000324f9b01dccfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004651603dccfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006682f603dccfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb099802dccfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfb84e04dccfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Token: SeAuditPrivilege	4652	fxssvc.exe
Token: SeRestorePrivilege	4372	TieringEngineService.exe
Token: SeManageVolumePrivilege	4372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2948	AgentService.exe
Token: SeBackupPrivilege	3296	vssvc.exe
Token: SeRestorePrivilege	3296	vssvc.exe
Token: SeAuditPrivilege	3296	vssvc.exe
Token: SeBackupPrivilege	4064	wbengine.exe
Token: SeRestorePrivilege	4064	wbengine.exe
Token: SeSecurityPrivilege	4064	wbengine.exe
Token: 33	208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	208	SearchIndexer.exe
Token: SeDebugPrivilege	2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Token: SeDebugPrivilege	2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Token: SeDebugPrivilege	2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Token: SeDebugPrivilege	2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Token: SeDebugPrivilege	2768	2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 2036	208	SearchIndexer.exe	111
PID 208 wrote to memory of 2036	208	SearchIndexer.exe	111
PID 208 wrote to memory of 2636	208	SearchIndexer.exe	112
PID 208 wrote to memory of 2636	208	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_d9bb134ad4c93bfdf72560f5cc76c535_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3088

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1044

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1200

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2c8e2a2de26df329dedd15141c84ccf2

SHA1
e1fc22f57af3560b8bd3a27ba61582d0d0f3e86a

SHA256
dc4e6c421f294802e7c65c53a8937cd8b70194d1d2b9e827a0d4041371f53c00

SHA512
8f9681669b5c03f5dc79eebe537355ed05fca4aa121fb6986b5f931a2b68c265c49ffc3aac69ee425a1c9667829dd17acbd3ece424d14930c23f32cef49eda6f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3e6f499beb82c1b6b1fd0e65a9c70775

SHA1
6648cfea1d204317681693eb67fbd9dec0ce9533

SHA256
7963a52ab5f5eef5e6c19b2f7730e4a334c17de67a645abe98421a06b58c8335

SHA512
0b72c0679bdda3f024eccf30965a283f5369a6005ba85ecee4145a9081ad66a8e5bc2e01fb1c0bf22ee3620d2caedeb1a5b3f890c0d98ae48531ee1c0fac1adf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2e095aa9cc5c2bdc9c9e9dcd4292f6a8

SHA1
438fbc072f3e7916c125f12390dc56bb1ed83e41

SHA256
30a0510db97665b5ca02442370811db0433978477a315871a65385ed6922ff73

SHA512
43b258ef4cb33db4d86bd612296351771d2048192b4be1dfa91d9a90851e21137f93282958440292498220dcf8155926975eb893a077f42866c5ae9fe5807f19

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
24ca2302e2f53fb232c1269cc59e4be4

SHA1
de5b2e8c614d9fdb880c87168d7735a13361de54

SHA256
a5899319729ae7e3e2c59e50faab253e06b5754082295af9c7993694cb5ab476

SHA512
7846b674c810935727de90e39f9bdbc3788991523d87b680e03132bf5f2a75e1eb1ace79300ec3d880963b5f9eb2a3bcf37701e520dd87f1caef88e6d452bcf2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7d167ecfbd9bd825df4a4f6d972d1299

SHA1
69b7e463e2f0b6bcd27d5df0d3bafbba074a893a

SHA256
43a141f7d2782bc8f8f2240503db105578ea82e98df53c99eecd73c963419254

SHA512
23040fa79daf8bb78bf8eaa99b0bca84a3a6b6c854401387e83a2babc75fa24e791fb68ecd4dcca826356a208210ec52d6565e2242100c8fe38de5dc45565ccc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
90346fd8c46ca8e0846c09f44b242100

SHA1
2bbc36a834c84511f75869b49d072bafee7eee3b

SHA256
4c6c2b9c3f59451d66cc121c1543666648f4650105ae3d1deb1db2cfae7ac3a8

SHA512
5258b67ccbd59239782981ff085714c5cefe8e4621368cd50329cfbea783b95fddf1be0af058b5d69c464d5593beabf796cb69273b0a007adfd875490dcf5877

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0edc1ec624cc60a5a459ee1d89f32e04

