aefd3a1d99c445aa5978d3c9a7eb97b7118ea39df81d71267cfed74c720514be

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Size

1.8MB
MD5

80fbc3b952b987db95f8be0c82633d1d
SHA1

a81d66d9afd57c8627ccfae77af5a9011e8c0767
SHA256

aefd3a1d99c445aa5978d3c9a7eb97b7118ea39df81d71267cfed74c720514be
SHA512

e4359354107aa858a3feba578151dc632c63997430f71fefddf0b13e3fc51da4a3e83ec85b55636f969441741637e4575d508fb81daec4a46fb87b0e56d21765
SSDEEP

49152:uE19+ApwXk1QE1RzsEQPaxHNH5UbU62FAQ228QKl:T93wXmoKBqj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1552	alg.exe
2728	DiagnosticsHub.StandardCollector.Service.exe
1900	fxssvc.exe
2132	elevation_service.exe
2872	elevation_service.exe
4468	maintenanceservice.exe
2540	msdtc.exe
4888	OSE.EXE
1772	PerceptionSimulationService.exe
4812	perfhost.exe
1744	locator.exe
1520	SensorDataService.exe
4800	snmptrap.exe
1860	spectrum.exe
856	ssh-agent.exe
1196	TieringEngineService.exe
2212	AgentService.exe
3188	vds.exe
3120	vssvc.exe
4584	wbengine.exe
1444	WmiApSrv.exe
1512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bf6b29478beeeac9.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006903f67081b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040faaf7181b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb52047181b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e322f26f81b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075b4067181b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab80f77181b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000baee017181b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeAuditPrivilege	1900	fxssvc.exe
Token: SeRestorePrivilege	1196	TieringEngineService.exe
Token: SeManageVolumePrivilege	1196	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2212	AgentService.exe
Token: SeBackupPrivilege	3120	vssvc.exe
Token: SeRestorePrivilege	3120	vssvc.exe
Token: SeAuditPrivilege	3120	vssvc.exe
Token: SeBackupPrivilege	4584	wbengine.exe
Token: SeRestorePrivilege	4584	wbengine.exe
Token: SeSecurityPrivilege	4584	wbengine.exe
Token: 33	1512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1512	SearchIndexer.exe
Token: SeDebugPrivilege	2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeDebugPrivilege	2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeDebugPrivilege	2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeDebugPrivilege	2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeDebugPrivilege	2920	2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
Token: SeDebugPrivilege	1552	alg.exe
Token: SeDebugPrivilege	1552	alg.exe
Token: SeDebugPrivilege	1552	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1172	1512	SearchIndexer.exe	111
PID 1512 wrote to memory of 1172	1512	SearchIndexer.exe	111
PID 1512 wrote to memory of 2436	1512	SearchIndexer.exe	114
PID 1512 wrote to memory of 2436	1512	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_80fbc3b952b987db95f8be0c82633d1d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4964

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1520

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.8MB

MD5
3597017e53ade51fe6682a26577410bb

SHA1
fa0bf33983b5595c2d57e53ee84bc5e04afd66ff

SHA256
0d6bb1295580700cdf70826fa2bfb28cae0c30aaed71cf17fc307f2277ad1897

SHA512
fcbf9bc519836e3f9d81c8ce9236a2e886ee08275aeb5cfe7c7b2ef8c9c6d519e5350207d9a31cace85d900b5bb8c21f5f4703855dae9929df820b615699de03

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
95e777e1fac0254a92b0324c81a2d3ef

SHA1
e103e68a4b3b5f33e0dfe2677c931eb3e39c2734

SHA256
47e14c99b8f4e1635cd4d63b24e60b8a4c268943d95c296d9a31c909c5f17554

SHA512
192752ed930bf7e79d5bc9b6b29c5d289cdaffb6d0dfb762128c8c4b4718eb9e3f94c5927070d9381686c2e04fed312e77462785aa360fe28a9293e154987b77

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
fb1d5fac3a4e59da2d16d1e6555e8190

SHA1
c24ce1578f62bf584b23613db04ab525c2dcec63

SHA256
8343474e2b760a813c1af1ea03d80578b6f4d3ddcde9bc1552f75c5cefcc9ed7

SHA512
6a7d62c02e2d37dd8ee64066b6855a6978442a7da73cbe88002f726e72d3111c1a8687d4605b4c97657c46a17816b00fb8c2f7d10db4b51aa6834816c2da3ea0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
01bacb5d63130bf05f5d3447c64f50c9

