4a80e2048ce9e580ef885c4401576bb3c35f2dae2f17c8e53caa613997cb3916

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Size

1.3MB
MD5

bd9a43a0d08231f991e17fc1ab7459be
SHA1

c5fc00113a82a58da08657fec4da6e1409599f5a
SHA256

4a80e2048ce9e580ef885c4401576bb3c35f2dae2f17c8e53caa613997cb3916
SHA512

a46251040fd580ac5ed22af578578d58ae6345ad309c9b305a974daa4907ae4d8cce24c630c6106af9158df702e600f91f819503517ebdbdefedd8d2422ec33c
SSDEEP

12288:ftOw6BaaJlARaGdf1IrOrNhyRfLz707YH7lk9wl225CnPkKb5rdRYd:V6BDvoKFLgYHJWwl24C15rDY

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2544	alg.exe
4660	DiagnosticsHub.StandardCollector.Service.exe
3980	fxssvc.exe
2044	elevation_service.exe
3320	elevation_service.exe
2240	maintenanceservice.exe
924	msdtc.exe
4440	OSE.EXE
1604	PerceptionSimulationService.exe
3396	perfhost.exe
2816	locator.exe
1680	SensorDataService.exe
916	snmptrap.exe
1400	spectrum.exe
3924	ssh-agent.exe
716	TieringEngineService.exe
3980	AgentService.exe
4160	vds.exe
856	vssvc.exe
1836	wbengine.exe
1096	WmiApSrv.exe
1840	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bb9defaba29f13f8.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\javaws.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\javaw.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005633a42acbeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af99492acbeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061b88329cbeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef8d9b29cbeada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054c99629cbeada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Token: SeAuditPrivilege	3980	fxssvc.exe
Token: SeRestorePrivilege	716	TieringEngineService.exe
Token: SeManageVolumePrivilege	716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3980	AgentService.exe
Token: SeBackupPrivilege	856	vssvc.exe
Token: SeRestorePrivilege	856	vssvc.exe
Token: SeAuditPrivilege	856	vssvc.exe
Token: SeBackupPrivilege	1836	wbengine.exe
Token: SeRestorePrivilege	1836	wbengine.exe
Token: SeSecurityPrivilege	1836	wbengine.exe
Token: 33	1840	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1840	SearchIndexer.exe
Token: SeDebugPrivilege	1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Token: SeDebugPrivilege	1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Token: SeDebugPrivilege	1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Token: SeDebugPrivilege	1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Token: SeDebugPrivilege	1924	2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
Token: SeDebugPrivilege	2544	alg.exe
Token: SeDebugPrivilege	2544	alg.exe
Token: SeDebugPrivilege	2544	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2196	1840	SearchIndexer.exe	117
PID 1840 wrote to memory of 2196	1840	SearchIndexer.exe	117
PID 1840 wrote to memory of 1708	1840	SearchIndexer.exe	118
PID 1840 wrote to memory of 1708	1840	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_bd9a43a0d08231f991e17fc1ab7459be_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3320

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3112

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2196
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8d748ddf77fa8a2f4b7a7714b2d2bc82

SHA1
4e4a0a4f320a49c11ad0168f03ada625a363af4f

SHA256
bc74e833b8b9828051d7968c989cf0e608b097c70a05e592097c6d8e601a12e4

SHA512
73a6348be963b4e77868d2aa9c1e71253052bce17e4a05a9ac303c296fcdde92eac045bb9b50da5ca731cd405cf35ec40b968797786279c687fd2c001bb38925

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ea63c4c0e0b44d959b0cb092a1c86f5d

SHA1
a1bc6498e81fbc94d4fd0cc6c41b19d4791d2b08

SHA256
d594c09f9750100b111147a61d9500f7cbee9a9373bcd9e44673250a95e2c679

SHA512
e322a70523d2e6dd6d649d5dc7d45318e6f35855c28460569e9caef039ad129aea8d4b6b54f213a7c4e6a58ae603c30b162fdc993ed322802a1c64ef1f5e1498

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c91b7625926e8fd3b00e3e853c32b3f3