SHA1
ee7ce1fd6befc881eec4bacf98166a4eb54ba02b

SHA256
3f4bdc46704c438eba6d015fb91649fbf9036747b4208c999445b7146bb7b484

SHA512
93f3baa7ca9eef792851b4f72aa3d84cc1f80ab0f9c59900d49bd6b743200f8b2b39df308842a81241f04222529736b519a3758309fcb82d55bf2dcb9de29da7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5e5bde25e24272e15f66b7d3f9224588

SHA1
387eaf328eb8d84fa89450a8b293651e3e63daeb

SHA256
23fa3adfa49db150880c43584fd79c1d9f5a223f543d8b83c72d951e391dc639

SHA512
145887ce02b5f24a33e84f9a928e3b34a61fc6cca8e13a2f0cd3c814130415e15da1dea6861b5f4c6524830eaaa70f17228fb34779eb4cf0fd3e55544a414418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
bde9a97bb41e227d4d0a1b1552b362cc

SHA1
2207ff7f73f021a72ee902cf663a2254cbc4ca13

SHA256
7f2757f18d9bb387cc2c52b3eda89bea4dc1bff5ad440c56a51c7df073651853

SHA512
c922a9cfdfa8316837257472f6b3242290a5f17db5c65dd16ef2e1048ddf172e344cd9a28a2fbca01007eed2519a1802e03e7de9d9398aa4c9669990b2f429b4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bfb81e619951148798616fd55752df47

SHA1
3a14179a72492c5a46a8630e754b91c53d1fdcff

SHA256
ed215d935e3c7378c54a7051569908d1003eb58a926c7ab2e9716eeed67996f4

SHA512
261f9a2e6b9dad306865deef74a43577d965c2f1046f149ac9e61d69104750c4f50f16145013e1167a0af3ffe0f5f4a2a8aaa3d648c216722c18b55e6bd00771

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5628ecfffbc324d31c6710e3a48bfe5d

SHA1
e373db2fa1609cd96498fd07c8237c23b753970a

SHA256
0a7f7fd16db6f5876054461eeb4558c1b40844bf08f89dab25c86066855f7af8

SHA512
6026ee49b153ea791a22e392a69ad5fd54f0b5401da7a2e3b862bdd4f92ae3bad361a01b5cb349354c6c3d7e084af43f7296c41438183d3f130b58f4d873c0c1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
79d6c7db5bf4f4c233a6d01c583ba668

SHA1
3e7f7049dc7f7b5088a7964d514f3996af48d396

SHA256
0c9262dc3bdfb8e6bbbd4c65668c085cce8ca7aa93427236f14342f4de56c3b9

SHA512
19275c9bd3fa64424e9fcb0ec7da662e265c1d32fc59c7009c08136f1aa79f5207f3470f5d48daf2c57b71ed32dc4b1b71d4deb3029e5f59a92ef68d2cdd1aec

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
500d32b511ca2d7fc0bd7bbcb6dd690a

SHA1
ead195d8c87786a4380a3917391e878f27370aa2

SHA256
f17790ed439c81f08913ce70a6510746e896854b5f84b70cd0d6f5ed0ec2a4fb

SHA512
0f8a11f4a035801493b92ddbfe18f8b43542dea7ea03ada18b8f99ad706d03d53368c2300b3dbd4c955cd3e6574a816fc533f72ec02b36901d2b675f6daa9b50

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ca6c9ef5c74b9478fa52b36f7a6b4d3a

SHA1
4359860004997317484b7334d5f887d9d42a8e33

SHA256
04020c4508e293c80ab0e69e159a8ef556be22d83f95dfef9f88dfa5ff6e90f6

SHA512
40fcfaf6bff049bc9802cb01568dfbecae418f385fa7257853bd433fe439bace4258ae10782da4e04027875d49cad14f9ac4ea8420dd4ad329ef741a0ca23f08

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0fd0c60ac788c6a92a9847ed348a32fc

SHA1
e1646b34f48eabc124bc81abafd6b1a9fbd9c172

SHA256
b92c0c740f518b71e4437c1a1c3d9d95981d5420604b127974fef646fe976c6b

SHA512
f1357ba11f65ee2f8ab38863a72ea69800deb458f8af326883cb1b7410baaec7fd523674e5a3cd73b250ac38507a93ec697bba0998c42358c03b5482827a8d05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8f251bf142ab68d66339ece1cd6bfc66