SHA1
a34134df73154f48bf37a2566e2c2001ba541d42

SHA256
094ffc1506208567bdcf43ab1c753fda73e82c7e21b14a446d2120dcbfe30688

SHA512
4c0b79609ccf255892f20feb9a2ef5805491722b12d80373a70f096b1cfb75b10e29a3ee43e63205359f8375d6aadf676ab1569c0d3a0d6788705fd7633d3391

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
782a9515230dc2fe064592216a2bf4fd

SHA1
6b28550d30c4d0f6e5c6f992476ab0628534902b

SHA256
a922cadffde01224b0dedfe653b0007b92dcefe90f9a8555de034db37078b7f5

SHA512
194105e2a6faa8084f7f53507a61487ffb58f69f8c5def14a641698f9147723353384f5ad96b949ec79cdefa3093397539f3c2a69281740f4467a38c00237bfd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
69df0b937101adaf3e9f4f9dd00660d1

SHA1
526a9f42e560dc17a2b08e46ad1affcea71f4b4f

SHA256
0d7658c75c4c7cc6f39ef022057586a5c05652a8e9da44298900bc4bbb48a232

SHA512
e35a89e4af22e30ab33a1d484bdff8b85e487fdfb1b0dd5128d1db09b7671b1ecc5acf9e0118258d9480a7266c84f2c6dd37f78eaaeda30ab71759f177277d97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
146814c54a4e1345a83d3223436691c4

SHA1
8b42e277ca2152f0192f022ca4d089e663712f55

SHA256
072f874f016d7b1fda34cdac72d7e7064058f53cbf4c01fce727fe17a80ff192

SHA512
47b283d633b9961a3644ad2e9b4a915e8ebb893b1cbbb0e1638b493480796dc44c5b6897c470618ed6cf0ddec96569780752ace9b8d8bd5ae5bde302a14bab51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
66cab11f68b5874a91559fb2981d4300

SHA1
5f5f35bc4f1d0645acb463d79d127a9ba879906c

SHA256
a747b5d8ab3cca8543e9e018f7fd650308e4aab39c9d1414e18260e9cb390379

SHA512
3ba8fb7eacb60ea20c2d901765e6673c85bfe6d33de7499885c413af911e0b69f8cd18dc65d724143722ee9ab4e0f6489b29f69a731e821097bf2244038fec7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b9492b4242a099cbc1b0186c2a4cad94

SHA1
5fef90dc83522c5cc324c96c29535b826d2993b9

SHA256
7d536f436ce38363d7408e92214985403b652646c2e796a6186d54b496dede27

SHA512
885ba3453298912b5ffc9f8c57329f3dda7b931f8d36cf3a1b2c422c5fc68604addd39dd7797b7677dd145629d43bdeb632ebdeb88f8b5e3e27e9a567bf5d811

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
deaa9cf5c1f305f49d4c90b3ef2b01a9

SHA1
aed5c6c65c4c3b1a2394c403e0735009221315a2

SHA256
e9c27b2540b784fdc5c2e84ed2d69a4120e3a5e59dcb7cd6e79c10fc0d05c955

SHA512
1596f7d91f54df24b4c2181bcbb4dd26cabffdc7249dc7b1cd4dc32897c1341206a01c4887a5b8ea4ff2ccf099b0d58f3da63200e541f57dffdd577da2086ec3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b27e7bb47c07b376ed678f40e7429bb5

SHA1
07c3c76a1398191efe1a85729ed6e3aae17bbdf8

SHA256
c1eff588a0dea82593151a0d3711a9d4e6650142ca45b418401d0e2fb0f8ad81

SHA512
5b1b0a18cdde2810ecfe3edf1a1c0ec15871ff14480f5103462d40914e7c1a5544bc25e449b52da04cc50050db29da57535ff543b4430eb6b6ffa3d34cd5ea8c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
edbb356133bec34c25523e072db3c554

SHA1
570b6bf6613b5d35221db3de7ce133822c6aeaa0

SHA256
81dca7e774a83d5b86852a5d8058582f0bc8f3bb0f02c4b0db574f76d8a83c53

SHA512
39e3d5e4e9430a5f55e5a389467fc62aba207272edd7ab5726c62896e8941d193b7a3407d374af0ec5e13086ae7fa31907e63683565c3e4a32e6be05b0853ffe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ce50ae72c8eedeacb577349df9775b2d

