36df2f7402059356f8a810e6bcfb542a89bc13692d38d4e728c944362c21945e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Size

1.8MB
MD5

947b6a7a6af5ad950b6f47f0f5fcd39b
SHA1

2e92c8d71992df5fb87fac5420de39cbccb7f5a8
SHA256

36df2f7402059356f8a810e6bcfb542a89bc13692d38d4e728c944362c21945e
SHA512

471c63858f9b69f3cd1e0e1c83e96ad71e91c41aa9f66d293bc53ce71d178997c8deb32378000400d7cde8ebe3bf13a8cb139ac8faa18a17ed72a05ce6dcc73a
SSDEEP

49152:FE19+ApwXk1QE1RzsEQPaxHNZ/snji6attJM:m93wXmoKREnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3688	alg.exe
2580	DiagnosticsHub.StandardCollector.Service.exe
1980	fxssvc.exe
1820	elevation_service.exe
3696	elevation_service.exe
3924	maintenanceservice.exe
3316	msdtc.exe
4604	OSE.EXE
3440	PerceptionSimulationService.exe
4908	perfhost.exe
3400	locator.exe
4384	SensorDataService.exe
4884	snmptrap.exe
2512	spectrum.exe
1272	ssh-agent.exe
1268	TieringEngineService.exe
460	AgentService.exe
4452	vds.exe
400	vssvc.exe
1228	wbengine.exe
4856	WmiApSrv.exe
4496	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cbe6f6f24a48edc7.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d449d35d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000852ec835d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb299e34d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003168e235d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac023d36d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc69c335d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001591ca35d1a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5205835d1a6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4485f35d1a6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeAuditPrivilege	1980	fxssvc.exe
Token: SeRestorePrivilege	1268	TieringEngineService.exe
Token: SeManageVolumePrivilege	1268	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	460	AgentService.exe
Token: SeBackupPrivilege	400	vssvc.exe
Token: SeRestorePrivilege	400	vssvc.exe
Token: SeAuditPrivilege	400	vssvc.exe
Token: SeBackupPrivilege	1228	wbengine.exe
Token: SeRestorePrivilege	1228	wbengine.exe
Token: SeSecurityPrivilege	1228	wbengine.exe
Token: 33	4496	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4496	SearchIndexer.exe
Token: SeDebugPrivilege	1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeDebugPrivilege	1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeDebugPrivilege	1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeDebugPrivilege	1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeDebugPrivilege	1852	2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
Token: SeDebugPrivilege	3688	alg.exe
Token: SeDebugPrivilege	3688	alg.exe
Token: SeDebugPrivilege	3688	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 4376	4496	SearchIndexer.exe	113
PID 4496 wrote to memory of 4376	4496	SearchIndexer.exe	113
PID 4496 wrote to memory of 4540	4496	SearchIndexer.exe	114
PID 4496 wrote to memory of 4540	4496	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-15_947b6a7a6af5ad950b6f47f0f5fcd39b_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2512

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4376
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
db5494554ddfd92b1e46aed63260b25b

SHA1
8c3aeab7ff0382e3cbc3509ae8f37c4acb8ff39f

SHA256
5f0245bacec13c7473614ed371f446d9c8a3f049e802d128c719c92c243d96fc

SHA512
bc0a67058e0ab6f48290d6e4abadb3f5079361638e27e674df8130356d53fe98ab15df43dc0c4d3c96979532fdad588cbc6077db3565b92c9bbc783314565e60

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e7440f84c2e61d3744d2f9c5306a1a7c

SHA1
1733b77f0b63a827508791bb69406cb486c9d1ba

SHA256
e846b83d22da62d52eb822653fac5e27f7a8d16c62f8219c54785b8c4de7a3ce

SHA512
c5a21df5beb28904233cd98782b3a6fade1ff5b6c3bd07771030d4cda1732b5b690411a19893217beaebc26434e9cb9d5c65d31eba2153aed72c61598dc48d3c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9d9325e37b15725e3ebd9c6d5a190eb9