SHA1
c95fd157440e919a07f596ac8ebeb74e2e2e9ab5

SHA256
4bc109fee79bffc4b41076708f59d4e6fdaed8a1500a4f5251504096f426e003

SHA512
7db6b15d6edb7d4985dca3db5eb837b823222b05d8fd4c35cb453d41504114af55ee530bfedba52d3c506b22bfe2a850127deeddcad015d4a6a11883f804d245

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3b1be8475ebaa396687efdd405413695

SHA1
59cd26ea208e205f210966b6211d376b73835344

SHA256
892c2ac31366eaba469ce192ca6a9d0ff26dd80e42c4fff51a0b0da57aa1003e

SHA512
c525ed9a8e12365ee38d69ec7fc704283eaf05519e42b577b68a9e265c2a1150569a5b2f818ead16254a2c7555f94901af94ddaf08d5414641c9fc16ab1400c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
23751a51db0c7d82195bb9967d83c930

SHA1
67bf6ded4ccb0bae0688e473883395477d5720cc

SHA256
c01b584955f4e340445886d569bd64b956a843d8d20ff92f7a34e4ab5438f282

SHA512
ddcc865e15334013cddce58d714a6ad3cff571adbbadc28bb6bfe6ccd70ec53fd5ec2c785e0ce61ca684b223535946a3b8962297cb22f4a626fc588078e6988e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e4b40dc02e1bdc9a2d5c6becf7715017

SHA1
005f796dbe1179c1399b70553f09b8c3e7579f2f

SHA256
1efa02a704c0dfbaa8cb3f06fcd779c45557f671122bafc1f30d20fc6b845ab0

SHA512
7e0785afcf75fd4363d33e2d4f2c7c9a74af51a20777693920f193355fc3a257f582fbbcc7efc63b71e5225f953c7da0bf282397c3ddf1f06020360bbbc08237

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b269901752cbe0264fdeb0b85e89101c

SHA1
15c128a46d56440108359ca68e94295b65136302

SHA256
69cd60220d31a44c14ec5420b2ca306045df76505469d9e48d403eed2a9df351

SHA512
9a9cd95222cda21f0dab1ff2d008a2bcad742590595d5e71586b3eb6a0481a7a7f20f5cf2e2713314e90cffaba2b281801c535a2d37bd1e66586c731cb3eb17b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1a10816bf5472324d242bc9a2db96b49

SHA1
10d11b836cde6cecb4657732332c7343be0b775f

SHA256
06ad28899044bb75d317275167ac7c69997ce7cdbc7d303c4ee0c0814ab7ce31

SHA512
e5fecc5f42c401ecdad71ba4cfbcfab4b89b1c2d11808526eb7c0e58e4269f1118c0ee544870adc7721cc86d6cbfab253c4e8c347dbd3982d81e40c950a6b3d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2824827c95ed169b65dee16b77742640

SHA1
d87af47f8a35bad4b061d1200f6d151379a8a4e1

SHA256
8c840ab9f9d6047e531445e3479aaba19f14b1ff288d6178d89faefe9cefe725

SHA512
76095f0a107cfb0da47ec4e8abd781c74861d70ddda1f9a2a9f44d2e7a77cc6b236a88ceb1c0f790134fa4198d81b01736f6a7a890334423bc78b6fcda7f3e2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
742480c98d80d4cce0b23c44918aaad4

SHA1
6722df8f18df3fdd08004f88c37e0d052518b545

SHA256
6c3066eb7632e7d317f78b0bbcddef5f3b78fa8ff231ee358d1913cd4eadd820

SHA512
08488f52cc660b4970887f1a5a07daf688906e6d8d18fbf5f08784f0f5d5f5c915ddb11303e55df57c13da0867d5d80d8956941f9fd361dcb4b561f83ed54127

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ea13d097455ab1cffe56461f99c77d94

SHA1
69442843a3863efb936b307fdc6eeeb57a4ee5a5

SHA256
f95fca08ccf4455084ccb6f03e261aaa6b49ed7b287a36f831c771d2b0bfe7b3

SHA512
360d980395390858648daa8b61023df2d54dcb776382975c935dd066a1a5d566438129c14b5e49217aa594cb33b046b1bc378306490230bc15fe8f1d428b7882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
90579f5d9f0d23d0d874ecab4eb2508e