SHA1
a096fd79e0e281539b7e3e549cf0d3eff6f0986a

SHA256
443c512735bcb5bf9b6757a8d343770b738f3fca937beda144b5e275d3b54e87

SHA512
4c99a20347a269a32493a5d5ca8327643f8932ef954b09c4c064266f5ea0e3065a5e2b318e9d1ae7a1adbab4e1e015a754aa674256c1bcb91019f19c95da1de2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e3ffefa2870e2d282db4243cc125fadf

SHA1
ffac77a7a50e0e0d24bd0af90e26ef0017135f45

SHA256
0456d5461da1930cf4bbfc6380803b3ec091e1e79a7d17f2142787d903567f32

SHA512
b9cbb183887701c0e29120b706ed31d8bc06a997cba1f7543866216d07ea4fe4d594e60ec1fe6c60188fb933a19ba5a3668051ab09d95cc70edb57d8052176ef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9d077e2bc57a24dc5d8d4b0ab4e2167e

SHA1
4b32a2541a7a853b5e572f8dc2ac0e907c1261d3

SHA256
b493fd03730df42c5e2eb2eb34507d058c3ad51d0c35fcc9173631ec48aada15

SHA512
0ad76646d6652c7122dc192c03dbabdbcaddff83930293f6ea9c627edaeb314d94483f30fd4cd9a741abd4928175950eec4b4d00a16133f6c179be391967c27d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
54c5a16eb72846fbcf892e08efa505f8

SHA1
51e44756afa7236601cf0d4bf5fa05795d5b6c11

SHA256
7c1c2f74c6548fa32ea62ae011c1a33c1b244aff709ddbeb7c35b7b0ee4b0135

SHA512
ba542a8737fe2a1fef06a649f0a97ac51ffc399c7a630c899e78abbb2dcee43c22c850d361a657f0d55da76df3b4d2c085fec56d7d42187b361e5b048559811d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7d41af96ed59c8918598da31041e42d7

SHA1
697a7e738e9c854b4bb94d8d3604100dfa1b0f09

SHA256
44c0ec138f11442e4c7861703d5614a6edddec63cb6431fab48fa0d3178109e3

SHA512
73cf10c7cb5f11b064c4f8bbcdfaf54981d07e0ffa48e15d4d3bc98597257e55c176d2c424565f26b35d46f4cc12ade8cd902eefa6a895a7f4d5196a418baad3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ddc52641c967cecfdf778da1ec66fcbf

SHA1
bb8e7f040e9500b8f9cd3109b4939c6edf1c87ca

SHA256
056b79a5d86e8a1064d388d3e659e878e2431143b4697313768d61aff85c9401

SHA512
76b0e4b7882c75e307cffc3247412909b7bdd59ef243dbbd124126574e2d46343362fb83c2c9dafea6e747e1433bcc1ba7f6312da598865a215ad14828330cc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
26ceed43f1f45644617b467e14475200

SHA1
c42d96d9874bdfa2ce4dbd4f759faf6a4d931c2c

SHA256
0da999326377f4816aaa7b34e5465c6f3310a3b2f99db079855c96f16596c359

SHA512
380150378f3386904f3dca265d5fcefce6a204a77221f73a4d5f9599469991beed9c0f7ebeb1cf2aedf0670f78a186e09c0920c0983a2040b82a78a7982612e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
af53209b409febd88f59341c5deeb46c

SHA1
380310e723f750753ab6dcf8bc848f366b1a0508

SHA256
e3b7275d5654081e7421c3c639a7692620a5945234ab9322f45d8be8c24fa5e2

SHA512
80287b3280a1adedf86506f2e318e67eec2754a4b76a335795c1d8e612d73e797750f8869bc911d8bf2a15f29bb10018202f5c99b4e63427cacffbbae57f8d8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0ba315ac4d42c6ae1c820c8fb7bb0824

SHA1
e26af216f1ba6f05f555863b23eb2dfde6c2d087

SHA256
778e5768e352be61a041f3b2d8b6d9f222e446f36237f3be6d3f015a04b940d8

SHA512
40432cb2236e2b16f549b4aff0907dfc512821dfc26431a74a28c37571092a56e5656e11fc70a096bea40332c0d59a05a42c029fab7ff7e87c5e3a3575438dc1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2d6995e0c40f5c20a9a82bb29ae2ebd5