SHA1
381cf6b415fa7933cc710e78bc2990a0404cb8e2

SHA256
95c9a4a42c5016c8bc6e3050d54fd8492e256f4227e868ca5bcc3e0264b764d6

SHA512
3a93ecd9c1eb98fe1139143ccfc7ba2b39a652de1728835c3f6d7de1f989929a8114733528c63761ba20b274b49b005af7bf343336e0c05e21da0bf627f322e4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
dac9134a7770073ec72318fdabceced7

SHA1
30e3afb818955757edecf0f578faaae41bc5a4de

SHA256
ae22787468d9efd9ce830885ed6a650dc7e011d8bbb707923d4e613f31f92522

SHA512
6e4dfc5b26395f1511c5d0292eaaf02df9f7b246ec2dad1d287b02e199290daf7ac0134474fcdee6ce215d776c79e75197e69345292ccd3d9c6631f709d98869

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2dab0c059323c4159d258cf3f3e661dd

SHA1
4e0f945ed6228633dd59d73e845efa3c72a58fd9

SHA256
94e995dda09654a63f85bb26f010ca50143a9d816274d5af74114d5f8e280b1a

SHA512
0b04397abafc0bd340fe2bf64ec9b397467ec561ebaef84252394bda24e2127542a5ff7fb8cc148bf3a86068256d3766b389e54f1f7c789dee92f0a10b7b01cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f209d88940df2ab63b8126d954c91625

SHA1
06833f403f374fbf213f18e9fbfe28cfd75824a7

SHA256
f7de8a87c3229e1cf83f2b301906121e35cdce0dbf69bdb31d3112641b41650b

SHA512
d19bb3432a8b712d824552156f01c564ff2cf0ac8edb0cf906e295029f68178d370faf7b913a2d446f893977850391ad5039d71c1187d158a4f38e9ba8d15c72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9b9c48a4b12d4c73462029ba6c674bcc

SHA1
45d4e2c1f698f1d65b74ef5689ff475df284afde

SHA256
74ba35b0dcde586e3072ab67b5b45db91a98cace12ec2e09713cd614f3ae3f21

SHA512
13746a6bf08786fbd62e2664890d2118b6e65e26da3933dce11667fc2486294bde159513c4120ea42e345286b076d8f489771f18831d86b4b4bc27a0bef54e38

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
792b6221126451c873f2981d3c0f28b5

SHA1
5d9963d81193bac7223bb64d0f07c063cf9df57f

SHA256
818ed12c4c962f9db91ca34615b6094734742e8513daf5fe8a996fd7b1318778

SHA512
22b483b4b0e1d47108232d57a7daf56fc58524bdfaf061210ddfb32233d90099d09c198f6a5d14fc5aea8d05a290603546d8f8ec10288313dc7cf2505e2bf69d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
89185460a49d37cbe51890808982302f

SHA1
35799c6cb5369fb157e46a2b507f11927f99c2cb

SHA256
c12be4f2ea580021d6aaea75082a2e7682381bf98de74ff86830dc2fef7ddc40

SHA512
ce2fecef1c6e27a46fd5df257dd164aa964ed198a1f34de42e5ac5365289af70ef5a3af72acc16ccc0c9ac0d7424815ab11b52c97f8e7764072ca0c4e2f012fa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f3225c0cae0294bac9924239d75ddce5

SHA1
f90757679e5412d9990030395a498816b0b6fa13

SHA256
920a136cd3590100b1f62e988e5b735db86887d08179f707e47436e9ca7c4893

SHA512
ef737f15ef5dc165e08a39b93ddae33f1f1767109ab82673196e36e8479b34f4d3ae79badfb5be39c06f83e361d4f721cc5cdcf7bf5521773244ea958289de63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8af12b93f3136c335429c7758b5cc310

SHA1
feb8109cb9c96a3f02af632f8e628d2245ec0cac

SHA256
a339d94b0fba48ae0d00639a7e23416ab38eb6959c878a5a113f246ef22b5290

SHA512
1d8ce9a6b919c408636da93568e58b3b1366a44a5f5191eb03dd046b1fb322374e41b3e6789ca640f04e6af3c4e78726effa6cca0cd152649a0ae80ff7cc1261

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
47c934c1577e39cb4b3bf3f721778470