SHA1
f3d9b4854ab75063a75dc618e8eb64172fe75e8f

SHA256
431bcc2da5d56cbdb6f3b68c4d0136ddef0276f67be8d1c16904a738b99feeb4

SHA512
819082874c9c18dee9e533649fa130ad488bec520f249dc36fb8f3f3ad22d980dbad85a04bb0ec033a254dfe43469a8422b94415d90123db904f251c534cb3fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a74b401eee56915361ef6b0bbb541b48

SHA1
76d5c8e9c0f12c4775191fac8fd9a5c3fdb3eed9

SHA256
2e883b23b25e4dcae0272522ea9b11d886308ee7c5187ad01799f090abb24bbd

SHA512
bec25b2a16fa4a9d71194eb5d8ff79468380e885a96a5ca47c47a2d92eb2e5a1f759ea4b39cd7ca577144b72e7ee88b2ee0e460ddad61117dc26a5f9a743a200

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3fc935466294d169c47b68bf90cb8a86

SHA1
d5ee9642f639a081e7712af09ad5daf2e10cd776

SHA256
3a01ce72b322c7724c15d688eb8a6158a042c06e7da3cc8decd9b29b770366d4

SHA512
066a8e6b47be8c4d44d9b431c6380e1f650b1897eb488d6db5af060c998a5ae6dd9cd1786551596ee7593158095f0547aae4a7eedeff015a5bcdfe22161a22ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9ad4e5a299cfe247abf0d4b0ea601774

SHA1
0f34a6ffaae12e4995d76ef5302d0e9687435c0c

SHA256
2935731c7ac8806543597f5bd50b2c2f0d382cf615bef8c96359b58d3bd9aa3d

SHA512
08f4033e0177ddad89b244ea011a1ad67079ebc79d7895af30dd6d93974c5167b82e92a3084e050b9c62f92eb47d50c3aa63bb9233d2bf40011bb8fd2546d066

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3006d8b60af3739194e560e6a252bcc2

SHA1
8cd16c9fb192775324a41cd261c462a6ee7ec372

SHA256
fd1ca63bb92350df57b56c71b0812b9786c514c9c43d09f34ec90aaf376edeef

SHA512
dfa20a4cd75482a8f3d01a393cd3a3a135080d06e0e926ec39185b5e40d767a8d0e428c15cdbe5cbb065bdd1299d0312e308576575d6722cba64ffb5642a6354

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c9cc712443ff7bcf3289c07cc868d3bd

SHA1
9683409c7c737cdeb2eab225f45aea5cfcdfebe8

SHA256
79e8b265cdf4be6681acffa73f808379ef70b072a048cc4ebe9cc21020f4d53d

SHA512
2ec848bbe1daa2be32dc28c346c6ee5030081d5eefa8455d520f67d22d6a8238b286de5271809ee2229b09226bb1eb61af7cb0338aec009928892836ca2f3e2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8c494e121e00e779b58ac593c6de5183

SHA1
cdcb70a10f8b6431396f4f64e165d38859a7af01

SHA256
e8ff4757720d121d3b13f612e848159570486b00dd4c036027e3b4a077ede7ad

SHA512
33ec312ee382ca0c0622d671f6950342861310e68c22734638f38192ad3c40162d011ad7657ea25679db9e65142a9b47379174b2779c049b594274eecdf60d31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2ae85981609360042e0f3fe9fc7a604e

SHA1
39b4aa37df7de3caf3d7ffe968d7d5ec6aa755d2

SHA256
b68aab605622a0c0b1513a387a29222ecc47678c236af5c54b2ef1680444e302

SHA512
25ca6bd92f12d6c201afae88ac293f1ca82662ac83aef90b0fe47cc1a23b3001bc0d6113f2b0a41d162e1964ae3ed7fad0667057b1e74b227d71ed980d5b67cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f25b1de85bd1062625d175612901b05e

SHA1
d290c126426d4f0c91e9ad44148e9029d9940ddc

SHA256
ec0129f27282dd6d2c5fef0578e59b7d146c0038c2d031db9ae25df7880380da

SHA512
26693200af8942fa793767458391bab2e5c51fd8244bab52fe2788049e24ee6a605a46f2135bce1c321b51a92f57c5a48b37c9015f787b089f487303c4db487c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2feef3d1e3a0d52f46feb8b485be5843