SHA1
9e0cb5a9c9abf1fb406e6b2811312597aae39453

SHA256
99bf5b01e7d34dd4c084d9e2c159755e199e31029fd3f3b27c4f4eaeaeb24edd

SHA512
a5dadaeb4cb9fda51cbe05dcac5b2d63a9ac0ef7e0d6f7059f3677261e9637cc400572b77ebbfc85e9e60bd752d56c0948bf31a87bc707d52b1f1faf0ac5f765

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
012a1010a49b393c61dd9e60ce9b2ae5

SHA1
e927b5f6eb5c0922f39656044df488610656de52

SHA256
f89259d0c2fb5e2d27d5c289ba70832157ec62c89dc9452c5f1a52e7d30aaa4b

SHA512
e07421b03ca85023fb22b5dda0f64ab2bef538a6ac9d6365c5fd018ab3f5a2346bf8565d3ced3043b6ed8f797637d3ab2bcb265081afe16009fd85fd71fa11b7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e29d1a4dc523260237f19c29773c5fd2

SHA1
04ea7bc84d8216bbb7ca4bb123c175127ba77fa6

SHA256
9750cb211a86b96358f3f1f119e9af25568497677653091c27e7c8130005e5ae

SHA512
96b7c3aa200cac7c4a6a35f88f6e6d7ddd3a286759503e9e2c741dc3733c964fe586e5a669b13bf00daa6809f7a6772695e1b7a38e1b8fd0b02f83cd596a9ac6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
393eb53331a6b699f9f702a3732854a6

SHA1
265d01902df17e730c7de454a215fc99a5cefde1

SHA256
428f1a83da77d981c8049a21e6944cb1214ea02b68bde5ab44a1ab4d404a068b

SHA512
8941e6ffdea881c910fc4505a449bcffdaa56968e340ca30aebd9d36587bc2c56ed35e747681c7f83d67a4ca0b40c8c43deecdb3153dfc74f444c30521c909cc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
5378152941dc453a76d6917ca0ba1121

SHA1
fb398a679e7da399a5715ec44134453917239189

SHA256
40347985ee3cdabdfd4aa559bcd7774cc39450aee06a3e7caac66be3ec658d79

SHA512
68a0e40c2cef84511cb2e28e1a1118abd0e5713e5e99e962220bafadbd6b8603ff59fe5021a0d76b057c3fb54bf4bb1dc37ba69d90360ea75906a2c7fb9e21e3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d4ea3d39e301ed64cecefd9caec40e08

SHA1
4c796018f72fa7d5a6d921e6308111ed97950d82

SHA256
f648637abcf70849f46215a0d46bf58f8f3d0e4e9ab499227b62b00cc39ff5f0

SHA512
49ffcbb14a89b6c3fc617069ae523e3db264dee141e8ce72dd1074dae2fe5de5a1e8bcac292fcfd2d6d3f0f09b14ae55eedc00cd2787bd2b46f597e6afd15210

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e83eb7ca17fbcc16410b41e5ae1c3c47

SHA1
8cffa34165b186c7747dd6973050887384aa7b32

SHA256
3abf48315709ed21dc1188ae940fa133158fa8bb83aa8e3e7d049c9b3c15ebfa

SHA512
5949a22065d1537d143a8298ddc6c941e6f2cf76f1d99388f19b5c8b417ac4f9437e2384d1136b784d6cd6f588ec80d968d0e0d660f5966d86d9e1fc16205d4d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
485de981cbf5d075549de51ad31cfcb5

SHA1
c18955ec2ff5a751dd2ebef655f6bea8e016f02a

SHA256
3a8276f7238257b686bbcefd91ad21765f15b9c8cec0e6c4b2ee8ced88ee1faa

SHA512
527cacc56b951d1e36ea668360d2a320874f21db1295ec273ef75343381f19d8b38c63822eddb2f301af1ce259359313254c15aabfddfeb5aa6d854ef65f4b00