SHA1
853939b2cd0e017072ba859693bfe301c8ac836a

SHA256
366cfa90cbf60f59545167128f4981caeb2b852d76c4fb33ed90362df0d26231

SHA512
d24cc234f117ced84f7ec2e68cb4d622c5eb90213ddf53d7e3bae22e4304b85378c4be4341223f47d1144360b8ec19694bbc053dc150b37688ee94cc545a7b24

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
32711c11a0271d03ceae8ab0bda5ef9b

SHA1
6a3efb18d60eb234400e9ba9afc0c1f2d9f35dbe

SHA256
481a5344b969719745a855f660079e8a9c4c5d24d261a3e35632eb3ea51ff93f

SHA512
74979782b85597080cb99620a81445b5dceab428cd277a367eb80ab5849e89a13bbd757f99a03316644b8e082c60624edadd6b5b6e04396eb7b245dcf7c5e6eb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cc0da874e733b53d2e774fcdb68a4236

SHA1
a3ab2b5e2f22da1539b6b8db1e3b0b0642214f38

SHA256
8dcf7d2d8e6667ba032c2aac2fa4d3726d702bae17bf467f6a99f39009731d70

SHA512
6e8653692bdf6ca6644c2349cb70b73de722dd08e713efb66d87c51bcc84b640493e27374ec8da2bede5382db01c51fd82d116a8bc5927885244ef2931335624

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
57b27f4eceb7c77915c8ae797a2d0b9f

SHA1
2af175dbee26d0f226e303f1840400eb913ea410

SHA256
b916793da25c1ee46abceae1909efabad2f6f0fb062a04462af8e5f3f1f5785a

SHA512
8bfc0b3b9801df5337fc2bb2f99e53e797233b534388de15faec3016979967681898ca16e7786ce14a3caca2e0bd2fb7f151aa469422f9b3e61dc4403aae1bf3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a01b49b231ea2ec1f2501f4f6ce2ed87

SHA1
f913e32ec553d030777cd1ad6ab2864be4490f48

SHA256
ce13491d714829a3fcd7b1e496fb9142d372e0e2604e335e401fcb99d00dea51

SHA512
ed9c3a980ae637e3134c45f7f71926a2609f2f33c67f5c3863fc04432e879bcdbea48298cadbdfb20440bba31523badd1d6e47dcadaec3ee922243beb8200193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
175fe66bee1d232fd96441b7cfd5b686

SHA1
1808647e2ce347f032beeda418c6f4208b8fbd04

SHA256
2f3398a914dfe96347b3bf8a6866cdf9d645fc792f68d63c9b527c98cb1b6369

SHA512
d9418af183729590438df168d1eb74900d3581ff4055b54643a8148e2e0c97e6927e1d683d391889da6918c9c1cde0a23a0fee1032b8f9d854d1d1ae57eb0b40

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9b9f2f497e2377ff2d6946ce56f6405c

SHA1
a96c81e0f3f533042e6bd11def574193be905fe4

SHA256
52f71feaf733732d2905a38d82dbf5dae206dae3da0b4575fefa9c4b0757701a

SHA512
3ae7524a3279b099aaa68737662bbb5fc2bd7d2cf93ba177a1e8a8867d8c6dd760b0366bfb22b7360ea073078d8c4dcbd501169ac85202c776e578e00b7e6ebd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5c105238a02243046268862b260d73e8

SHA1
ba287cf7260140d07a54d1c587f9d046cd6b6f25

SHA256
f90a390540a4ab026bb756780040425056fda17734b7e5a6bd79fe6f081643e5

SHA512
338d7b6adf5417020f11eaa117ab0ec8626a5245c8c6bd68f7b74405a43f3c2df54018fbe0d10d2e1b9e004310808526aa52b96a1b3826a141405fa187ef07ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
855b561592c5dddacb920b6a360d5920

