77a7216e9d954df5898451cb6f61a150cca9e6fec76004a191a2fddc195d5dec

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Size

712KB
MD5

f6847ab67e21a9dd8b96a09b80daa65c
SHA1

e33fb83ab7c248491dd27b8462276b9f75443aa6
SHA256

77a7216e9d954df5898451cb6f61a150cca9e6fec76004a191a2fddc195d5dec
SHA512

ea99e7276be1302ab1ef50be21d5857d54722273492662961cb2cb9a1d4d332a766984f95f7ffed99ae70efc5bf68fe251d9d9d55be144a1b6bced8161d39747
SSDEEP

12288:/tOw6BaWMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:16B8SkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3220	alg.exe
1996	DiagnosticsHub.StandardCollector.Service.exe
3292	fxssvc.exe
2596	elevation_service.exe
2548	elevation_service.exe
2472	maintenanceservice.exe
2236	msdtc.exe
3144	OSE.EXE
2180	PerceptionSimulationService.exe
4904	perfhost.exe
1800	locator.exe
2672	SensorDataService.exe
2948	snmptrap.exe
4744	spectrum.exe
4688	ssh-agent.exe
2800	TieringEngineService.exe
1032	AgentService.exe
4468	vds.exe
4516	vssvc.exe
3536	wbengine.exe
5040	WmiApSrv.exe
3100	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8312ebef240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efb94991ceeada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e55bea90ceeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5bb2a91ceeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000817e6d91ceeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026f46391ceeada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f68b2f91ceeada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeAuditPrivilege	3292	fxssvc.exe
Token: SeRestorePrivilege	2800	TieringEngineService.exe
Token: SeManageVolumePrivilege	2800	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1032	AgentService.exe
Token: SeBackupPrivilege	4516	vssvc.exe
Token: SeRestorePrivilege	4516	vssvc.exe
Token: SeAuditPrivilege	4516	vssvc.exe
Token: SeBackupPrivilege	3536	wbengine.exe
Token: SeRestorePrivilege	3536	wbengine.exe
Token: SeSecurityPrivilege	3536	wbengine.exe
Token: 33	3100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeDebugPrivilege	4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege	4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege	4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege	4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege	4500	2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
Token: SeDebugPrivilege	3220	alg.exe
Token: SeDebugPrivilege	3220	alg.exe
Token: SeDebugPrivilege	3220	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 5964	3100	SearchIndexer.exe	120
PID 3100 wrote to memory of 5964	3100	SearchIndexer.exe	120
PID 3100 wrote to memory of 6044	3100	SearchIndexer.exe	123
PID 3100 wrote to memory of 6044	3100	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_f6847ab67e21a9dd8b96a09b80daa65c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2236

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4904

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2672

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
1⤵
PID:2968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5964
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
146e162b912c91c5f08cbefa45e5feaa

SHA1
60e15d8fabd1c1051c52df9cd6279f287cb44078

SHA256
db3dd3a1a5877eca384e0fcaf4953b7e9b3f58d52287e3287d28feb5aef4ee40

SHA512
f9021274d03a7df3c4644aa6e3f3a1c0589cefece79539aa3944b9d2550b36b72453268f1dcf93c5d032878272016d769897cc93fde7203b131eaff948181011

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
bc00dd7c69bd55d4a1b8a6cfcd0125a7

SHA1
ffb81c25e90ea5575c584a7a5f77d3ea1346ea2f

SHA256
8bb673bb7c8d42a1a9a753d53afb1097a10eb7e9bc847a5b26d33570b5e5fbae

SHA512
4a8a76515656702b4871137d4342ef0e6cd37091c0c2e11d380788e23730f385549eceb0a3b56029af5612c6fed64d22ec95ad54e5c7645616f917b0d33c2211

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8d90fde691ce439128a8bbca87ddc4bc