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
62e67e4a8b0eeb1121b79008f243d479

SHA1
6fe1d8eee0ce4fa3c8f33ae2f0850616e836250c

SHA256
0edbb994c56bbeffb160dd6115f1815baf57052833f7daca14ff0b33867af1cf

SHA512
9d174f7a65d9766004fc25a9c526ffe0550bb954fa2ddaa54ad7c1b594717dbd59e93594febdefd0f47ba3b3ffbbcc84b18a87a37019a58329ca1e9ddde0226c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
de90a7ca9035188d420cd27acd688457

SHA1
264015bb3fbb531a72d7b355756088cf5dccbc08

SHA256
d19d2ad8997e75a9da9d570611aa5ae57c9b2fb6abaf70dd6e80d1f8d729b755

SHA512
82609e829cf3269719f59a57bcc02a790d5bad79a33889d5a78cd1c57c32b134d9aabd724778b74f849d088ffad588a4f75b899912b089b915310d2807d73ebb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
705cbaab1b6641066af7a972f6c4af5d

SHA1
716e371d4c507ac0235863e5e70415d696741aeb

SHA256
b669a25bd7ef9f95c4bb9ff41689cdada77b2bdf8dafebe099f3c38887a01f03

SHA512
d346620fa9724dab0ac5d2e79de7e6f4af2a61ddb29e10741b1c078cd25ca2b8938c3d738f446eb43c7fb99115cd5cf364e6fa49dcc276e390c6ac4709804d5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8ac4d0dd0a47e27ba6fa7c135e0405db

SHA1
34a87e1d0e05656960a0c9d62d04cab0badad6b6

SHA256
09609b67c561cd5c1dd39e8deb592c234b8483cffab72c773b11096255c3e03b

SHA512
f1f78862dea4e871211a0539ab83924628633fdcd482d4a3a9960326b2b31bf3a90898901634a575cd24fc9ec568ffc3678a8d2de769c690a86e24e0a113abeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bafbbd8bc43c8e47af6410db0f3e1d93

SHA1
abf5067b453a8be4d9b0fb13af666581e6440975

SHA256
1b8b5b2500dc748302a9a8caa15af0074c01d12670c5767168ce2e409046590e

SHA512
21f748e832c95b65c165731c816126842d3c0a884a12ffd2596a1cc153fa1c896fe47bc0335125d1fd2cac9fa87b97d10f00659c2576613a03c8b0c39a5a28ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fa19d040c9fd5d3f7e838ec636f126e8

SHA1
f6ae4fbd86d816d48c180ac2bb821c502509a36b

SHA256
1bef264144f75f54464c834656cd4ef9c1c0a786d0e926fa3bd94b154e4d02c2

SHA512
d3f091e05b131bd0f080e9ad2c646fc00b5489ee8a3301f65ce54f19a24b7bed3a718990314f801708bdd10918826dd2efe89ea5c4fb00d486ad1d3cfa56d6b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d5656991a0e45a8eb32b58babbabf8db

SHA1
db5cd518cf8922a6a8aa26290ef2ea6d5cdaa83e

SHA256
82bdb7bbb6370a5b1453f50d21090d3ba9d5ba9172d317ed60c2c04afa0c2cf5

SHA512
959473e8768f5fabc1064249d04562ad9f267f9860e3b9352ed2a0268addd858df5627f8e5fdad620e0dd7ac1419ddc00890e40a9216c8d70658efd368623b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
51271ffc31ea71bcdf49c21402c1ef40

SHA1
07ff73c83ff6589ecf3cf3ad23bf26e9eb3db7b9

SHA256
ef41d121b078c76e61fc6381bec655900c1c486b0d2a794304c6dc1a736b26bc

SHA512
6f9086393c4b433a2de426426b04c7b151d37a942611774e6e24a793dfc8653f318891e82bbd25735ef48f1abae59f885c6838937a20b58cb6e809167b5fabab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
81770a3fc6cf780f88fd973b8df8a341