SHA1
78bdfcd1955ab8486dd9c7fd3d8e04632f3daaac

SHA256
ac8c587ad3a6241916a8f2a7d8b915e059edce067940413cf396be8e54841b71

SHA512
b19eaf06efb0517678aef4e32e3cecd0298730dd461837184b9c756dc79ad68745367d68dd413ae122e0c001ef7c0436f0c86573a84f22c4333c8087f8a8eecb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7a3a3c625f49d4027d6594c27ed2aab2

SHA1
8db9d7733a56ea0945d123e244ade12cf83d1878

SHA256
8fa4f653b8e63a953bf51484f6912706f0df908fbe0f7a96bb9ff6424802ee9a

SHA512
36f44917d964ed68f329618165918257bf01a61b62273f5716d5642a0b15770292b445009db76094577a0493487252b1d70b89ce32d3cfb0d8b5ddc9138fdc17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6bd0acbd739a908a87a05a3f71700fcd

SHA1
b27fb8253fb8e0ca2293ac04994dbedf14585107

SHA256
40d85d949e97832af2aecdc860369dc96b7273d4f7c36af5695ebd84bb87e197

SHA512
b103d78d3ee6277d512b85a0f18dc8478991d363132a81cb8d3f93abb5a56de44f0a872b325fb88719543ee79dc039180f5644b370c5024c406fd5b1f55a736e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b2cd311da9231aca28f2a3428cf81903

SHA1
c9328ca2e96b137fe739612db1313a42be9fa15a

SHA256
9f3cebd5244c5c4e6955626690e8b09df5842bbb4531412055374a63d7b030a6

SHA512
1bd087fb7c0806926acfd401cf926526d7960be7ffaafe14fbbbfc2f3dd3a7485d35cb8f3d0de4d802bf23620cb67af74c06ae215fcd5cce794520d4f77e70dd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a9dbc0fefe2e6fe0e54f27c6ac3b818b

SHA1
4ce243241a65bc5369720ea106f2f2488d5b9ed2

SHA256
b20cab024d034e710bc6e324f1bd974d859f811f87f0b0be2ab62c206d7e944b

SHA512
5db85b9c8c58d6d5a2b2973e1123637d865c87b8f121b998e499c55d0a6127012eb27712c8e17e0a05e0e1869ca8b3ee51011a989e0f798cb906adf15409e740

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3165def65a41f844e2635efdff40f162

SHA1
5e37d6555c2aff5c8194214cd459b6c1a32f0dc5

SHA256
3835337a3c28697ea22dcba729361643e7d54460c3f37066919c588f2a15b733

SHA512
61b9366c047bcbb1df7f17b8b313531a08f635a9df91324dc9aa0b9b3351a6d9e2ecb623e175128424d4b0862551a93d9ab27b33e7d971f7c2f5df4e341f9144

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8e867e03817f424ee3bf708bdf436985

SHA1
561ff6341a31b876e880b3d2b3e1ead2c8728a93

SHA256
a660ae48aa48cb5ddb5b976c60ab5287f7aba414b87239aa63adc1b591951d2c

SHA512
a30035e9ecaef55585adcdd117a1542c40edbeef0e663fdaa30a15b6ed6450676ac3440281332b6ba9e03e35dc4b5669835ca8ae8b8cb3a48cac3193b931ef36

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0b78abc20cb1f2f181205899b7406dc2

SHA1
2927bc9a3c1321b3d5a8d649eb6a94c55fb798d9

SHA256
dbf9f48c120686f5b05727238a27c27a4c8b8fb0a68701d447164fc72ca45c4f

SHA512
d638d1d267d336e2a579c58ba5dabc0aec9909efe56a4ad2fd39b2536cae83210904814ef1920af1985eb9889fe95243af07870a9786c4b1fabd4fc7177af2f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6c2d0018e8991399b29fb77c6cf927c0

SHA1
fd1423af107c26ff48d7f112b066cb846a4f57b7

SHA256
5e5e1473dd41fc462cfd5bee834c613cf95980df585727a13ca09d5241a12d84

SHA512
d78031f5b49747c12dddbac43617396c4f27e3120b9f6fc84f030db2f30674a3eda45d9485989b822611ac409ee0ffb8e2c3e5ee5369755ea99432a450db21c8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6c67abb2dd10c73202c3648dff7dbc40

