b573bdac124fc6a2515e8c7d91d7f768cf11b6f2921e417ed057cde992743e75

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Size

1.8MB
MD5

f04b69960844ae8bbec6ac8db4ca09fe
SHA1

32281803aff44c2c27507f1a3702ed5be1e47435
SHA256

b573bdac124fc6a2515e8c7d91d7f768cf11b6f2921e417ed057cde992743e75
SHA512

26c38f4e659e85ba760b0bb25383694570a411d9dd34209e8d54905e1532301f20729f0fa0aa1b56ef485977e201748310f49f17314091705f219841c648a4a6
SSDEEP

49152:aE19+ApwXk1QE1RzsEQPaxHNraB0zj0yjoB2:/93wXmoKeB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3752	alg.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
3248	fxssvc.exe
1564	elevation_service.exe
2532	elevation_service.exe
2384	maintenanceservice.exe
4560	msdtc.exe
3356	OSE.EXE
1220	PerceptionSimulationService.exe
2316	perfhost.exe
4852	locator.exe
1524	SensorDataService.exe
4472	snmptrap.exe
3844	spectrum.exe
1600	ssh-agent.exe
1668	TieringEngineService.exe
4016	AgentService.exe
2052	vds.exe
3944	vssvc.exe
2080	wbengine.exe
1700	WmiApSrv.exe
4008	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e160efaabb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004560bd8739b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079d82f8839b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024d6d28739b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000671ef8739b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d1f3e8839b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Token: SeAuditPrivilege	3248	fxssvc.exe
Token: SeRestorePrivilege	1668	TieringEngineService.exe
Token: SeManageVolumePrivilege	1668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4016	AgentService.exe
Token: SeBackupPrivilege	3944	vssvc.exe
Token: SeRestorePrivilege	3944	vssvc.exe
Token: SeAuditPrivilege	3944	vssvc.exe
Token: SeBackupPrivilege	2080	wbengine.exe
Token: SeRestorePrivilege	2080	wbengine.exe
Token: SeSecurityPrivilege	2080	wbengine.exe
Token: 33	4008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4008	SearchIndexer.exe
Token: SeDebugPrivilege	640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Token: SeDebugPrivilege	640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Token: SeDebugPrivilege	640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Token: SeDebugPrivilege	640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Token: SeDebugPrivilege	640	2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
Token: SeDebugPrivilege	3752	alg.exe
Token: SeDebugPrivilege	3752	alg.exe
Token: SeDebugPrivilege	3752	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2060	4008	SearchIndexer.exe	113
PID 4008 wrote to memory of 2060	4008	SearchIndexer.exe	113
PID 4008 wrote to memory of 3812	4008	SearchIndexer.exe	114
PID 4008 wrote to memory of 3812	4008	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_f04b69960844ae8bbec6ac8db4ca09fe_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5036

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3844

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2060
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
51bba864c7887e9d5113f51d27f7439b

SHA1
5981685d80addf6ce2277ed751ca63f6cc4c6702

SHA256
376e1d76ea7317e6f166c738f068507febc5f1f19a9fa4c87ed14412c79dae2d

SHA512
19bcdf5ffcc44fe556590c69dd41a0710bcf297ade565a350a4c16dce57522ca021b67e08b71f4e56f6eca573859c69fcfd75af59cc9c1801982d11bac3547f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
6cd6bbaca49ea45c187db7797bd2b47d

SHA1
80c25667aa424ad79f5205e9b0104696094b5063

SHA256
5b07364876dc2b9efe3b211b6ceb86ebcdfaf694b71750f707fa767011394e99

SHA512
2364c97a3902b8ee9f2f877afadcaf638ee2370967bc0e5f0c22b317cf933dae3874d1567bd73ab665cf25c87983914bd36af60ee885781ab0de4aae7df2b427

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1a4244cc883217e6ac62ba0d7c6a7fbc