SHA1
f13f8f376dfbeb04e4e27fc407abc26661bbedbb

SHA256
cda1a9cb0cae2455cb8024759ee7aaed9c71902fbeb40ca5ed783bb098694447

SHA512
8a6dbf8bf2ae074f6738f97bc164dc3a7f5a36e3686d457c2ef92c7f54ba714199f0d84b2d5737d32d90b3d890edd41b5c9f404b7b15ba1ebfe901db3e463e76

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d6c86650a2674dd722bf9b7b08251f87

SHA1
489ae47116b1570e38418f051143e24f896f462e

SHA256
74993352f08053ec48ef1b3e1d1978917da63e9f791ac04db58c632d4077d9b2

SHA512
72cc9bd3bcb4c0e0b8120104b3a92bcbf8aa846169033731c0c447fb17ab07ed298dbaa9439427e39753596f641e3130719471f665686e67986d58a4d72e1e1a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
861f54abdbf807fc5528e12b3e658d6a

SHA1
67f01763ea1a20eb956aabbc023f06224bc3448a

SHA256
b36e764c723151bb9de843c8647b54a7580ed45ea6aff2190b0217525e454361

SHA512
6f35594d8420b3c71d75104ba1f389f29848e746724498a1b201b623d382acea4805d91a0ff4e9711cc9dc2400ccb88dbc6f319a06b8cc405a9b8c921f7c6b38

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bc3afb87d03cef67b1093552d0a61f9c

SHA1
1f9303fbf30721f3ac76331039bccae7e5db9cc9

SHA256
26837217b32c5594795b8fd21f09745f0ad8c46bf2fa9a6ba6bf5dc3b2a421a6

SHA512
b5f55f2fff481d7e9ab997234ebc4fdeba86d3c57993651e99a7dbd2347dd0d505ce6e59d13e8c394f37acb7c26cb4b91fbb7849a44943d730a19f0c204bcd2d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5cbd6954700b53ea8fa054798d8a60aa

SHA1
5c15622df0798dadeafd3d120cca8d5dd9463171

SHA256
47ab2991f8c4fb485aa224ebc547aaf2c29352ac0982e23e861f62e8f3b90938

SHA512
727f3a20ce385f5f4da737f80818432fad10564d95513d26362605930943f446cc7cf1f0ca383eedd5e67566dca01ae16bd5cccad38534411dedf9c3fde1b5f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9008a6ad0547adf8b4a7a692bf894573

SHA1
df881c22f73923a14a673b01e4c8e2982d1b70de

SHA256
24aa53d5dbd2099792705d5a32acd0e6fb6f1c22992888026c437746f8eccde2

SHA512
778788c2662a1499bd1e46c6c72f5464be2d0a6885e0779a340a3552232e851b2326f5f3f60869bde03b1d4946572cff3ee88ea9a47843c13067afe0e583cdf4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
684fb6f1e5b281478837715719391e12

SHA1
8211b5bcf45c696b2255eaed6840cac8a9541519

SHA256
211d23e2a3ff00325fec25c5acef759a3a4ca7749285d7ef2ad4a961dd661b18

SHA512
987cd108652b8c83a3696640152cb9fa7535fc1a1b7bd3b3efc36d096d8cc43f2d021a7ae39ae2446eaded03c73a8d262948f3502680b416e834bc1aaab46dd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fe629b0a7296f5de33ae26bd889ceaa7

SHA1
50960afcbcea4e4a3e28ce6dd57ca202d0c18655

SHA256
255f41ac11dd6aa42c1ce1d917ac3aa1a7cea3b8881ddf699b0943a5fc170d59

SHA512
8c4742ab3b05e76e8471050f4055d0267830061f6e1f946458ae63222e8344f3f8c3edf515e1e7a1c104b8ff558d9307d55a3b6cb2e318d71de86ff09a613493

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e1ce2173654368757b176eb4723b281f

SHA1
3fb499f4e13bfc766139eeec7629e18e2da95599

SHA256
d9f6abdeec7ed274831dbabf189a1d49de60c05c7671b5840ff0294db3a5a4e1

SHA512
c00354938a90813e1cb2f4904b4a70d791929fae1359e9340b916044e54a32dda49cdf4f15d28931bc9fb713230c90b47f725cd4ce00ebedf21ca74ca4315e15