SHA1
03a51cc9f1f194e93d4c3fdb00bd031d4d5690ca

SHA256
ada113f15739aa12f1e4f7bbd9815198442fa45eb81464f652cbfc10fbaf6499

SHA512
57f022b8c2d4fab297d031f8855a8004d6e9852a0930bd2066fe277dd999c4f529c86de317a633bb8a64e95aafc6f1d8e6674ddc6f2d0dfd7e5dca867c8ee525

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
56f9d738f557737ac02f39f311ae4734

SHA1
82ba7e53761335a9ca52ca77843e6d5f7580ab5e

SHA256
96618480c152ae80a4f662bffabd0020ff7317e16ecfc39ff89cb9553c64eb3c

SHA512
7bf0adb2f99a890c209e337005163555cdcc82c1ca955a6957438211c7ee894097bf5e4d1f6475adc551db15851ce3992dd140908a67f8b93f942a92e3e27482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
007303ee0a29b1c909c6d961d74cd47b

SHA1
77e4b4141e2e00b2c2fbf894f9beefcf09a255f2

SHA256
ca59ed6fa72b6cf598e839f1fa8f9cad5c67545f4f638eb0e2012275b4a2aca2

SHA512
3112906c79d0abe1d00c806f84a603593bbfe7d789c87c5c05621b609aa1554ce523af45a727b400c00a49cda310315ee0428d0f1f1e197698480f25e33fe099

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6e2b423d168d210b5ce94d55bddf3039

SHA1
8201cf9561d8866dfd8ff526c4afec0799a2d9a4

SHA256
8c0841350e54d266a275d899deca044a7efc3a0fc0dbf26b7896c6b15838a9ed

SHA512
c4672fe2ade396942b513695baf69c5186e7e5bcf34834a77deab0c74fbcc548415c9b32c14a8dfe4523d7e2a16c1c55377cb292dcd0fc17c07994efa689c559

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2e5b13aa177d76d7a8e3133933f98252

SHA1
427956e374b604e5eec44f16a882e45c121bcf54

SHA256
6a9064be63a47dcdb4490aeb144d731c83664a54424f12552f8e04058c384d6e

SHA512
3b2da0f97478d2419b3b669d609e15cc4be445c3e0f5ff90c6a148ffdc7f6431b5082763b6170c9cf23371cb70b34cedb053a30b2debb1537483c94639e0713d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b51c0ac2d87b954b96d71cc2f15b1a4d

SHA1
ec2b15417f50f1bddd059447fc4ab6cdddaa4378

SHA256
057606f7b48f5a6baf223f28703a418f863770f92426ff5be2be4595196c5ac2

SHA512
f816f05610459825cd9f192ef10df933123c0a80a4b000c0b2d11d40fcf74d52ccabe9d397080af24606077593fb8523d0c465366b7c7e58a5da59061fd6c0d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
bb697a34df685178f664bf990d8d5df7

SHA1
164ce4edcd4bb30f68bd7aadf57152d1187f0d35

SHA256
6c901ef53875c7bf2a8d540cd46b76db93b869206d324c68d1adf138842b25df

SHA512
bd1b0a478851c6e496223a8ccf542400005610febd37011ebaa2a1cc7a100d9952cc428a1f722f4dd8197ebbfd01be6aea49c210786feea5990185196b838965

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b02978ec838160224991c8f8e28507b8

SHA1
3ab4b73538100b9ea61eb86e20fb1ef2e47736d3

SHA256
3d6fc719844cd630a418b1227f378f04e67debb8020de68fc460f0c71352d3bc

SHA512
4ab6e8e6234a6ba776bfd47ba2dc1b89ec39fa4d8b673b3a40b469f42bfcff1a620f1ff8c9d8e3c881bb6f03271ecd64806192be303b14e38135d7af238ed29c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
aca25b6f64823ab69ec9b7c3256cc4b8

SHA1
82f589b91976c838c19a213749c88071bb8ca493

SHA256
ebdc5c38c23feb4c8876567a3616e4dfc7e3359ff875c3a644faf6f98b7e3445

SHA512
c17dbe6b91cd6be54e396384438ce4799e342a0c189f8bca7feec9f61e77558b8734f7fee4713cde3d38e043e6affa924b116afc03f42acdcddf54d13df8817c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
faf9cd2778af8cbeb98904cdfc5b9e1f