SHA1
2d47334e3dd05fd946e5de014d52ade6e8fa868a

SHA256
c074e2588bbe066492a2e37e579324e1e5b61f4cec2f8402f61d7b9b95c9f0e5

SHA512
f5ea46b8749cb10f09ddfcba159d427e2b3ea154cd782027c076e2b53f880beb3ad5e2a5de27f1f181a5dd1d3e000061059acb6da1ab38eaa1fe950bb3eb521e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
11039965344b701c012d2352f5dcaf3c

SHA1
a8a5e80837bcbe99a1043861afaf47c886577578

SHA256
02c69e8b5c989bb548cf87c33572e9c6c66748bfd5687baad732b952d59408ac

SHA512
57b9fa3d9246f8a4993cabc3e81ccf6426ae9891f9bccf8e551421851aad498e7db3287320801b9375596abf25f689312a5442ec5e2813b1b8319d6f4adae11a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3a76c8437148f566b83de8ce66a734ca

SHA1
8a2cff84577a140214551760d3c3a719a23419c3

SHA256
42c0a87768f42dbdaae289f3b746ef3ae955ac728c8dbded1eba85aa5eec32ce

SHA512
1e8c977014a400df6b9f609a37f93e01f265187f3cccedf661caf323d677b8c90dce23a4197b26f02d2e3ff27ccf5964167b12c71829b8df2648088ebd47aea3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b577e2b4f6159469d270a4c44b0e8884

SHA1
fdfc461ebaa9d7792f6d4cb988ede6963db9d926

SHA256
7bae8aaaee5ab2d61d32292515f255876ec40b736a8f26be5a1ef352aa2b73ec

SHA512
910d134beed531bb027909c4fbb607ab34d6d8396b36c68ac30d88533a858677b7e43c0b16c52e3f5b52a342f53153aef2551ff0705d22904595809c95103bee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2181c6147de12cbb9193e80ab18dce0c

SHA1
6a4b72ddde50974dff0570a89161ee22ad5dccfd

SHA256
9d281819a19e38fa32897cf024cee5945488f2cab00e7cf9c4721222f55e8737

SHA512
fa7c926e6c11a2dea258cf4a3574ce7fbf33c64ea31109f866733141c7a0a0d6ddbddef4fd1a18389f498f5106823a0a2d03b914caad0bba4e043ed4745e8aa2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
caf20fbc6a3e4df58080ec384c98bd5a

SHA1
38c963efb779fd5ee8b24e1d460f1fba5819c143

SHA256
e574ed2569f198400fab3e1331f2cdc763ebf2c6352ce404fdb9fcc5c34371f1

SHA512
e9e0654fd518045281db3c61e05c55dac590b6b2f5d5a292a31bf190ce55cad38ba6db4a432ccf915b682eb58a14567513cd9dc1b234043e8caca92969e11458

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5584652cd226ce1b0369ca27ec58dafe

SHA1
ef47754a1f76106c61ec7a5744713ff973ccce13

SHA256
368ff49595091c39dd16e7771768e15be30692e4174f48cecf6a7ae2a54812ec

SHA512
4166b8473628fa2f725e579e6244b4927032cdbc8c4ea38084ce5f6647827c689c690a7d0e56badaae21127d2edd749852ea8961327349216aa4f4abffcc7e14

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
428532f5fe8b660f4a76c96e5168c4ed

SHA1
1c41ca29cd2ded52077e77cce7d94d2c2dd8fc9d

SHA256
d0111061fb829f1eca5e0fcfb9244b249c0a1ddfd7b194c5a3433dba8b0415b0

SHA512
528338858986a84a375cd699c30308816c2e3331c9f6de5435f18221060b6a27c800d71f808a0597a812ba86c2f7918a94bb513fcd9524b0eda29d4331dd3908

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
73d729db3b9f4b3a9f318a19b5c78e12

SHA1
eda09c25ce698a409c990d7f936a76b484846499

SHA256
ba4c2feb0452d10b95c389b951cf2a525b3ddf2b1ebe233c808007388b6311ec

SHA512
a2293936ebd957bd1bdbecfe340c7666997c21ad23b83e08d80c8a32dbddedba6187984d81c35447a18a8c3b56a027141b606ab4dc46e40a158c80521b9c5424