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dbf9e10a112ff13924b344a024b75f23

SHA1
42c561e00208ab849d5a41ce4877524c7fcb31da

SHA256
07df6268e07db37d0f93866d1a1a26b81c3f26add81769681a984ea8aa94877f

SHA512
ca884b414e4ac7afbab6c9d208f2e0b1ea7f6e6c2b864a73b9bac7c70abafc6786ed8c880082a7455fd52a8cd09d0aece6e60879705ff055583086f51bb9e03a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c130c7928f1aa745974e920239402352

SHA1
d29f95ac892615a2fb6533e6af237f99c0b757a4

SHA256
5e22903bbe417faae33a778a08450c85091b5447860c5f9309dd31c20d59cd95

SHA512
bdc284493c8fef0e27fb7c4e1f4fa6cf9798eb0b19f8e04511d3b963aec945ffd492e1511a73bdd4cdd4a26ccf73309d186526a287dee61c389f56d35844b0b1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
47eb184704b1d56c6d29a2c773164cd2

SHA1
d5b4f6d5a37bfca9e6b0edd9049b32152c6aacab

SHA256
5e0667a6450e0b08b21f9ff2e197388c49b54f416bc10ed4481fd5801c5f56d2

SHA512
a34160700ef794358cd7cc7c1d466c920b95a87b22ad3782abc03b270ec38c4766326a6dc5d5d63e4f36fabcf73729901cb4a639c0b22acc7d76b489ac413cf3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fc0660855d16eda65071d1ba525e0a05

SHA1
0d0addcf55636f5b0e9b197d595be4cdb0138ca3

SHA256
4419edfea05792ff48eb75306e9d1dc70e24cb689eef1cc389fe6deb0d15b606

SHA512
ac468d05442df7b822600f203234b3bb0cf9b4065ba33d83ff7bf92ba503e025b3ee51c6a1928549f7a90d8152d52dda06962b781623dad02b4c05e0d9456fcb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
46cd27b4e1459e5a015768ba503b0021

SHA1
6b550dae8b26037a61173421227ada8ff0671b30

SHA256
b655f842ac1795ae946e2a270bbe6a0b3d698a21a25477e5beb4e96877f69f7e

SHA512
8d1864bb390c2169935795915e8d7f76629f61830e1d4b8fb9f7cebb152f44bb7158dd9141b4b430face64912ea7109aed2ee4efaa1e48fc940e1e25569453c0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
dd6683ef3276b74ec6ad48be9fd38afd

SHA1
c2585e3e8170a65793f08f8e1eeb5f94c113c8ac

SHA256
4412ead8e655d6f857cb8fcbfa81adbb9706a6b0384e9c62a08aacdd2fe5b09a

SHA512
b6e5c3ddfa8cb3e35c9ab6a2ca6aa595030c897390b8d0968acdcd00369385a29645b238b471c28478f8700a734c0ccd550a749a629ab91ba11c7952fe239781

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2c204e84ce50c935231bcc6dfd9092bd

SHA1
fcead0cebe35cb5595362c0b6370eeb7fc2f06a9

SHA256
8ff22ed52b274fd74ee452a69b5054c6e1561db3240691c5cc80afa4d316a865

SHA512
60b59ed6b7699082d16ac8e95383f3951d43b5116368316941e9bd3fcac0bfdc1f20821b5547f4e1ff7853cd6bcbc5fe2ac8ecf889f75e6c21cf45b4d962faaa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
efc455b621f61f67bbff166c8993f5b2

SHA1
053cf58547447abe2a896791462c489098964bce

SHA256
d91a90c1fa3ecafe6be4d99b15793136c5c32280da09763fec7002098ca4b5f0

SHA512
30d7da73e762cb4eb7c5e98e6e73017485670584b34d33841ff6c6625f2bdc7044684ee94a9218fe5845a913f92e3e17a075c2a709139d7afa46be36cd004c46