SHA1
19c34995ea493c364f43176e5b631f9b9522a3fd

SHA256
d2ec298369a4841c07f65700b58747797e0bfecab497d0239d38c6dabcef05a4

SHA512
3c423d0dcf8ad12c706a31257d537485c115b5d189186e5a5e8d50ee43c9948db9c1cc0055da6241b0a1842420abbf9330b96b44e68e9fbfa1673498b3093209

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
35452d70c981ddb09af82eb9b727306f

SHA1
88e03145a2ce876bd92e6c8cdc5609f21d989341

SHA256
509e634abead5531794eb20085da1e10627be692345c30b4c005c3700ddfa28f

SHA512
96641ce272ead7b95b87374db3967879505c31692bdabff5c0ff162c769188ba82156dfbe598f73b716d82000ba739b8050baa090c4bfa9e21ac0549fd10b68e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e4b10816c5153d5fc47a05871e64b4d3

SHA1
50bb9d52f8961e253534f1201e6d683701a02493

SHA256
51716f27385a40872f112a5dcf7b792e16454eb54afe57ce708bf19860f91c63

SHA512
250af237a16de0adb97e9af6adfe93b2eb5ee9f172250c15c688dd9df940c1a57829142059de763c61a423dec22691c89780996e7bfe4cc945cf50295b4ea147

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ccb04cae3f46fab1368651020de98e9f

SHA1
04531d8e3e41399c0a5d5c098aca501766bb5e2f

SHA256
87d471b6d679aefbb77d52094a2defaa121b5b8b894325fb36f70050bdf4b94e

SHA512
f481e699e1f9b4eefa5141e263f52b1ae123e06f12f4f18c1e0dad5627158fbd45e4067c3b598319fa58e9aba4fb1a21de030eee8428e2401a91cb8506cc7e7d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a296724d66f432fdd6bd758fc00bce1e

SHA1
c2bee5e5312044b14ea004d728a48589b5aa30f2

SHA256
2e9507069173cb1ed0b80f051f9c8bcea06e90d88480ed3c4142992baa74339b

SHA512
6977b1b8f3928942924ea4003a270ac2dcfda6d56ac767a551a51a5da7fce09cf9eab56b4e27c961bbf46ce0b9380530f9e6cefd55b722bb8878fc1feede48ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fec1d8efeb963972c6593f195db3a6c7

SHA1
be562b1ad6855d5eb43d7c6b0a680e500de1a003

SHA256
1fc986b45816d9bdaa25a80f83df44fd484c418edfd50818fb47310209b51f9a

SHA512
d6d1f1894a54d2e472fe9ce1be852d55fbeba347603815f00b19186010d83d81e92bc36bff131786ca293da690b50c035c8b8a9da18c6587354121cb524cb9f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ee1f8fe98ba1c81283239664848072ed

SHA1
f25124e6649b998b7e79fc4cbc4b332c3de10d71

SHA256
de5691f24e1b0b6439249807637bd893a692acd4c30fcbff64305b921631be8d

SHA512
16eca742baf0dbcf6a10ffe781898baac7cc38361b48fdb4bdde0e914d65a41b5f605539464cab3c975d1af3ecb9709b16bccbf520a8cdd37c17ac1481560faf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4e3a5e2534c48719ac69b6f661a78542

SHA1
74795d431dfe27c042dee032b2f77a89ac8850f0

SHA256
f63757bd1dce8c4312648212b98105eb2c00c7aae363517ccffff0da03cba797

SHA512
26cd6e5e8b213347ab9031e07c5450bac88bdcd4faf037deec583a221608387b811e5e35c8860a07a41b48ec288468217df151b950704bf9e8e67297be7ee27c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e01958ae8f959b40ff08e76447000ef9

SHA1
0d01bfd3aab1585fedd6115a7dc9b171a233289e

SHA256
990d9559f8663cf0265c2f627c8d922f6abd8fa376b04336ca123f7c5396eb5d

SHA512
209b5aab8d125bdf6c148603658768c653b4c55eb832628aec60a06d39be7bd53bee1fbd086dadf27ff7c0eb641dc17d146fd91382e2f222ef7c91ec890cbf70

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f22dc29772b53bbffef0a37ccd73e6c5