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6cd36fc4939ce02eca47fe795d2d77ba

SHA1
8cd8b5e1d5eb556e3868fea32ac6dcb75e594d7d

SHA256
ee3a88defe15cb3a1be5491ecb81229fefd995485f0032d49801d81e83f4ff46

SHA512
ee12b5a44cd3ed4913356548e2cfbaa769bf5bb3a664385fde9869ece0f3d9617e47dbaf780265dc7d2c3b242517889d2bbf4f1107bf5a4899201d582ac0cfdc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e3032dc5fefc3c9f49e8422738d17d80

SHA1
7fc8ed988e95011120342c0de13b76f861f73763

SHA256
9a14ee4e5836a9e44fa1776aa5f387ab03f9a63f09f5d2a5ad5c0a2592fb0e7e

SHA512
b3f7e4e5929a3464dd21ff73abfc5913d6f497eafeaebc62b9d8f4d928b614190e08e322f8ca55ded33086048f04189214e9a7ccf8529a99a131fc44cce1bc67

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
457d7c640dc52c1116832ae94d387d1d

SHA1
9fcc0062e7b3a5c19d79e150251229447eef717c

SHA256
b26a9b1dde94accb037465a518af55ef7b2226a8fb945c136dcdbbc4fa9d2bd2

SHA512
1899abf102201fb4ab3f9131b6786493766ee0f5530e74c974efd3d8dcaa5f006143c4c80dfbfe72154edf6d83848e3b84ae210448d474a8c5998895a6a241ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1507ba9554f91b6921f870aa2556b6f8

SHA1
2b0a868224a4ff778ee0c487a6b5037b0eff2461

SHA256
a669ccca0fb391086bdfa33c4029a778585b0a12ea676af810cb0887a8f0735c

SHA512
0bc83b40500787499d0e658304563f263fe82cbefecc83d25f0af63c60b50fee2694d47825a6abc923976ce727a1c48506f8b796394610536d85e2999fbda234

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
433c42a7aa3d1e71a16c6bedd3a5e5d2

SHA1
44f0e438b875ce263f376d82dfc280a1d35f5f8d

SHA256
8384c9bcd8870788b48f24a5b6d5699fdaef9f48bb768c2b1443b8e42cbcfbb5

SHA512
b47de0939112e1f725d0fbb56a1e6e1005bad3eb01606d98679006592e815d6303b77689a3ace0aeb8867b64481839a13c2b1ecdc37352ea662ac7e14e668eab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
40599f59bb0c8d1bae17ee6cb0efcb27

SHA1
a55545126209fcb08cbae543ef1d3a96274b5825

SHA256
79d48b9c6addded3a2362c3cd055351d58f9afa804fc616a605ffdecea4a8977

SHA512
db6aaca15e1e9959dd5628c0c843923cca9c3bf38f77074ec5b3ed035571fdca63971065c0ff4d8fb3afd59eaeb48ed459dbd7b355133e166816079ecbf02b2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e1f59c5f47d80a46bb52261543b5aea8

SHA1
3db08bd080138c82c47f489291ad04eedb465162

SHA256
d0d753fbbf92fb4c4ce2ebd4756fbe3bd71803802e14055c2a3c19877f8ce66c

SHA512
1cf9627833a8352eed1ca34133d5c6632072b7c2ce90b37744023a7a27574e51f66978fa85ff28ebaa19367c5f542dc29b13bca190cf036baba573045b31e284

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f7574f2e0d838821278336139cbb252d

SHA1
d709ec2c446142ddd178404d364d330c095416a2

SHA256
f42e2f61df459b072b59181c48abaf590217e5c8419ae75cec27e13079ed1669

SHA512
191a44225cbb206fe4be523ee266ef02403b9ac925a8b2660a1e72dc07c2b3c995f2ea87ad5fa58d41e86bbf88f73341b67b642ecf2d84ab7a72d11841bb66a9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1ca257267a1e29b1d503f46b80736cfe