SHA1
c3ef13705a843c4900390ce353770e99b514b8f2

SHA256
55dab4a9e44d6705d67917a0fe2b9e6f3c6ec868b46e6c774e73b5ab5852b9ca

SHA512
ff6325cdb1051e7c4acdc47968d513a67159395f67092f3a0ab20999c944bc1c5e0e6ef4c47142d56d1c92b8b6441295d7613ddd7fe9532aa88268aa031dba24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3955693f18a7ac0e07c79c8f13eaa15b

SHA1
d48079894ec59d1bb5ba187bd6cfa2cc9618c4da

SHA256
dba7ff90d8a0e74f0b7d275deb4622afbf1fceed623dede81f497fb262dcf79b

SHA512
15e94903a56b8ee39eb3d8c52c746e75d651d4105ec384dff6d95c5785ef0adbdf083ab01ff07009a84531fdf28f81f6d7b593938d6656dd4a02383bdb03cb48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
85736c380d0f8f2591fdf9918b1a3ba6

SHA1
6bb544407b1c3d7a9254e2d17a1e38f21eeb8e4d

SHA256
168068feebac035b5a51b674730e316c4f17f8e2a5d6d9a1f45701c7d03c64ea

SHA512
655ee483f5ea50517faecb6bc08af691eb8e2110d8dc9a17dd11f663e4d5318ec9be59674062bff37fc315b05f8738c685737f14acc8ffbec689ce9ca25e5302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
aee17955d59f0e1611ed68d89f28c5a1

SHA1
d17603464b4b5a348947fedd15589fed38312441

SHA256
9f5dedbee39b27190b333c9e789a6db3ab20fc1a3175c240205c3e1f5009ddd6

SHA512
1cb64dcc54bf26ab8617e4c612d3c77fcfe77f1756d16cb4aabf37e6ec9d41b31d53b877f67495bc962e00b75e17840577f7262e5e1b2fe87559f0c8973952ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e72b5fe62982d85990f72fe835670802

SHA1
25d42898e11ef4a03a350048688d8c3bb80d4fed

SHA256
3a5872500efa534418774e968d8c5c40835f16062471c4d14fe929b5139d5cec

SHA512
9a3fc745a759e34494c657ec1c6abe7e2eee01dc85a77b04035e01ed40236b931fe1cf52c022e73e902e11179dffe860686aa4d39d57b5a56385c1643dd946ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
94f4dd20e7d2ea617ced27fbd2b10f12

SHA1
37453618243a31e019c37358e3fb07e420ef4a87

SHA256
8fec4861e81815e71fb8ac119c2dca98ab4925afc6a9e2760824b76c90250e7d

SHA512
a7e4ca1eb82df200a481e2c7fe6484752c96c9b10428bb04206d6b4aba0ab9c35e28fbada8d68b0a9e59788d80966fddf54dd580149671603e66f4ff1eb237fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0e54f1562c89926af9259f279369ea3f

SHA1
5c68bae2e2e67c93fce3dd75a096673c492219b1

SHA256
06c92d1b90946f5084dd18e0bedd580f75841a3db5f80574630ed8b8acce2da6

SHA512
fa67c06dbc0387cbf90be8f4b34fed02123bf4305a52b515aa4efce0edfa1364b6e0e1a5acfcf1bed5ba676c5393faea3b7f848dc4ced51408f159b2a95ccaea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
908ccca98b9f4289c878e76d1ca5b859

SHA1
951e815fcb734792ffaf2351da2f150dfbdded20

SHA256
9b843e7711618276823af472d4bc8add26a462eba6678e398818617310cbb033

SHA512
a99df5fc0e476309281025330685b62de1f240f96055b8971115c0861d24722d8cc5940a7f4886b23cfac2c98e7fdaa01e0a16b5407031d916e099689dcfb043

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
636c7a149959db3ee51eaac01ccc739e

SHA1
a05c81ec120a5908095406d2c5f759f756c28416

SHA256
3487a0a5e14bfe9cb548498276fbc0877d50f1b7eb3029476a4c703803626656

SHA512
dd5bf6e9ff2dc99aec43512566976a5afc294510e66f26d78c6bf14e3e6f4baf18f203cad8a07628cd22a1652339ba3e4ed3c06f7df763f520eaee310caa37e3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8b877fffef6d09f790c76b8a2141a2d4