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e41a56f6bdee1542ebbf590c7bcb8f90

SHA1
22f1337594e9d804aea8694de4494c30907068d3

SHA256
c231d6b1092b7731a0eaf7e4dff6d5a48319c2f4cd564b21da79d2a6ccceaf80

SHA512
c5e3456426c8dd3159547fd4f8c695e86944970f42450f674a38e01821e0218501c43fe005bf3c0a9930ba09c271d3de0e4e440a1a7912e272704e8720ac44f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6bf9ad85b498e5218537084931b7f5a0

SHA1
62e7ab50d23d3d6eaad2e54be0911a0140cd1178

SHA256
50e9fad8da2987c475f884d98c2d5966dd5e8e55f603efdc2a8827534a158f9f

SHA512
ce09f60eb4b3c466c3a41ed2adc8ca3534f346071f621a8f2717e45e79def6fda81caa9a0ae29b39d02e4f740e6103f9d1db3f43141dd1e8a5278f8eabd77459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f6713351cd8321be04738b25486198b4

SHA1
f023ffce9858389e47683038da41a3c11c2984c2

SHA256
df3384bcdeb78302c84cf3b4f168a0034e13f9bdbad8b2719df424308a79ec3f

SHA512
8b8621660dd46c1a7e0b1b36d08600e74d0998bd87a2f582ba39c19f55fac5e4eb4e8293e31985e1051053a1a811852c60bfd0fb46e9ed3000a4c736340daa14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1604a4aeef57f7bf8e11baaf0a1598cc

SHA1
19ed857eda5552f8470cc19df3a4c4dc22ed3c18

SHA256
ba7515e957067a2586f8c26d86144b922428b4208216140a6d2f3dbbf4ad39b7

SHA512
b67259025611e71f2771f35245422568481bbf6a608d39c8d149459e8f6d7af2c48d6fb3d38a4c60c41dcbd809901fcc95e104c34980bd0a74ee1870f30fcf66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
64a4df015de4c6f9e506def0faded181

SHA1
d6fb5ea82dbd232cdc884a757bf23f14d850c933

SHA256
313c243c07e334c9c839060623b4b9cbd2df76048266bc5109082ad76bd766a1

SHA512
0e6172b4db0026d63db57a770deae1636d65332dd9fb542146f9a43646f63d2c80998ba945d5f500c99f6964077276842b596a0b4481134da237f1a8cf537e8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1a517087b2e0f008c68b164935475662

SHA1
6ff46c436f26eebab7ba29201919e7a21159775a

SHA256
8a87318964780cfd8ab8d38c2cfc22b95c23023c79ed9d8e9ac6e4cfc69298d4

SHA512
cf64a20146fe64e2057f8416585c3e353f3c56065830349fc6648b101332d862af33a97233ff99c66e303b3a6454f6a97794c4b26bd3823910896f70c7525cc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f057b9bbf03d4ea9d36293fa3ef67fab

SHA1
62738223f990a743a44ba3dfa763a64ad30de64d

SHA256
4f1c34e6974a2c63294994b9099ef71ad5025a010e20dc0cd1bcce36c1e7ed7f

SHA512
5ded8e800ecf1a49e0de660e610a75f073417eb39270f8f42f77b0009cb1efbabf49b0acff502bda903654277fd339fb1e760bebd59820b7ae33be1a21c23cb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7045f0aef823eb60196b657f6833685a

SHA1
983e3d9f4ba76cacf1ca9898ca8eacab3f064f04

SHA256
a41f4ba30e721b072cb184872d41356b81dcc9a79da4fdf7b9f2fafc1119eb95

SHA512
937064aa0842915007a9fd20d13a57b929e89dc428e021cf0a68997721ecada8f13db34e0117de6238ea0b3b005b8f78821b9263d45ab9c54fdd52c064fde8dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f842304fbaf5a06b6056c589c130d5d6