SHA1
70d68b8dd32872c00abc46ccf43aa2883c7e6c76

SHA256
56994f9b5a8d643e0e0b092013c7ef4df741a42b73afbc69f810916f4cdc1d9b

SHA512
ab7048f82bb0766243d81c51be0df87142c6d988afd516ef4be56be390aeccabfddb2f92db5e83bd25da621698588af3c48f33d34a12f305d263e9587f725c54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7564cae19848aafb17f857cd25238348

SHA1
a70ca1089853ccf79838d0194f4c5d7d8b581355

SHA256
292f803a93fd25dc103dec58ff0b5b2c809db16899e686bd896b4876de479801

SHA512
4312642780811fd1718ebab13352872c0a90535a710b1bc19f8dd5e9fb006188cdd7ce1df3cd2afb3347bfc2ffe2df9863e4d8ce531a99a7291fed82a12af908

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
73eabfab4edc4f05926aabf302560c35

SHA1
b038598783b8072a4fbbad796492307c5e38661e

SHA256
1b376f6102458674fb4c790c296a066c6e84282f23336b590d0f42cee3e7301b

SHA512
a306ca369bd61edbabca9b7880e023fb0df0153d9e01dd621db92fef57040cfcc52dea0eca511bafd4331ebc1f8355ced1f7a2b95c6beb360f46f258e7017499

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f4b2419cf8e4da812a10ada1306c5706

SHA1
d60512092af9bbab45a1711143b9819c1cebe2a0

SHA256
d1aa0939870fb64a97328716ab7480a999e83a3f9af8291d8d9e05963be0ca69

SHA512
b27ebc7de4e326c81c25e800ab799900f51d4bdac22028aa49ec90b7736a97e60b242f4e0e7fd5653bbc5465997478f18fa604b2a27fa6088abecf1c210a3ff3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
be3c9b995c10321a35b88321e3acec58

SHA1
d6e93b0c71730e2237efa0615e14435da3108a42

SHA256
b866553dc5ee5dcdd053975d14d98b64a4a4d4166ab9d75cbb885b8aa3f4bfd1

SHA512
05b019e36ab3c3877a670eeebefbb8cacc66fc7d1c22cfdb9e236f8490d1cc8aa45e8e4854e7af93396c708dafa98e638731a2541e2b2837456317237c61d0af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
df2be6932ed4b0458f3403218f5b3c66

SHA1
108e76d80e1ce78c95ec6b23c66ba2d3d825b62e

SHA256
e2f70fd4d953fa6d22ef702a17a59db4ce54d849bc7bcff19d240b9deafb8bca

SHA512
4c5b79336b2bf4ceb81707f0dd2d1f147c09877b6d21f47409bba28ba6e097f9e86cb2cb9bca6b770e9ff3849b724bc5969443b592af1e332d988a12d8e873a5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c2d569a95727206b6420a14fa5a22b1b

SHA1
82ea68863fb0c4ad0a06fcaf4ed3ef9933f4470a

SHA256
ef76075f2898f7ace6f5c17cee1cdea9cfc828aec0c4dd06676ae785832a00e3

SHA512
15d4e7f2e9167cdd12c1d9809133d925d9c4109e9115dc1bdac4ead070d7bb4642c2a3570ff2847b7a5582d9a4eace7de73dd90d2a06568379b9f192a6b9dc14

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d2c78be0a5a888cf9142d42eaf8bcb00

SHA1
c2ecde3e80abf9e5990a23fc82b9cf8d4dad1488

SHA256
2611bc3090bdfcaf196b3b1911bd862b4c8c84fe8a7585e229ad19b737f0f98f

SHA512
a8004b4ba9f39210ab6a4ac03bd2095fe0ef4adfc1a62ffa089426e4362f3967acad7c39a36e61ceb3601dbde8a504bc0fec4047118055886c107facbf42fa06

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
fd6f4debbc553f4db07a93c7b6109004

SHA1
b6afa4dd65714fc10cb6becd0bbbcaed0d91f8e2

SHA256
44ecbe0d6a157dd67cbf9dcacd9cb0064befeb4a29ade647e18811ee08630f3f

SHA512
01228b6f7a2a5b59489b98132bfe1d62eefefb1bfaf72586b298f7adeab8c2c032175955f5605d4cab1370e5e246ae8e2144a5676d28ee57f893aad7eefdb187

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7f54d59f7220a5cf5214379985b00546