SHA1
e38d5de9448d30071a8bb332ddc6710992f0bed1

SHA256
bbfa427af5342555cca00ec505509868a06d8ef7eecbf93a3ac3d3141fc0c082

SHA512
4cb758fa6053773fb748f847e95288035a9aae01b945de39ba8aaeb7cd2f439f94886b9fed4c7513f9f90cbe4c4600669ccbb5f5b581e777d9cf05c962493bd0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e084e3e42eae14215c0af152c9a35f39

SHA1
786e81e2f38b891f69ef71e0243c6f6ddfe5b852

SHA256
9aa3b8e1682525a79ec3cba17cf6a5db257b87570cc6a7f74bc0c14c980b865d

SHA512
805efb2649a9c13ebfd0981f4e13c4b5988feaf0d2a2f2d34b8ab8be977a722de1d3d38ffb1405644f5ce246c330852bf7c906cd65ba97cb11124dcd20a65b34

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a47f603524c909434c78ec78d06e8d14

SHA1
8a5b940e85b1e3836de1ec867470da96a657a7d8

SHA256
4aa72e41b0f29874683f82e652daa1d4c462ba66510da4f627c41584299c3e8c

SHA512
901609ac70c1894bcdd3eabe0959f32c56a905f5b6f652c8527b9dfb16e98ae02d6f672f5250687f49375e13bb0280d259e5179b0d5615f491925bfe5ff11196

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b7ecccfd0c0b71ea81694e97d06bb4bf

SHA1
8d8f09ef204e34fb35facd84fa6412d15dc2dfae

SHA256
eadb713a4f7bc2495ed5bc4d2f5b425e611050140b086f37fbfa3b10bb98fef9

SHA512
576bc31c5c4e89789d5b2c69a92108bcd26adc56faf3681d7479e666e9a2342d917250a9a89cd3a8f83ab87acddd6e51169790591b0760f599a4f25c341790f2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
247385f1af15f6bf2f165cefcb9f04dc

SHA1
3623663bb1f81fd5a992f9c3730346a1aff215f1

SHA256
92a8a902efdd94ef09434e0139fcf988eda82c0ebd099c7572f5698ab59070b0

SHA512
d53693de67a87f257b5d39bf30be4d93157fc31424a0443c0f3584d64f9385a14d694c5e39f5944f325696d3d5c5ab3519a7376fa9e3e675e53f990b5903e515

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
590c52f46434201e508b20c0eab3755a

SHA1
12dd013178cae15d9bcf2d3309dfbb2fd1001ce0

SHA256
5d1e4fe253ed3e495cf08b1936088c445a8e7b3c2023e8a68c7174360575b147

SHA512
1ab3889bd68fe45b049f5481b6a5f444e6c96ec0c3f6f76f5982a5f6c01eee2493ccb8b6ee9f87a5b30f2d1a80794d9e8e922c156fa6da5960984ff96b751be3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5d6c196f455375e4e577df3377125b8d

SHA1
4656fe80f05141c2429eeed4682a6b284f5181d3

SHA256
2a86abdee481c945f2daaf0ad0dced33a7a506cffb98092aff6cc1a0a24000d5

SHA512
473247f95f79e8da034295916f025c9798c7a34ea8e03e788d9ace0be3d8db77d62b4025ffeaa5fdcd46084a589be497b9798ccaa9c99b387fb63c584c0c7abd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e91f3329f5b8c084392fdaa07b452c48

SHA1
09722013fd9ae0b65aed92ef5e581720e16130c0

SHA256
4b47fb00e61eba719174bb99aa70860c634286d2414f1cedd20d3d8c963f99ae

SHA512
cf5155c4348e4ac5561c27f0f66747dc1c517d81ffaedaefdf49083b2186e3396ccf1de209917c53efa87b7414995ff4cc89959795c7dcdfba2079af8eeccd43

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
978f81a3bd16907029485086b43d2af2