SHA1
6ddb0e3330d5919a3c0b0dc5eaebb4bc6c190f8d

SHA256
5eea222d68aee422f951f55422cd6463b5f87dd43c002ef255e96510b66df7f9

SHA512
a723d1f7d942976b8fe41cda8d751332d3f7c0ae7cb3b031f101763c0baae6390d75b5d2c7029372698f8ced619e09d7af16da34def25309c255a08c5a684228

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
102ed7bd63d809b2d8e5abc657c930ea

SHA1
c0f4e707ed20d1de7bce6dbe018bb81a25a8eab7

SHA256
1a20ad986ee1f2064785289f03be9f9d31cf87991ab9a36ba78dd83142a1ebdf

SHA512
7329be272e02740fccfee737607462725456f085fc9551db04bff1905567c84df74500897102c95de77f7534e09fe816d5178dcd8b16e5428e46fd2ae629a867

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
77e589b5e13b56c58f04689f6fc631b0

SHA1
1905f6f6d8609e96d729cdbcbb82e622b0a22501

SHA256
cb6d6b94fa6051eda05b8ae3ecc0ac0d85df4ce3b77a0bdf0baa25988da7c663

SHA512
e372e3f687f59dbe597203f7516b8e466b80690626813fcd3a2f6828439f8423ec0a091629bb0529bea628159bfa753a9d678886c6ac586bacbcb9ac7a0a9918

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7deb6428287b6ee115cfca247317e49f

SHA1
b62984cee9f914ae7fb40d354e422c7189383dc7

SHA256
9f1b1aaa7798f811c4f58b2dab818a2ed82bddb2739d2ea874847e33214b7fb8

SHA512
a94e66d1d1fdd072d442e087645de57345ef608b354b4d74c33a57b9735e00993b58a042748f67f57f38cf2a08f53521f70e30988ea2300d287abaa476ac12e7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
26ef8e4d690038ed9e5e6e34e42a8b9d

SHA1
ff0f9bd6f1648f6030ce2b34ac2321bccb676d34

SHA256
b86329164c31432cde456bf5fbf921a704ad86f18645e6a6a54237efa1d66e9c

SHA512
31af2db3a5e7aef06b759da3e0030b31cae979f021639dc97256380ee400fd246242747ec99a21f848720d75e034cacc93cc48ec88fec9563fa80d10b3a5e58e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
536fe2d1d34167f1e3ad229a523b3a5e

SHA1
3338debed9b8dae4f929efaa04eafc116529ab9b

SHA256
6ec64e64325a3207fb03513125ca1b3f36eca3134bbb148403359314e9d01c45

SHA512
7b9d367a84240e74ec9c9d8b049af7cc0b4daf99023e872d72e9648375f0430458b0de2f56ad7c48cc29ea35b5373c60ad32203fbc1b03cce925f345ea6dd5be

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
85adef9ae9ba42865c31d64a2afd1919

SHA1
36466b2af2500ae404036ee341653dcb2bded59d

SHA256
5cb475f177f65e77331655f6b5b29d69f49b82e54769ca59afe6c65ce7238675

SHA512
86082022fee60dae9ef3fadf69a99de0d42ad274c330e6e7d20f39bdd3b55435cbe58bc5bef2fa4294fa8c5a816c1712f2b9deb59bb43dbb6552f3492e851eaa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0c942573b9d908e231ec5ca8c6904bfb

SHA1
697094592920d2d9cb8ab29721a731da0dd84381

SHA256
efd897cbadc50c716f386331024287aa62015b5cac5676c4d20be6960dae74b5

SHA512
e7d8247b7af1bed57f8783687811fb14262b7f704aa4fd80544c86ee4697f72fc744dccb7fd2398e4a2371574ae78bc2a7e719000de3128871dc514b749da666

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bcf9b96523f6e3320189342e5564bad1

SHA1
650186f279bbd296318b79d7ddc55c1e0b578c59

SHA256
e83dd6a888a21342822c136dca53af3c211017f808ad84a3070838f278dc7ee8

SHA512
07300f0941d8276599a05a5c8fcb2a4b6243c309636a178559e3cb83fe751874aacf640f2585f603c3ea119698647a6a3d849ab91f6f5d5bddfeb53889ed53ec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
308dea8a61925769c1459dc4c5070555