SHA1
ff177f9ad47adc64a7a695cb8ed820526e575c65

SHA256
3466130f498651d8bc44f67ae41b0e530d0a9628c406ce7786fcef07010ac78f

SHA512
66b86b1562affd14af4eaa198bd8c672fd8f269fd7f8b0b56074d607d6682dcf81d6a198317f343b4662af333c1771ef66637007ddf2652e69f80cb98655a975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
066e0cb6e4b69d8924d77b2f49888c8f

SHA1
1d6935c7f551df94efcdb97a6e84673a745aa480

SHA256
723d036942d5437b569b485c570a3be345768c67e4fb9211f0a6c29bbbdd21db

SHA512
d2c1757aa39159709ba04095b83b912381794860160d7d87f9a46ef5b8195d7ef97501f581c47732ac1cef2afed8d0b64ea852c80720fa44f4f3bbdaa528b5aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
50bddf195fd7898c8209e0aff4704d17

SHA1
a1bdf5986cbe2a2077101e30ceb138e0a98e4a7b

SHA256
845d09ff73eae94e10dd048b2e62ea34e3d0c8df31db8de3eea234310871e6d7

SHA512
e35c6212dfffed06a964856ee6f36011896f750de8c1e7090fc70eafadea7367e1c0f5147a0cdd9db0298811ed6c827174606d57ebbce5ceb4d19231650b99ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d00bebf6e72ae528cc5bff3a839eb891

SHA1
c9818e4b7557d388bf1e2d9d4fff31456b043bb1

SHA256
83a471a4242fe8b79dd0eeac0103d5dcc3a7120f7fb035432c3cc71be789dc2c

SHA512
c3498f095519a8fa19cdd6f82db859cf44fdcf7a9f2a0f513e5430f4fee9756187419d009befaefdced99d87379c3b0be6f5b2afb431b3e897f5361e75da88ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ce118c82ee8119ab60829983f0649dde

SHA1
91c0c21e16fabaa556c2f7c3f91529deac47366f

SHA256
f55a941f1db07c8eb9509b3e4c7097d57b2a399c425b5960a62cbe5f1e170194

SHA512
981b8b60ee40feb460ea55d20dd5c16f1612160a23bb0a827303224268c3744453f7772d2615671c2fc93340c48740c18009f2db28a427f6f952d0130de7669c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
11d848a56be4cedfc471dcf74dd56fd9

SHA1
a8823b1f7885334fab6fb5c1faded3400726ebe3

SHA256
a30334c8b9752cdc70510512c88e5dd0ef9d40191f78e0cf1cc325d3a3badcc2

SHA512
ebcfd2ac772f3dd5ef434298a4d7a32c1f00f242717f924d78946654bedbef34739bafd8de62b00315cdb8b826188dde4a655c214afa168d708223e2de3febcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d5650f6cb5f6b0283c423f958dee5fc3

SHA1
4092986b5da5773b5eb0b0231fdd2a7b3eae0822

SHA256
d324190b0cde7acd78641a637afd33e7e750faa44e6ed5dd9bcc84c3e74669b2

SHA512
27994d87241b07a89d029392696f0268b8b187f80a2f672d8e743fa21e85883035970727dc8b13519ace94adc180becc8c58129b0175ced60083889cc6d352e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6edf31e16ddc58823a9ea563084d521b

SHA1
c61a380b45011a41e1eb1f8af55b000bc22d0d1b

SHA256
6a79f71142caa3174ead20fd4ec3c4cb958aa948d05aaba4a8dfdd675dea963d

SHA512
f51ab2d795709ec5ca8d9d8ca79b9a26419f03ae385d1a79a17248189f81eb62ef0d778ae7933d3ff0d3ebad6811679985caa2a42faa83af2831929a3374b857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
116ab2dacc1a564f2aaa37cc29f3c92c