SHA1
77e77545ef250ace338a3d63709e27d1796ca512

SHA256
091bf97e1b6f9c798e2fa98c368afdaf4d88f23dcb8046b5513201fa0c7f4361

SHA512
589c7c4929bf83cf0fca141de889be90b4eb002a4ecaadfba511193235808026fdbe50173e646f7a499711d0d7e5146f1140abcd51491a40abb5a165d2d7ad24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
cd5bbe48859b3452775c1f8270f94405

SHA1
b9467427ab5ea84c54e38828397b98d28c506159

SHA256
b1ba1b0d7eba19773cc8a1cadecfc01b1fc23d716ba62d33176de11dd0086cb3

SHA512
33382710dcf586e4675cb4849dec841cf9f4fe81f89c304343db965e115ba52ac788f962b23b0f7e4bd722ab22cb27a2c4a8e6199efa3a4476c59e75d0456728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7b188d372edb2878a5ef6421a789339d

SHA1
b485a74412e98b14e17f2b5d7a718c24582652a1

SHA256
dc8b475d3107e54f0b288905af2c8f9595067b2044cff29c1e0b829145cc3349

SHA512
2df227579dbf32fc5457a5bbada21fe48a4e580cb2e60f1662bbde9b2d498d1fd46a0933d279478c17aa4febf673e2d00bdd1223c63448aa794f8d6b4a9ce520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e461becffd2ebaed4e231b7568be10ad

SHA1
13dc3c8e01b879133786992f587f1a39e770a850

SHA256
53a94ebbe52f1aeedd466ac4ee3289f6f07ce00d9b31abafdb134840916866bf

SHA512
b62636e7ae454f3adcc4b737a05bd84f73a7c4ad8fba2ff367d8c8c2d795f9060abad04600a32e1f1bdccc9ec2ec335ce54c121d6709d5fd43d088e34adccdc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fcd1cd932e62d5e86abeacbb0aae5426

SHA1
49c57fe06a7bb6567647e423915f9bb8e3ef57e0

SHA256
af213e2a409522a11cffc8f53c606e4411e8ba3471da2bb3f23954a5a674f935

SHA512
2d939a4bf38d12cf71a2ca6b4906b3d8b4767d4f14eab7253133bdd654baa4a2a7e4b18e314ce2656b59281944831e537024542a0b269ea644d9a653c577831b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
61d90beb3cc38c28b0f5cbbd7a6af442

SHA1
08da5a60a4a6dee4024984a8ed1a5d5d2cd49220

SHA256
536e371e1bc28960bdd496bdbb49bf401110f39dbfd219c195bd45c34e4d41b2

SHA512
1ee92871f30ca74e9d6df116166f5fd00a834c416d256891b0ff37263eeff86b0613798d3e09eb5bfc3cac1217a32f8b28045ed911f1f593bcaa5e1d404583a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1440dec39f447ad36697c4f99a4254d4

SHA1
c6a7cf7939e4b0474fe83540ee6ada8d81276237

SHA256
55ef84edde0746ae6292e0364306912e657fe2f2e3ff3a10af19f1e2e8c847f5

SHA512
fb679fc0789491ee6b68872810ad733e2ff56a5f4b8d3ca397ccacb98d22430618612f665e6b8a036877c5d9655b4940de010990a5df542dd3df01b582481dc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
054819ba30ea775a9c887e28fc1c32ee

SHA1
0186a846a6d51b19feb8ccf0452123d9d8abd4f0

SHA256
b2b5eaa0f35c58a62bba822412f4f3062ff534872764736d04a68b53f5d9cc48

SHA512
39e92be0ff57ef2ddd638228f7e254335f3fa889a67a27570bc0974e2c7e1538dc38ab546f64bcd3899045a6804bf622e25541c0b3330df82118e68c94aa3737

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
02e39243398bf327995482fe02530b10