SHA1
2b21bd4b2a093a7a541992f9683b6ad3a8126c40

SHA256
69e4bfd99c20118b063252ea07839b96e076e684f7680328ac687f01cd7626da

SHA512
1ea30d5125f581d213a374e0a505be6844efb485ff8cfbd571f455d807fb3bb7aa6d887a8cc0df0813dc9ea26206ddb14d2ed9491cf99972c0b7deef3a30106a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fdf0a0722e51d6c91723f9af4a166df4

SHA1
6ec4a3418966e9856598194ba227b96e2132cba4

SHA256
8baed6eac321a0642f4b7c5c9dd390441c7747b3a5034745058170eb64769eec

SHA512
371c85b259b2c7943fe087e9471059d82b499fa9aa0b4884f682091d93d8aa0e2a439fffcae6c00017d1a3e3ba61b0b66d40552f990843bc62015f09d8dee934

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e8db8add4c479002f25631641cd91b32

SHA1
764e75d3a0a821f991d09ab14c196450e552a847

SHA256
c259775d32a156a8eab78aebef9bcd6f7cb0cd47a2a0711b2157e43e5dc84354

SHA512
5950640e5f5d4e7cfe0548eeb0858e91a55ef296882fc4cba63f943ce2010d05cf81652f60242bb56151a36cdfbafe36412fb0f1db6502987bd364644893ee20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
97c28c4091c02213540c8d4ec1641edf

SHA1
3ee40f34949e356f458790178d03882636ee8f33

SHA256
710122832c3515586eede053bba3b00555e3294e72a33d7fba1f9e6b555fad18

SHA512
94318fbccd000143a9789c6755816b860aa8458c10ebf003bb74db18cd0baf0a96b0c933fcaf5e3448e898a45cec40d95065c7b8a5bff83f770eec5a4d22a05b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ccb8f7822034552f7124c70fd1d334a6

SHA1
c94e4b70207ec39fdbe63bfd89b03215de90b2a4

SHA256
0a8ca74009f6d8945399996bad4b2d7fa9e2057467e9761cbf7a72d2489d6de8

SHA512
00832127f58f572181572a88e708a9b44e015f04238f5a6c5ba8d521eb4856e39239ec17cf0e04d35a17d58a55ec566b52f0836d410870df88ae68e588bdfed9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
63948ca7b003ea9bdb81b1b7d1c9d0c2

SHA1
a20659016f7c475993f869224b97eb4946d7bdde

SHA256
2793f092b458afe41cd67f481f89811bcc0f9d3dea682d0d9957e5c9df58963f

SHA512
16047e5c4cd3675d15433c0c97380ff05e31ee39a87d982f92466df0c3fd1682ab8cd18f0a48dc5eb8ac89cabd96007f56d525d8a8464aae50205741117f528f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
8020190faefd97966581f0ffe81edf5a

SHA1
23f11e917ac8ab087c875fef2c3632434862cf95

SHA256
afede0ca3f6ce7ed5a9fef76eb908a473946a913383cc25c1b982351a9bac0a3

SHA512
b37e90bae68fc1ae00352cccdf31e801af159916615be8f2f6bb2bf4b42f535c40c9275f93e178ee012635d09a712821ea77425422eaeb4be549a30ac532d341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
844f116e5da93fcde5718dcf2baa2fc2

SHA1
0ecb8671d715bf0c4d0a70506b1c93925afea90d

SHA256
4bd77997373493240b48228e887fc22d8cfeb82e781cce1128f4e400ddc7c2ee

SHA512
243f9f002c952d3ac21bbf4fca21347f4cbf55e746a2a133cf02d799d0192dacb8fbba9f2488a54fd7622ca5ac90c73ff5e4f7cbd3771e536e2f70b7c8feda88

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ceae022b7397f65f8c6f4ddda469584a