SHA1
4660940b552065193fc019fe6b3f0102ecc1bc84

SHA256
97d8ed2334b1fb1d608cda22d7076db0dd979dc53730b304f0a1b27f95c2a362

SHA512
021586198af9e101c4775d4f9330479afd6d27bfcafa76b250c0d88268b9541ddf5d0a4d0d14bd9d9e1295ecb5432f470371a9326e6d384c5c5aae8e182532e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
db8d683aedc9e0a2fb9fb92de92959c7

SHA1
29f10d196bc9542b1ca0c53ab9034ef81db12c12

SHA256
db325874f28b5bc90d6bbe5e85958a18a1df2726d613489d12c6c89158acb99d

SHA512
300274681622ee33ed8e976c1f864dacf7d0c1b9f33bd795346b8468262b7809447e09e61aa9c87692c93970c33acd7dd5763a388f0b8d9e1be75728a17e70ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c9e52569b3ddc5be2af455e597ee5a69

SHA1
3b43d8773bceeccfc233862d840bc5f5fa1de055

SHA256
14a37d0d23d14744d2f3a0d1264f03751bcc975590a79dbec3386db931225047

SHA512
ded4e5c713d43332b158db8fb74c3d67577cf4b7868dad6f9814cae01f9b2254d39748ea776e51b3ee910f4ba2e77984c484c58351e55a98748140b7cc6cfd72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1b2b603a199dac90a934e3b1dcd6d8a5

SHA1
9f45cc119dca5e52f48eeb028eb6c5a4c60a681e

SHA256
d4aedac5a69a53902868deddc466283c133240f0fb49cb3c0933eb44311c423c

SHA512
1867896c0f11061310c42e2f72aca383eef187f8316a65872cd452408db09bde861ad444bb37f04afde71212cb63a083a18c7b8cfdd40a6845796d552eb4b6d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e270745ebf19064c8eb65741dbc6696e

SHA1
5c91dae4cb8c122734857f02732924229e117342

SHA256
4fb24abef4ec31c9ccea09f5e8236be9e918d6f61953fdd37bbac663f6747102

SHA512
ca58283cd8e2ee25a0f1f070f19b7cd6bd564ac4d7fd634a086172e6ce218a2a3102147683ac07699db0f4856a5638d31626b3c03f2ead57dac44a42cb83501c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b9bb252bfc1225cdb3eebe80d710db5a

SHA1
a7eed4da6a7b3d223da44e88514fb1660fcb5497

SHA256
70d53694b9fbdef49d8ba43a719e04a8110bf9141af9251b49d1912d7d0fa5c3

SHA512
de18eb343261d443450d60aaa92ca14defde7ff9337b90dccae5b3763425127005afe6c40e13a4efcc3384d21e3d5924fdb1d4b35614b77f6d90ad4fb173398b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dd8c89af06aebe24a63b62bddb284430

SHA1
f11b8144f363eb36ae98c260b0ef58b8adb73fd3

SHA256
7b649fd47f1e9e49794de0ca6ee1a143bb8d1b4df8638a115b8153506153426d

SHA512
b287715d60ecb82fa64905e83e2fef14c5a37297d550f1dd440b5b4e51c9a6ed4cf5b772cfee7cecb9f5f42a4dab2533af0361fa819e9f36232a0e8f1f6148c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
963f98721e5624cc5b4db9d646ef704d

SHA1
9012de163959f1d59bb792380513f49c4d6a1886

SHA256
ce072d8ed6905da1cf5295e379c10f45e8e707b8fabb19b7fc64077544c9e9c0

SHA512
e1c75c61127085e38c91c2f7f735398a024053bc94c8c8bd4e74089b84caea3182b04a45a0135f120050acc03d0b0b90650ce3c07a1c8e8e628a50558bf7f098

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7a4e11bc82601e990b351b22231c9140

SHA1
fb09e45f0c0ff8ec5e2da39d7491462a569f3c3e

SHA256
09d073ca3265e9704f4b2a4f2cc9a9f31f15311132ab03a15befd2d14a589104

SHA512
e5e7737c9d706be569d68519e93f02fde7a07281673080b435015b72c52aaa64718349887826400b929253574fd1a165d75f5b2abea4e82bece50e3ae8daba64