SHA1
76c354d155acbcfb3520c2cffa5a81ec1630a78b

SHA256
f5529403ccc6426353341c18a07629407242557baf21737e610e3f41337df3d2

SHA512
92a6ac23b5889c8b83f9de7fa22d7008e66e6aede55a9972d6cfc77e2b217283ebac47546af39d14670e455ef2bf57d92ce87aa73b4fe3d95511277dcba3c77f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fbf47ce7113f3540752e100b77552c66

SHA1
b8fd57e7191b7d3f247b5a411398d8aa9baab012

SHA256
e73570dd453b55cc394c62ba36d2214453d5ad9fbe6be59ca6ec8e74190ccf80

SHA512
bb97664df02344d4e81524195ee89a5b1e5e4a5c109b30292cdfa47c43135fb4de46f33959f14dae9db8582d9335635f7acc7b39288fd282ac832be983ed363a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c7b310e3dfa77ba6a2625b59c89eada9

SHA1
378a899392cbd47324d1ca9ed1c8e55bb38bc1eb

SHA256
2995fd9eabda2d5dd1dd2deed9a37f569209a248c7f07d973b954135aadf4375

SHA512
939998f4487829bb8cbb7f32a00c66840123bc681908ee5561b3b022372f8a9394d18742fe0daf1ecb1cb1fce94b4521f19b57973e0e6a422f2736b478a4508e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7cdf742108b2ed91a7d196209da1edca

SHA1
c2b68d0876f336b00e645a365722a583f35a5b50

SHA256
d13433cc91406c36621b0394c50dd3b1290459f68ecd58f5a5f6f2900e269326

SHA512
7e8839ec2a3eb9579c8234232e346d9b64d3b571f8abbf784a8ae4718bbc4d4a9d1763a017a442ba7a98c75dce6da6f121cce41fba9832ac24c526fae349ef69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d870a69cdd928489fab8fc8fd95ae15a

SHA1
baf1dc69b24cf444f00f4a49908ce692513b5f63

SHA256
bc3acc69692f938144f56df8de9a00446d723b2af4e0b841375fbd7e66c6aa0d

SHA512
6ce3e0cafb146807a93e512ebbdc68577c964c0de017ce5611286d284640e83c622634f65ff8262fccd78302c1e50be7dac59bb31b94695de21292d5c88b1dae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f1c6aa86fcfc6c39fc13f6d857f00459

SHA1
3ff70ad0e290872536a383f5b96fa90885f6f90f

SHA256
4e4eace4c51d15dde300c09195b02489c885c39376646e95d84e4184bb6d3601

SHA512
6042db809b9cf56f50ef1c5a156d9c6a6d1b7aa5409590f3589013a77830c0bf92dd2a8efe24dfe1487a60d0588a81a3b5d97301eebfdca2a42e5a00dcdd5d45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7ff5c6eed79a6d789a309e2e6ba8c4b0

SHA1
35317f24d186f9766e25d35eca1c02f3ebae5787

SHA256
45682b075fdaefaea2e02a2e430df2814ed60aa54981995f30d072f2dc1214a0

SHA512
a8764010d0e86b36dfb6a3172b2f5089e987ac62316626dc73c516a6dc0eb5e0359a6f188800c8fb4ef6adfdaaa12b527340f293be3b9ed5faf8b84fbe5cb140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
60455b0d17e9adfc0b19700a2812dde4

SHA1
96f8e5888eb8d79e0e29660a7f38672580592c12

SHA256
132b0f30667ff80101309ef8ca7f488355d9dd416063aea13d34e5bb07c904ca

SHA512
f1769fe9b6b98b48e240139eb0c9522daa166068fd85231ed154e41b4142b77ff7386c56bc529372fe9daa364492971a30adae93c55174181a48eda2ce71586f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
baf9a2533b34669c77f26501aeb08531

SHA1
344ecdde5253bb3b860f548490b716227ef75ee8

SHA256
77b7268ed7636dd9c4aeda1a20c0b9b245aabab7c1e1848dd969eefe4f0bcd83

SHA512
ca01f89fdcb1c6905918bfb0906630fe5896b94eea2ef5843e04a167c0f4d8cc520391c0664f3d667be47415a5cb0f7ebc8985ed36f4d6a9db94408c4f0e722a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f6c116a92cd5a7e4141af80720ae6ed4