SHA1
6a6f512b30678b54b5dac1a04060249526dec426

SHA256
1671dcbe4effa1421fef717ffc86d98637eb729a48aa5a1d814e751d3843583e

SHA512
01cfc978193952fce786689c5d3ae2d04ab8bd66978ce17ae03fbbe06e27890033517be1ae408a08ed8683ab405f91bb3ac8f5fb215e9b8201a64df98a45105f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
cf2f2a1e420eaedda11951d1e8d8ebe0

SHA1
d78ba420fe2c866bb8055f6ae66fa4f2d80db865

SHA256
2728bd8e00302c2499dc2742c6d0b9d4b28598575bd27775e79c7eedd0704fb4

SHA512
c480ed17de364996238f5592ed01750dbfb06fd93af39cb2dd84fdc06661c68876f12c435bead0ca9696e036e42bc4d4b9cdd105ac8a65595488679a620b5940

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4d00bb86a1fc8e9a2fcb06d6ec2c2ad2

SHA1
b5e8a5e1f059ca78bf502099ac4486800a4010da

SHA256
24e0cf50cd4b1614b840296a2d733b81952581dfc333c0e8f9668de616d9c637

SHA512
e184c04d288b485e6bc917dcdc60a73547da0a33798e917c99f15e92eaa39c39ef279cbb4f1447e4f65374da6d1aa31c633536ff00870991005cda0302864294

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
67ad75cc7a738baf4d62d901d9949294

SHA1
f036fc024b6acbd747188d5aa7ba90c2fde8528e

SHA256
bd2a3e5dd27243db1e092695f2992d1dc52c111caf6bce18f08fae0ad972e621

SHA512
d0815e4f4167f674f0be99796143c0f1658d41e5bbd667f04615020f74353a681ae4fc06c5433ecfdd0514a66ee6859e03b3f109c68dca6fbfb591ba45afe47d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8f68dcba8081a8b04be6c11ec024204f

SHA1
04fd87f924a1ac4c2b1f3f4a1eb35e5578143bb8

SHA256
23c805493e043b3774301365e4f02406c193b65c13a93d700e79d79abd57d8d5

SHA512
82df4ade37c3c018fb5f0ec50fb4c0e881616d60e0a7a70b190f548ae6c60993190a93221275b8221785ee317d87a2ffdbdca9d1c883218162c1e878b1a78de1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
420bd9bb00809001e2813e39a97c181e

SHA1
bf2f498943580ee8bc8a652d03145858a16e18de

SHA256
b4c00e727d9884f36442e54b3b3ddc6a1f9c25ed3cb16e46cfbacebe24cf00fb

SHA512
6647580c360ef297e78d11438e6789ab7792a85fcf6a9ecd5bb646dea5de7237779df7dee5db033d237d172a1e9d28054ef4398790016b80d647b70bcbb26418

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8dddb38cd132d9b1ec73e4d5a2c2a30d

SHA1
2925d6f3b79758814ef04ee38e870df3fd914355

SHA256
e3b3af9a4e43032340367c2cd9b0a1e9cd3192b4309b6e6d4bd0d2febb8aeb65

SHA512
a2f2f7c9c48f966e9816b34e81549445c83379234ccfff133d41985179e663170edc99877d1da1851f639d0b5b3f07afeaf8c2bc21ea8892bd3a71bab9814a16

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9a4a3f81c6279f775e27cbfa8ce26f6e

SHA1
9a75e00a449b5b2821aab66eb2076f4e15181cd3

SHA256
f64f45dbd9ee4a74fe2baebeee14d43c61fdcc0f864ea3f6e0344b2d77727f41

SHA512
77db750c330718e73857a763731886aa49389be2ba9500fff4333b5bff91fbd7ccb7d4afd37bbe0e870cf4ba796f1363b93bad64287300ee911564309b0cfe4e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ee7389a95c9a7c6cd0f2865acca87da1

SHA1
90115bf8b535de870c69ee640062f172f6c6e899

SHA256
5c12b308cfc13dd6d390ae479290eba417396c220b5006f6e9265e55eebd8319

SHA512
8db085b6c8fe031962fd3610cfcfb2a4b6274b34e885ee0ed3383115046d118c2eb1e27e92963becd62c1e07622c886f00e46e684954e01038e86d18fc7f4f44