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
619fcf60c11e7390c8b20150e2350ffc

SHA1
972f3bfa279525ef2630030198bdae284cfe39ef

SHA256
b526292fd4488a783203bffaa962b1687a3e084ad1cc6d8777141bebf3775c74

SHA512
3ae6ad70f19cd932b3b534b8b8227625e3df808d9331c3f0ceefeec30adbf6b21e485311ec97f45c3e0915962a834346c4d4a23e7cb51f8dbe055098ada84ff2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a0e08665d57a5a2d1c8546f7e4786ab4

SHA1
9d34fa4840c3af05e011d096679498e86799d1b2

SHA256
e7784e6ffdbf4adee232318ad891d99996de88a521a9d1324a20ef1c57c1fa11

SHA512
6f5865a558e6aa4bc551c7b130e47233ee94a480dafcb5558ae6ad27164dee7a7780a85b729e49221ce131a9efa5c4df5c0bc26b16a37affa8966ac2c8a8e944

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
26032b04fb89b865b820b021c7c39232

SHA1
7ae19dd9bcc43f9365deb56c76eb7426306d944c

SHA256
f0f093de3cdb19cf3dbb730edaca662495837297ec2ecc7bf27dbd22638bd6a2

SHA512
c727131b4e5b392846ef2b0bad9a1fd04036e3ed30d6a244902bb5e6da67207aa05fbebd5df5c61577115149fc23c10c8ae1a321257cf9d34efae0e22cd3f585

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4f89ac4ecbb1c4c1b34c852c5cbdfd5c

SHA1
4392e659342785f6c36b1a1c945fc859d6019577

SHA256
5aedf66149fd54b527b169fa0a4662a21895d334288599effd4545bab8494e36

SHA512
d20a0d3858daa67de65076afc5d9387afb4eb21c11f36a1bc715c3eadee93581a14349297f6fb553e2d769e97b2d8e32b634e9f108e1ae89cdb228027cfdc20a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
33f689f255755f8b90c627080e12f8ee

SHA1
02abadc3f1849c2eba4bb1a310c6348c06f3ae7d

SHA256
a46e70de1f081b168666b3789a1bfeca1e399fb485d50d0b761bdd0917f3365a

SHA512
da074c3aa4262436b328919668db3ae3ce23c4971fbf32d8a644903712af4988d01c8e341d07350b294d296108e0c6a638d5d0ac28cfa1f12d5e33cc4f24a07d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f1d2fe056748060a3be093c5df2be59b

SHA1
1baf985349967ca98b3dcda6bb0f318df741a0d7

SHA256
ceb3eed1e899ba37174053e3d308bff597594178289d1d4a0f7f9f20b43fc2d7

SHA512
00fcd0d74e58a4617af0437da1aa93d6651171ef757555136534871692d5217a141d7bf3d8159f3a3638c5da1665c39a3dd95838f7b34ee62ee79ceaf97eccb7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
291ab1d97ad1cd92a4803cbb58096a4b

SHA1
b06bc29c35204a87d77d25f16c5858a8a83bc834

SHA256
6e14466c17f7eb263dbd7588bbe92b8c3ccc4b9f603f6bd5902c797805f97254

SHA512
37f6f37c01391402ac0cb94d77c38344c324143660ba0bd1f9250a8906e30946d39a476e1702e1449368f34fa99f1b220afd8ac177dd9b22fab7ca4c9700fc40

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
aa21c7de057e6f6e4fe122fe911b42d5

SHA1
d14ba3e033e9fdb4fbd9d52fc5715ea4538d1af2

SHA256
30251c92b48f401d7c31348d647e44ca277a4e5a3bed56ce066d0044a4316996

SHA512
4147176c4e31c175355969f051edee7c9bccc1dedfb3467fa7f2e6ebe1c30750baca9ba4c9f5743fe8720f601f66da48d01b36ccbf3a48092b482f192c7a4db3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
968e694049e2779c42dd2d75d553762b