SHA1
e6e02783df7d2a2ac5a28d54f71b43b4a26b97cf

SHA256
ab3ad07eb6498d8055c67607b00369e76e272edb997f2def3b94ef432d1c3685

SHA512
57e919da186fd838cc97c29a845261a70159f54b63c6b847f315891cf959e48893a0bf7ceeaf193a538f1fb4ed88bc0c0d674400d9b2f69afc7c0caa7e011dd5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
32b0f3ff4b63c5a7bb15c6e2a68b56d0

SHA1
7d115abf41387daf4b12bba0e65bf27167d48685

SHA256
d74c914f898f523631a9c92f14242e001f2f89c84697e64d54fa08ecc94a81a7

SHA512
95cfe1aadc00a0502684cd8e7377528e657829596b53c27d5ba4b3cedeb9b3e48723ebaa00ca4f66ae940bd3fc021514638db41a86859b56b744b9f86d50f4f2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
52c348116f2c444f49506f52607b62eb

SHA1
c030e1bd06748af3120cb3520eb35747307115d1

SHA256
53427bbcfcb2eaaa2ab0eff4d1cede473967234a2f1afce37d1164e21b3588ba

SHA512
867a4224678338696e62817a19ca59dc17e9256855648daaf20a5084a2151e16b19399b39c45d8356e71fd485a019e4fad6f2dca73577e0d22ea97b3996ee57d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
98539f2c42474c5b15423c39ed73cd56

SHA1
26fd44718ccd5fc556b99b43679cc0dea3528c58

SHA256
580dd4b3b54cfc94365946d7b235b5377614bf2260ab2ef886179a84c4896a87

SHA512
a456dec07845d05d617921822e457d4b221c3541cf24fbe5304bc010df767bcaadf1e172fdc0bdb890a07c93121109ef22f5bf1923af2d80ae715cf071a20549

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
97d7f973c842556ebb65167473276394

SHA1
5d48bd6f99ccfc1182de022a9bae476bd22ca021

SHA256
e4d0e5d95fd3e5885ea4cd5569025e5e8fb77b307dd84644bb17f30e99d767a2

SHA512
4ba60df767b1da440d15d6e123eb3ce912b2ff99a76bd3c4d23322e004b29e5194e23270c7a18ec19f0827c42bcc46b69ce8fe394524531f4d8e331fb3c75a77

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1f2238f138ed6440d614d004d4978035

SHA1
af2f2869bfccad5d495a64410764291479bae6dc

SHA256
5ff24be598a8662c38b1b522fd2ef65520d986831ac5da92f69369e2e88894e7

SHA512
5e35d9a268603e0b33b12078a643c97d75ee0c125ebf63f735ccfd0de53bba1da7f8db9f0f6f49dea3b0a8818dedcef312c1e1dbd72fbcce2a054886e939eb68

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
dc7e050e595a1b8f1e0c829483b40da9

SHA1
3f6888d9524744add43c2454d059d4cc55aeaea0

SHA256
61989fc888580ed16a0a98c66357449cfba8a592411dca0152c9590e0abce870

SHA512
2a5b88bf9bad24bc4f3d40f144506de1258dc755f316d50dddcd4b5bfe646865b80da138da8a90527b00b065e0d1cf54868123e21713ea43abe9c0bb1458f3c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ca82fff08093dc5f23689925f5f86f31

SHA1
cbccc2196df94c987f79d5cd548e7bb2a7c0c5f9

SHA256
3e88f768e7671e048acd37be614c3814418240a644c0cb68e77d4454867b4c3e

SHA512
1400f93d4e05fba9e7cd37ae83ed646990d26b4a7355c6d4094157b9378f20ae426726329f1cbfc5e4940e3baac10af953a68e0943e1a963f442313ae422f4a8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0e6a9f8b92b6a96939a88461c6768259