SHA1
3665f0912156a1cafa352a40ce2d2d919588b951

SHA256
fc8a3d3ed680e13324df0d909104035c75e2f98e2f6d792b6bc8a85fe605359b

SHA512
1f565d377d195a180a9ce51312736a01b08bb8676041c7a61b7e33377e03f36f93bb5f7fd813af8d4a8ee6b59b4e52798c203ca1baa2788c9642053df27f80d1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
04a01ac49ef0189f4d7cd8facd710a56

SHA1
8ca20c1ea987bca05c7bda6a95e1e29c9e023cf0

SHA256
21f20f3389372eed093e2e611990b2ede2e1e7ec13503a5628054abeae474dde

SHA512
15a9adf791bf443894b8d28f770c47823fc81392c6a3e9be90b07be267e4b919304216e96a9d3c61612fa63a6b189bbbe3df0df78ec79b70edf7b7fa2f266977

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
78990a175f728c68085ee0349c1722a1

SHA1
43031392868ac3efec555e5a693cf078828d3db5

SHA256
679f89cf4e38474b2702f544e8eae20e897866fff98424972dcc2d5bd4416f83

SHA512
f119487d3b9542ce1523d1c76ab9ece597204a5923908b62ea61efc86457b9f4908e8af32e67e767f6919121f7a1ef7dcaf1bcfc978b37ecce8b7e92438c22a0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3f5c320841e4ac5b0c2520785c0ed57f

SHA1
11ac0ca1ffec885401ba32601b92fca97a75ae78

SHA256
d8d1373ffa07b309a7e478c3ec867680026e63db172786908b82dcfbb3c10905

SHA512
5d6dba189a91babb84b777335751c6be7d13c067cda221e903adee5e043a7ee91064335d8d866ef907443958a14d4fd566d9cefa3944fd4fb0a683e0056971ad

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9da9e34b1f0af9c96b278af943182126

SHA1
f4943485530eef8862009648ff6f214c652a0271

SHA256
8e433986948e68b3e8c38efe04b3749658527b592187da2ae19751349880bb10

SHA512
00d62fac799339832af6357fb83d87aa4ed70d4f2dd6b49f355ab32c46ec362d5c93554f697f6f205c557f7e0252233fa74b64fd63fd5723357d31c9f29e6222

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
83acf06cf4f5d12945638ca0438165ce

SHA1
3122ac83ae826fbc5d9a5092263335e2d37a3f21

SHA256
8d728ab392836a1ab45c83cc1d85e610e4c254d2f6e9c959dd47847768e040a8

SHA512
10894bf60d7ded98cd9606075862ac7bb92eb86711600aaa4889239df87cf4921e3e01acac849bbc80bcf84140ba8c750294230a436fb5f2e93801fb0c8cf629

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
aecf00493db709b1458db563f7758fbb

SHA1
19d0b8bdbe83567dbcbf86e765bb0d4d5e6ad4fc

SHA256
4c4a52a7641d2ac00f10047a06f9247eab7d8c3346156fab168a24d23fa11d01

SHA512
63f156dffd25b5ad7a6e5e980c4ac40ee4819f7977720d7f4a497f8e4ee9c5c619be89d9c38ea81a462f6ef47f2611d38275064fa076796d3e1b0188d833edef

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8e39b6366e4a7a667594b9f860ffb67c

SHA1
55dc8246cab3401ea367fbd36c577063693e1ae7

SHA256
9cefa3ec641597c1dd121f6198172a6c276bcf5859f7c6aa6f89b9f358447127

SHA512
34c352d1c5720d158ec465b5ee5f219563a192cba657dacf38c62d16132129e538fe42dddd30447726052fa0148a1fa8cf0d9f346591a2692871e61ce906f8cd

Download Submit
memory/208-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/208-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/312-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/312-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1044-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1044-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1216-144-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1236-146-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1340-439-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1340-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1428-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1428-54-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1428-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1428-207-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1468-556-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1468-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1468-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2120-613-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2120-263-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2768-6-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/2768-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2768-82-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2768-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/2948-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2948-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3088-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3088-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3088-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3088-222-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3296-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3296-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3432-147-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3432-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3672-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3672-471-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3748-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3748-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3748-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3748-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3952-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3952-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3952-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3952-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3952-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4064-612-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4064-253-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4204-530-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4204-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4372-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4372-607-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4428-145-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4652-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4652-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4652-61-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4652-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4652-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5104-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-31-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5104-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-161-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download