SHA1
8b105d8b184353642dc7f09c6eda12d85ed1e86f

SHA256
ed118a307706e5dd6277e5d945b83af37c2839071f38d585916639881e8cd44f

SHA512
6802b0dfc83eeecb0f8e0149ee47f87e02003e4b85b591368c10bfc0da4998c2be0ece6c075c67576f2ca2a78f71dbdfcdd63fc80c0561c4648c57f3a68605c3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9df8923a20e496c6f9d176da7f36d3df

SHA1
0d06c2efe68788e31696bceb084d941b8769cffe

SHA256
644e75b9c6d2772cd213d2b3a3db62e72b28743131009c392383cc67dd978aae

SHA512
c935202c1f8f4aeea05bbf0ecfe81d453c0f6270080d0a604594f0a3c912600d7a69d9052b86bad7c57039d355ff4aab3b70c8bc7c2d71cd6323a7929a4bb87f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5fb22eb19fed1333218b85f43d33d442

SHA1
0c0f20486f01668a1e3d6a4c0d974e084a4f1c63

SHA256
96fdc1aa0ca66b87ed43c3eac522196a1787337b89a4b299f16ae5e5727a0b35

SHA512
1ac706cc93b9e1cdef292e09103a5c2105fbc005bed813332897e80fb7e459863cec3d1e8434b26d19ee55d1590bad281d52c8e1eef803cd9ec1a2251290c132

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a42a3835ac9954741caae4653b6862e8

SHA1
412ebb7228eb7f8881617a5ee737d43c023e273a

SHA256
665720c86d9cd44d82d0e12a7ceed826fb9fe46a83bc60225357bf0193efded8

SHA512
0f2b29ecd2c0ab9c25ea00874d66fb7dae7c6dd6033e1d497227e31727b257d674cf5a07cc38282171a3668dd4a027f7a60d07ea1f567fbb9985d0ddfcae0dae

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
745016df555f516708075ad07c57faa4

SHA1
83d0ac20dd50eba8adfee11ba75c59b8fcc5be17

SHA256
4d6e759dcc5ad17f202e96a9a462fb7019e630a150fc785ec2feb3510230d1c6

SHA512
f05a65930e11fbb5d2614c831b2e295e3f73d2128a6145881c1d3d0d2920f3e2cc43c638e31e3cbe05b6aa96af34d3901e128368749727315ce03dec7583aa76

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
993b8f93ff45f69d500e3a926a566f67

SHA1
f741fa3c70080dcc185e4fae82de72a1ed0a9a58

SHA256
a961d208c98b119f214ebfc3882746a42ee10542b9d7cce88050bbb776ed1ca6

SHA512
864a3e23928d949cc1b8ae643e2ca3cb56a9f52c81826bf6dffaed60e6370af7105ab0567d64fcf38a7acf32adfe6c077d406fd312a8316ededba7753588b3a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2fa4050a6e190fe23ccc5d1b9f3ada39

SHA1
19ecdf9e10b746f45ad72049622d67b130a8397f

SHA256
43746978e5ab5f6ea126e0b1247e8b9cb2f24b3c611900dd71127842ed13ec69

SHA512
90761096d36a9f678dc44182a5d280a065e26e1822a5eeb8377a326e366165050cc6b28b3ca88eb911238d2b1a2c43b038cfdfb6d521e8a901ad7a343c216ab5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e2b0028d3f8fc37b3aa5688d83397b17

SHA1
80443eba9ebf67a8b801b0b7a3c5b4421d85c17b

SHA256
8344f9d66ea7793a89e15da7b12994dd4d1be9441e1133d8dbab940dfb7eadc7

SHA512
b0465d2881ed152a78903600f05602355f87c4407a1619c0cea89a6cc00ddd39d3a8443444ca5628e7762472094d5c985a9118fa5774493a2f31f67d1081e281

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2a685c8d4682e8188f15c191a5fa7a8a