SHA1
93d95d8066d8d13f3d4e331314a97f1b70d7a497

SHA256
2d67827e350fabbab3fdc19dc3c44f59026371e2e8da4fbe51c153f95591498b

SHA512
007f8e8c47a1b3175b32bc3cf52f753827051946010672dd64d31aba0c8d0a96d660e5e6ea59b8b2da03018ba5d5c3d16f902da8190c58d2da78ab0fc06aca9c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
38292ca004ee9c72fcaeea25d702167b

SHA1
9c647a18a3b008566a2185cc95534eeb39af134f

SHA256
976b4a13b659131255a7e36763e2570d97b59ee997a74491a0accef97a63bcf9

SHA512
93a1e4fe66c1ff1c1afc9659fac251ecac269abf1f3981966d35df41fca175190f6d391dcda15a6b20d3fa4d2c1e4635a0b2fd6d07cc770a1f2b3ee3c6cd5bf5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e1cbd8732ca37b318e6ce534e19f5eee

SHA1
03634e4009dee4ff2accf86b3b8b80b90983b97b

SHA256
509e4c46725b43eb40c9a8e48d913462d3b5c15a600f0f4c902f8775156abafa

SHA512
3a2dbcb82303cee72e06db6c1c4555a92c560255e3eb1dcaa7b8a2d6c20a71320fb9d620d86b91688cb2b62f46a380ad24f8da9f107b70e5283277c7c75087b0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e6aca990d1ff94e4c743d9e2b6d5cbfa

SHA1
1d892b9a413738986ebfc877e9a2ac6e0837b5d4

SHA256
1c9d0b7013b541a60f02f2b128c9b8e49cf0e500066b2714f048f62cbc396f3b

SHA512
6e9a121b8f8803faaf53de797e63b3c7466c2917585b614073a52a2663b010c030da55c102ec9833f171bc79c2cf7f837be39851c5e390235316af505faca122

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.1MB

MD5
5f19b2d7c98c810bad3a66650d8fe623

SHA1
4f036d934428b8fffbcaaa7105624fdd5bd3d732

SHA256
0f2d77e5deb70cc6f13e8cd91d6f46428f9065372eaa3a6e945fe174f592221d

SHA512
3d82d05ca17d1b2d4d57f7f50d6dd658d19a254db7cea981e81552c6f15cd565407f287fbd0c961ce7f761366111fd3010e48be5e6674778c540598e8dde1239

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
02d45b6536ca54336ec07162e5689166

SHA1
2daf4383f2a9999928b2623a0b27f3751d29fd50

SHA256
d5d762eb3a5212b2092dc4c823e47765911da4f109ec394c71f8249de184906f

SHA512
233234f2b6117b5c4b4e01bfc9944387e303d500b8f62eb55cd4903b7a455b7ab21f6f48721daf38ac652dfb786b87c0f98b9d14dfc400b7e4eef2fdb2840bc2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
cc0a435ff1515ac8ffcfd11c12b163f6

SHA1
60de815ad12638e96fd032225cd21056caec1f3b

SHA256
355f51ed60e7fa50189eacae82077c36a21f627907b62104f382a77c2836d65c

SHA512
9446169d0d13d4abf61d54ba52b94afc2a7aab9a784f093adb94f34a1124baea34497bcf259c67bdbcbdda10607db46640548e90df750e514c8dd6640b075d04

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f9a35807334333eb4c0a80cc73ebcd14

SHA1
91c8da4bc00c9d53fe0bcdbd46ecaa0fa16c4ca8

SHA256
1d25b18d7f34009eb8e402f92f401eb6810b487eab83bc97ad6193f2a2cc6636

SHA512
eaf010cc34e903281e549229b403aab1a96a8cbbd436d91fa978f8ab49c51b572b383bdedfa2a39ae4560a62c5f6c5d59045076e29f8abe821c9a1dcd17d7745

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
702c6b0a13b37e4c46716776b8133f85

SHA1
eae9ad8438e5ab59976c45318c9f5d17be205c22

SHA256
636a3faeb9f1d70eb0cbb48b2d16b117924365b104c22c9ac7ffbc79e56dd876

SHA512
207e144a2580dcaec48777976ec596cd578a481d6f32f42323be006190550abba76551607724f3369cb7211a1ddf29667714a2872363ce4d28612458d96a939f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dc15730f8c42eb2463d3aad65ee7303e