SHA1
aee2919a14701d95af6dfa7a58b8a8ab18341b8e

SHA256
36d49b9a119683d149271c98bb203881baf47d9b364eca3b6f07947cd94e77d4

SHA512
b8b90ec2bac0b8a7b74fa93f76896caaf8d607748d7bba5dacac35c49913e955793a27822b0ac3cb79cea88f5a46075615b5b14a82b1e722a1c4b7d6c60ca5b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f7e27af42a4002440fa44e59fa9b245f

SHA1
4e5bc69992b12750380705a84e67847826bc5546

SHA256
cde81929d5bc603a7155e158c050b728a5ad25e834e899dbbcd82802e10a4cc9

SHA512
fc860e9f9a8a8f26d157d734c5f01f87899dce7fefd886582e292f2cc2a0586925f43f4b21d90883820258d5873845d0dc32e0ef576a5af5e09d3b9b08d744f2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ca273cae86c79ca56315cdd78004441

SHA1
9862a77c6706aab353fd802c901ff5d4ec499601

SHA256
0e05114394c4aee09d7d7cc720bc352dc9b28c09f0eceab593385c4a59f601c3

SHA512
4bfa8e805349355e58ff99093dfb42a5d81fb5810cac8e95ecea353ce370125a8394d3a801b925f5245d860a592d48ae4ca630ff184fe9bc14f1d555cf8bb132

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5dc2ab2eb4ec7331769cb5fe0b127b3d

SHA1
80bc52a3bf7ee974c9d73009c0e4930d11b24d5f

SHA256
391903231ecf76b59620db81f4535c1ed92a3cae74869415bfe1dfd7d552a5ef

SHA512
374f182816629192dba6f81f7e29b406bb52b6e968fcfa9edbee524c1b2d15fcde8ffb2b37f7627c8267ae3f012590f99ad841b3e54e5fcb07ea04f9f7526ae0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b2524e66bec6f76b128f9639db870bcd

SHA1
4c1c550533ecb1da23e2cf6576ef759aa77b6c75

SHA256
ec8d946b1c0a9b9a94ae84528f110da720facb6b23eb804634b0faf4d56b05c8

SHA512
d3a69592dd7b3fb6d70d54785fd1ae505267a0b05d4aaae249ad672babe137729e727b8c1d6e15ef652819d9cb74efe32f856bd70968cd3a767ffaf6eba93a1b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a7ea0d5c25f75d2f9e4a6e487e004674

SHA1
bb373e7d05b6fb6ac5cc15d286d2af9d0be9ebfe

SHA256
6c348aea26c0def192c7d26cfbcccaac864774ad1149c8a29b6e2f4822696756

SHA512
2580c90423ca488843c6b9ffe4a308ca073c261477b3b3f3d1a9aba1e338fc3a7058c864011040bacd0a329bc2e72532cc61636fb67e0a33f8f153f17e1cc958

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2118a70ecb1d756a74f1225077aade60

SHA1
e55ae0ab457e3500d94648caf05ddcf6bcbd1342

SHA256
ccbb34984aa01fef1dba57b4b0a01eac4576c848d010316d1706c5cc283a0a3b

SHA512
6a3c99e3bdff9ba103d9ffbe6f6889e4f7153104e0cc6c8d0d21dc024a883bec67b308ef5b6b64426a19c38c73c358327d9e65289ae9b957805943ce9614c73e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b2a11ef95d3bf6cae54dc55b2ddd1cf3

SHA1
df1736914a84c831acdf3ae2fb5ed42a929403d3

SHA256
c7d35324e23b2f9d44787c1910c9ca65741a0f16fa6c8477def96a637f685b6c

SHA512
0494e1a4bee476173cb32d09da291e8fc2eb2fadc48256fd7520ef831d841f6ff3d668a54a520385358e5fd7ce0ac92e8955fb3af7211f56e37c66d633d73282

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0195f0ec0359e6c0525b936af2a132f0