SHA1
e001e86162e9f659de97ccb12f1870a114044324

SHA256
8489fa077443c27f36d659c4fa17c8e6ab00ceba7c9a6ffd7b260b047352b496

SHA512
018efcfc4a833ce4b795180ff32afa84ae2b5253e89f6836f118bfdba717fe678ba494962a8c684a0dbdb35d6da149be75feade7fb7bd0840a4050ee273985f2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f11afacdc389f1857d6cd6bf55e95e5f

SHA1
16b47fb626435b230298d24c4c90ee1a464a8af6

SHA256
e88fbb261a716351e1cc68942962e6aea70d46524ac4d22cbdcd69d253b8388c

SHA512
e16a6f58455acef8396310208720fba053f3ed1f0e45c06ffbfc5d131980fd42842a7872bfb562a309e4709f9b96384a0dfa8ac2f10fe50101493125a7c6da9c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6309680a050085be280be3cf4075c031

SHA1
97110979b20686b5ff0d4737e1107699e31ae0f4

SHA256
0fa26c1549e4c23ecf884d988c174e9848beac2ce0e7e3bdadf811c36ace29ca

SHA512
fa66362830baf19e54b8027edbadffc4febe5a9dbf8dae2ab7a007eaf2482d2eb7614028c04c4d87cfe70517e02035c876b7dec2a927f6bfc803c9ad519cf5fa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
effdc42b2d7741087f6d750607311805

SHA1
3ef352849cf0aebcae8a7489336cd472b14aa4ae

SHA256
faf464feb8d4bd384c1a3c87006090d05a9981eedcee4ebc637af1b95f407df0

SHA512
176480c6aa724df17d540793a36f38bb4acc3ad9e5cd507cf76941fac5c0108d81402215e45c0084d9627faaa847b104e32f298bdbf53a1aa8536c512bcfe90d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c5f6fc03c2887cb1f4a7739c9e40da6e

SHA1
9f9380f16d32ebbe1b83ef28970e10c70f8309b5

SHA256
e272b1d69326692bd26d85c44fa394100689e9e5871406bce0d9920ed6fbb66f

SHA512
f00514bacfbd54e2a656e6c46c084182638ef056eeb5a1300e7e585f7393bd4bbf20be865123e338ef1dadfb93abe40c0be5b3af3fd102da4cd8b1b87f0ea099

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
61e720d785c8df3e6bd4d15df6ab86b7

SHA1
5fd67879f09f73639d728eee20e1affdac4f8fb1

SHA256
bef12feef1fef8dcd533517a6b5224f3730e5f56aee0b15cbdea9e561193e5d6

SHA512
96886a60021109261a8eb705cee06e5138dc7708d887b3ef3a85cb16e0309e9ac2f7304526943312168668fe29538daea11e77d7d7b7ea287e634d4f50ca78f9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0f3cd6c0246a38e22aa3807c4611265e

SHA1
4b0dc8dbc536920344e3503daa81207055f454b6

SHA256
6e39403871b159562bb8eab0e8adcc8858ed563e29fc0d18928f667829c85267

SHA512
9de45fa94e0c90243cbbf9f0db45407bacf78b7a09ae54910a2873680e260bd880fdc176a7d7d3adf209fdf67272aa4e7d0ef81a8fe4c0b4315cce5cdc47571c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
a2acbc7252e02261aa4b3d4c416b68dc

SHA1
ea30951223ea39ffa43c8d1de34d80b597639d45

SHA256
90ee1a5223d8139b78a242817919c966e407ba5f13ab0b970332d0e6c75073fa

SHA512
ccf969bc312047bdb6674090ad26fffc2c22b3aba454d7548830e05fa7a49c3d795df3eef1f8532f49b6b56948885e892ec35ecee328373bb6d3e415baa8e183

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
af68c1d3643bd375f66b0b804fd485dd

SHA1
81ad04cf3f6c1e5f1a517587cfc731c24d7dbe95

SHA256
b67e90de9cf7034b90654c4250c6fdcba2f0c7445cdc2675358bc656147fa96d

SHA512
5032a73ccc0a6bd9714400176624d5298c84e34f62013bc53d4acc74d3fe4bb980872aabaed48b71ecaaf67fc48f998bf879b0c554cb1a9f92f1e767eb134818