SHA1
9f7393ba58dc9e61624e1554c98930b3c045f8cd

SHA256
7a7992aee5e666286b5195af46553d6c107cc1b2f4e1201024311b88b3b2cfc4

SHA512
079fb1df5ac8b366a1ad44c782e4fd0de71225f6a6a07b9da938bd9f59759912d61669c51d9f4ee6a30674e8796d007d41b207794669cf17dbe4b99746e5297b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6c7252e8f2650ab74f703340b0069765

SHA1
9920ec3ff22d12af9956f0f946fc36b4ecd31f80

SHA256
da8f08e8aad63da1de3964aff55f7211b7da24ba34d9f67cba23a747a2b17ee3

SHA512
f1fbbea21f7071083a0a97eeeab8d22dad4a48a01974e63b77f77a3b937a9af9b0d4df6af802c40e7764a55b87dc38d00e2d94d47fd94feb096569a4f4f830e6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5eef988ecbf752771c87791afb4c5c0d

SHA1
d8372d3779e14d370bf6cb8a1d2ad7bd26f7cb8e

SHA256
1c2621fb9a798c1adcdf481ec7edea0c5325a61dcb094e331261d2ecace6253a

SHA512
02eee08919d12d554d27fca2b98bc47365de9654cfac456fe4471aaed1c073843e76c31c20c4ff447bb4c7ce27f8c564acf5e60205350422930faa835d1d3192

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b6a98167144c48755f0d65a0c4b263be

SHA1
29df1ec4ac6261259bd73ae3f0c70591fe609325

SHA256
0e44215985307c891a5408d28b2a50b568b71f2e1f1a1aafc36944ded871e7f6

SHA512
02d107af665ada2027882816ae77983249cb18a851f56d5d5924234b62d3f940a24dc34c6e376805f3ce2e1e989ecfe3f055383e8d43f7eb366ebe608e40d8b0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
874a511e2982e9af2c929f21b3160555

SHA1
8fab5fb90bc8b53a12e74ae72a32a33de4d14754

SHA256
131f3452b59eef4f596d844a43df74754dedaadd6824bd711889e35ee8b91c28

SHA512
e9bacdd2ef594475c6f9ec10fbb6f4fea4c2a5f8257e41ede7313f8bff90dfd1b6dfeec96079193026614b4f4b0974f6f3cd8faa843d3062bf850f537959061d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5fdc16c1e590be64bee5eab76a9f97cb

SHA1
f476f0fcec3b7da394ea772bd6b3f0480bf7b5fe

SHA256
576a4bb2f880b5f63ddb89039bfdd37fb400d34452725ba1f5f88ebbe06d9776

SHA512
4a45d5790f488a4da6f9203e48281be39596a4ee01b88a1c8fb2e5e4760db25253d35fe2919b34d12c2024b8a4ec08159c525aad00e417cc1bb3f51aa94883f5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
23e6342277bcec4ee349767684bc80a9

SHA1
2867df29b0868e4df8f963171f89c4c7a5a12d96

SHA256
9b8e2dba2a33c2cf883c638ec5986c9981fcc9661691f4e7ffa32b150b5ceed3

SHA512
077af8b559ef0a9a3eea1228cf560be9d90f7c394893d16945cb7d89a2e63002c333e232f611d954c4349d75b7f5b61d25d093ff8f047a132758a72be2f6f69f

Download Submit
memory/640-1-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/640-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/640-6-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/640-73-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1220-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1524-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1524-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1524-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1564-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1564-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1564-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1564-177-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1600-470-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1600-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1668-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1668-472-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1700-250-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1700-642-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2052-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2052-511-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2080-638-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2080-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2316-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2316-237-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2384-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2384-75-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2384-85-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2384-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2384-81-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2532-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2532-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2532-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3248-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3248-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3248-43-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3248-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3248-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3356-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3752-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3752-11-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3752-20-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3752-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3844-461-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3844-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3944-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3944-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4008-262-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4008-643-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4016-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4016-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4204-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4204-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4204-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4204-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4472-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4472-427-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4560-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4560-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4852-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download