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a357a34fefb33d877194e27c25ab4a33

SHA1
86ecd7c033f90d20174780fbbb35cd006b3908df

SHA256
45671311f11046d4852bc5e53c822b22142a71032cf0f4299c39036130f3c5af

SHA512
cc089da0874ac29f37b7b842b775ab3f9a159a3807db113b13b34b78e2f8d8ec2c4bd7e27828bc1b020b77a870a236575a622fcd44619b952f2e16aa9873659a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2642fcaab0f8885a7bfdc851898358cd

SHA1
a5adc5c44a816317b5f2317cdb14b540c392a35a

SHA256
6ac890c48a412f262d182d92e70711cddf15794f511adc9f78feef020bdab6ce

SHA512
780ca9519b52fed87e452dd2e60ddbaa7e074f5f05685b0c3303c14619f14f9b08ab9e737a3ee9565da29203c56ba5e3333dfdca150ccca66e28c80190ea4ea9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3daef93db35fe39a49d8a6ae810d9cbc

SHA1
a598822db68f12d7ada45e71cfd459939d9032ba

SHA256
c57bd1e048b24cb2757d06151ab0b0d37b797f0482dc862a5c1297af456449d0

SHA512
542394e4b9afea88faf60baf8c31f914204cfc4ce067e0fd0f27ca502ddc067f2a0a22be3b01722b035e47d5a3781eef532cf9df1fa4699d6f2950af3a64fab1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
45186b6e61f1e265e3c03d9324045e54

SHA1
f62a0ae18073acf1101d0f2028c453a2c54d4355

SHA256
813ffdc4f31cf4f9c6953dcdc54ff094bf6345cc3428e02047a4a19607a5ef0e

SHA512
9c45530351f4adc0ab3cb29c657a7fdd7dbf4d3d322105d6d5166c89ba4d41b765d8752cfc86182f892ef4815e72fdd252c80a671e387f2d26ae7f6978f51be5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8b24e73146777b5d925a0224d13c3387

SHA1
e14063d01b53fecd0331f8f4f1cb8b7f5f500b86

SHA256
6ec53a9d3cd66131722e7f7e0e070f24f8ead1c9b46fd532c09386de61316234

SHA512
06e265c87f976a337198a442430d42fdfce34a8746faa24dd26846d2e68f7f8cfe308ce6e3e4ddd28d92acf8c72f7e5fc78e3b086406dea43c2443d7b9884c48

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5ce8a24668a3eb128fbbddf502df52b5

SHA1
e8e3959ee94475a92c043b7249ea548d02aa9eda

SHA256
2c2aecbc20634c3de077fceb38bace541fc840dd03919c63df092aff0e4a58e7

SHA512
fabf5073c7f78e5af621d77005e53b9fed0bf98210bc7fbe277e8119480dafbb9c6674af65050755335b17e3bc1fb3ac88d5a3f3d0b179a5c042ea257dafe52d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
aa7e8590f9a435debd1d30352c0bf359

SHA1
db1f56918d13f8de34f03f986f95eb615c436b76

SHA256
14dab581120eaaba466a298dbebfd6c6c14d6f394d658f158b9715b1ded0ef00

SHA512
0895edc7d0554bc7c1503b0c81dc0f3d8213d575f21a672d2f4af4d341ada129b84b1704d22ddea21211ad2778b2faf886c89857c03e81ddb0bf794b3d118584

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
343f516be024ebf6dd72febb6aa96302

SHA1
129c51a9fb29879b22a02ef24c96a5696f88f3f4

SHA256
0fc96c90be3485d99b478499c2a33388edec948ece624279b2cf1b7b6b83ef88

SHA512
3a9dd91657c824f516849ea833c23a9e283e5de28d67946b5b1f6f1b8988c78c68f59c2fa07fedea77a3cca4290283694005c1cf7239bf0022b5f904157d4933