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6dd9a6472ff0d92073123f97b43a6249

SHA1
2e3a353ca8242a984a53d26956d37be5a3af5b42

SHA256
caafb55c7fb9d5a0346e864fa84efa0290d4cd3511618b71f97dfb786f84bf51

SHA512
0c552ace4d45f3bfc207c9025d9751808532753d00e2a6d0f0962fb9443ffbcd6e95a95a6db8775ce7c9a1785acdcc81ceb8774c61df06ae17c991402ae9dcb7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1a41e5f81d1a0e1dc8f8b75a9e5fcebf

SHA1
c3487b9a42a67c3b00dc8d057165d220abdd8ca5

SHA256
000ff13c0fc0a6536c1cdc13bec7bc492f195d2676b4692082a0c02623ed3366

SHA512
6c6dbb6645cebb1c93eea6eeab53ae82338f80b158890901e7d651d683684c3d356cd6090e820e24efb7a15b637d148cdc2bcf5847886221e122faee548ec005

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1211fb59a8b5e076840cb5f121cf72fb

SHA1
f0bf64699ec85c0769f56e7db66f6ac225f5cb56

SHA256
c01067afec8a50fb919afabae3d26174fccdc79b56b2147ae12cfe416e8e629c

SHA512
388c009c28719b36ac081a0a6bea3c42a65004f28efe4273e46cea83669194801d9710b01f924141606e503b8efc858c3a446ce2188ad7c75ad464ad396acf05

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
45b95be6bb81e25d63d52dd9a03dee1a

SHA1
5171ec06e0855de04d58b11fc4a17002db9ebee5

SHA256
f771a60f93a8eed57206ccb361e16d559e1e54036645a03286a6ed411383ac7c

SHA512
636d284238fe6f79fdbb3d69f170f31173c307a4459f55fe531023dcb1f5f0ba78bfa8b05aa97844736316370fc762efb630f9aa3b01ecd5a1f85b469475633e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
ddfdfc468b06d30ff9089ae9fee57591

SHA1
b6039ec1546f65ea23362e4e5e376a2fd1880895

SHA256
29aaec933661682a9c90d65f59e832dc05964891b73a30843800debd0503cb2a

SHA512
46725515beba55b687965a16d562faf783fa74e3e72f15d37296a08799712efc0912c606b22a5a0973303405e71a0c40b8302086b27599d183c1526ee0ee5bde

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
82ba6445dff598538d50b037942e0cb3

SHA1
35c17f1fcd03f63dca71ec5b60294b7a74cea6b6

SHA256
cba0ec1b3324bb95bd4c702ec7a4b47175a849896b455b7b4120be0a55cc52cb

SHA512
6045d0eb5281573427bb28ed36a2f10bf5fbcdf3f6a1f470891963f4b28f7c7874390b3c4197034b048d7f0afe4c69d42749cb10e004abba4b81ebbe9c0f4131

Download Submit
memory/716-589-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/716-197-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/856-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/856-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/916-155-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/916-445-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/924-202-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/924-89-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/924-90-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1096-597-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1096-253-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1400-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1400-576-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1604-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1680-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-582-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1680-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1836-595-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1836-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1840-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1840-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1924-0-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/1924-112-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/1924-7-0x0000000002570000-0x00000000025D7000-memory.dmp

Filesize
412KB

Download
memory/1924-6-0x0000000002570000-0x00000000025D7000-memory.dmp

Filesize
412KB

Download
memory/1924-1-0x0000000002570000-0x00000000025D7000-memory.dmp

Filesize
412KB

Download
memory/2044-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2044-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2044-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2044-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2240-71-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2240-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2240-80-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2240-84-0x00000000016A0000-0x0000000001700000-memory.dmp

Filesize
384KB

Download
memory/2240-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2544-12-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2544-127-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2544-21-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/2544-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2816-252-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2816-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3320-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3320-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3320-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3396-240-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3396-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3924-188-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3924-588-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3980-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3980-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3980-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-77-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/3980-44-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/3980-38-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/3980-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4160-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4160-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4440-217-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4440-113-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4660-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4660-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4660-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4660-128-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download