SHA1
03624a6813e6b55d00bcfab6f622777d07503815

SHA256
561d588c2710c6e753f21dbe8ae9a84942587aa739493c8cf7f09fc41d5902c9

SHA512
2dc70d186c076e021453f20fc930ec6abb0e7e583050f7b0357556c676fa3409bc876062660f64ca47eb8288571b1dfb9a9541c9d83afc3240a8e707ab87a165

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7e4ee90badb1271491793848c0e788ae

SHA1
b10b21fc52f4e5916175bef208b21cb4d6ab6bc1

SHA256
bcb1a94110362c47d0cce4b0e077f2eefad59c3bca65875286ebfc8b09bba832

SHA512
d62d8bdd85700c27bc09f16cc638c01f2d4ddaf201c48333323a8e914490b4f5227fd67a985d32ea464f677b776e8b3a726127d486f379accf124940e4c4736f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
001c176aa39645f5d842c4066cb73855

SHA1
b9ecaa7b2903b6f04937b6b097d83a632f0ed9cf

SHA256
739d77623e69d3e158fde5803381e5153d8739d9edc4ee1990a211d81ccdaabd

SHA512
f14551636f691944437834064b955b61d533b1854a517838998aa9906ee02ac78bd248383ed5112effbcfaac61e434a75195f777eb1c55eb1f5dff580c0caf13

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1032b5dc7505281a253363685e40f020

SHA1
3ffd4ed5d107fee8a315524df3635c42441f4389

SHA256
aea83a95e5d1c9f440c948660bde238babd145b2aeb357e161dc0d4840aa2218

SHA512
b2ed1dfc66c920775628c79cca2ca12abf533cd7e2dc3d0049b8892d9db80e32da97378e6254ba90f70411cf727428d32995cca3e6e8e60f794aeeeefb07d18b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
db764365f8e112f76939f1e77e5e86df

SHA1
5a8c40461fd487fe0ffe89a906bf502903b8914c

SHA256
55217a67fc4c8b727f468f2050a99d9c2e6b72db94c150033bfd6baf059934fa

SHA512
9ed50df0f36333d28cd3288885bf1cceb51bafb549ffe9ff19f1f215af78475ac9ac43a23fd1fb0ce95e225e41a42dbf4c5edad25047f78b7fe0686654ea6e35

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6320bfc3f859c6b0d4f6ca49eb7dd8b4

SHA1
64bc4a9f8370758a4fd421fc2d28595adb85e383

SHA256
a244343e3bac7da4a0ff9126338d42dc7202998a0c417ddd843dc798e603317a

SHA512
26d6a747857fd5f50948956bcc721f0d65e0713cc2777dda23070390a4e611ba1de10c1243d9ad95cdaddefb9f090e9b8117dc5f775f50b40b0cd32f7144d58a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4c3579d198f64605d4c63c02edbc3112

SHA1
58d5044690742c4520b768eb9074f8ad39e2dbf3

SHA256
b08825a47f3c940421309ebaa903005b31ce99084a026a76fd13c64487664a47

SHA512
f30e59857c0bbf99180f2f1fb09d8535dcfd16f48d0376d45f5c0eb1ac040497bfdf306f19f7d2ebeefc87dc3f7f7ff50dd8a06c8473423a027aeabdf46b1d5c

Download Submit
memory/400-569-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/400-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/460-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/460-234-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1228-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1228-572-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1268-566-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1268-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1272-562-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1272-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1820-50-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1820-56-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1820-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1820-182-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1852-75-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1852-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1852-1-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/1852-8-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/1980-47-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1980-39-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1980-60-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1980-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1980-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2512-476-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2512-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2580-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2580-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2580-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2580-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2580-139-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3316-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3316-218-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3400-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3400-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3440-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3440-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3688-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3688-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3688-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3688-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3696-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3696-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3696-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3696-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3924-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3924-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3924-83-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3924-87-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3924-77-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4384-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4384-565-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4452-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4452-568-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4496-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4496-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4604-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4604-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4856-574-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4856-270-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4884-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4884-453-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4908-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4908-255-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download