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
03875e9989a793f2cef24c42ea2d93c8

SHA1
0f0983912cc6f019c99028665934a2e6f07e0d69

SHA256
669d1ee692ffe864496ab7d928f5fb896d93cf3ca9c1687c474aec8714f1f1d1

SHA512
8c36b6509ec66ec25d23f1933c5d47c4af7fd6138625fd2ffedfc6a0816deded4d7280173d5633f974245aa2794960cea6da48580477ab000d412bf9348c7dc0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
00dbaffcd6407c974ab29dbb85dbb745

SHA1
9426e0d86147b1e217b96d54e66ea82e9c1b63f4

SHA256
61ebacb647262db8fc0ea3706e2d3ffee11966905d48b6b89150fb76a6fafcbc

SHA512
0b0d67905238f34e35cc2c790b4e9aef0e2239f33996b6d2533376fbf0ec3b844f22a92248d57c42050b7c414b2f63475578d0aa26c9c8140c998a8bf39419be

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a916cadab60d20e6da15441cff7e7c5a

SHA1
88e75711ede34fa120b9c14597c07b5234c87ec6

SHA256
2612161a2a615d978e1307e794695fde400b7cbe38c61b2ad7b516207418773d

SHA512
497feca2958a1715bba3f374483faf8ed732eb89e5af3e2763491f86ae97b2e9050665a5744703509a5bb8240e3a6139cf67f324ff97014f2a2096084ad13afc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
89eaac9183ac0a1243d0afb15f93b762

SHA1
102269686940ffaf99e1b20468492415f38de809

SHA256
f8bfa461a01bc3d8a79d1ca749c60a67407b8f4a1acf1b9d0d11b7b215e09089

SHA512
584c11bf285f5b37546cc1fe864e2ab7b0dd31e2be40af32f553db4bd9a111177fbb9ea9d6d4dcf09acf6e2579dfd2cb08f9c505c7391a1eed5b0fe29929a096

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b2e2ee6ff7d3245c327c21e1be61703a

SHA1
d0ec3affb0ad58122da517909fe0e90da96916ef

SHA256
a4fa16a15afa8d5299c431741dfcda5a165fcea01dd3e981e76d5f305e155915

SHA512
89aca3552754d4e8b424d66876db0aba1e501dc9095c6c95de02f9f7791ceaf9ab931554062a17250f73e91f51ea52a0ec2874d3b8552a8fb7d9372c3663ccc3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f55ad8eaf24af9f71a49b8dae4bf5c61

SHA1
4e06d2b294dd186647b92446a9bdb053d3ead6b7

SHA256
3fe17642db945b251c6817ab599053306b5031970c3649776866fca3a6e33a6f

SHA512
fbdfbfff3d93d61b6bdbf4adc94382ba335f8d8f911a5fd79656c0f112329a4162f83ce189eac233e087289040cd69d4e540f68cccbc2b707060e7f51a6d1991

Download Submit
memory/1032-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1032-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1800-268-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1800-142-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1996-141-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1996-31-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1996-28-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1996-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2180-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2180-113-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2236-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2236-87-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2472-195-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2472-82-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2472-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2472-71-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2472-77-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2548-66-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2548-58-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2548-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2548-183-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2596-55-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2596-47-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2596-53-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2596-170-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2672-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2672-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2672-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2800-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2948-473-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2948-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3100-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3100-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3144-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3144-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3220-110-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3220-12-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3220-18-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3220-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3292-35-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3292-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3292-81-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3292-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3292-67-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3536-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3536-616-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4468-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4500-86-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4500-1-0x0000000002420000-0x0000000002486000-memory.dmp

Filesize
408KB

Download
memory/4500-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4500-6-0x0000000002420000-0x0000000002486000-memory.dmp

Filesize
408KB

Download
memory/4516-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4516-615-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4688-190-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4688-482-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4744-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4744-478-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4904-125-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4904-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5040-617-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5040-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download