SHA1
21e495f65f71076ba351301c311c7cda5045c789

SHA256
10f48f005e86a936ff2d352ee00d50683a26d34313b17d5659a779539fe6e67a

SHA512
716935817537e057d9d316d23560109bbc1ce05678fb10dd1a96407a91d8b6753296371e0f15bbe191d09ae7e53cb30bd32a728dcf4785e78cd732a9c74298c9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
64870fca138b212b16e0d50b9458a90e

SHA1
4a5c228938f401eef1a92bfccc059a2d0b0f0122

SHA256
628a687b4c00fa90551fe7a4c77b82f352bd33c93e444166a3ebb3ac3dd97024

SHA512
d2405922045210b92e0eee3a5a95defec53f95da35a461548eed7a7ce8552a4677faa84e57017485373ee624735e1ef9e4808a73e9e03b8470a9b51d486406e9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
02c1179c728089d4282edce621f83ae7

SHA1
2abb1d6bdb7b73f7b9bd61df88fd342b594db921

SHA256
47de7e08c2faffd84ec990e4ac2c1264f431d588cdac819079cb60d4a5569f95

SHA512
2ddf98a0a42275991f5689630841c3b1b30790162af3a76facd8ee76f34018f3d44ceb02ed35ad06c71e978fd51ee80772e7a463cf578f827ae0d735e91ced8e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
41a6afbae120be7318998b75c3be7525

SHA1
928628b8c32f5f5576a28cc2d9bd1665ed72a9de

SHA256
69f2f460afd635445205e81aa90c2ee9523620a84fa6ebcd6733538a3a1d2786

SHA512
678c0c89259315f315a60f6cfb2dadc9c12619950bd4057f5a9136eac858904655d11d949c0620f93fbfae07d76a50eec7aa0a89452466dec4b18d3e95c5554a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cff5d771ee770a1305705f1e813cce2f

SHA1
d9661ef1dda49ca476c7fe5f57300057e929ab2d

SHA256
d74a836a36a2b8abb184ebeca71d3f49933e6a3a11fd1cc8262b113765aa59fa

SHA512
f79b1bc5110c19d2ee3071f1c0135f40ad0e1e1ee72ad4bd7c08efc6135675f528a4c897f74ab7affad9298b42eb5361ea8bda9d9c712eef75b10d3bd75e327e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cc7a212a06f64ffcd7d44c57e0d3b565

SHA1
bf46edf7e3a522a496c5f0df753aac1d626d0015

SHA256
423329316b64f0885933789a5652c10f3fcc6b6dc142232164657d25998b503e

SHA512
641800eb73e18a1ec149e82ec2c1a4dac7f83c9155737596482987d2e17af895ba5c3c2dbdb2163454196cb71bd0fb6b4d54145bb6a5f33e4b84294397cb6a78

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
12d77e60efce13eb8f3bf4d6d02646f8

SHA1
3b74ad91dd25dabcff1dba88d8be3616d85bc5e0

SHA256
66ea08e35f580539150b8129fb9fb1349da6ef3aaa5c0906e1c645d5d6af49c8

SHA512
ce8c32b508aaf404144a8f158b4acb1210886db6eb5c7966c8850c05afc213e33d827e4a7466b0177046df68c019b5c4cd4aba5e4a4308a37b6ce941e39ea6a2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
1899fbe1f866cc0d1f0b81d6d891fa27

SHA1
53ae6d55a8df839c8a427399289bd9e9609ec754

SHA256
a2bf8abebd3e6d6590a549a66f200c87990c0472591734b997396c3f880bba51

SHA512
630f3ca6828b7a09fc4b5f20afe7e648b15f946d8a72c3a6465f1170cd85693cb052fea6b654acfe5977df92d7cb657b26fdfeb7bb7d4c162b40b3511f8e4980

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8b0f38bfc35016617aa740998ba9d810

SHA1
0019c1fb6aa06c55cf88b38b9a549f8c887b1b7e

SHA256
203284b28f3c3a2af458c8422c2f7237c772ce03636d0bf965ec782335df76cd

SHA512
06fa9a548f0123bb53cac3c0eb20701b578661076dc25056483635b13be0b57c8dda011dd05359dca0bbdf21309afd99cccc3a74bc53f591f6d3cba7d2c71705

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b4eec9891374fc31fdb07aef536524c2

SHA1
9919a7218641364a06492425ab8161711bdab9b6

SHA256
149fcf0994840d82f0307b57ff1892128b33bfcacb78d17ec3eb1a468c41486e

SHA512
28b6897c9ec40fecad3204289ea3c656b111c0741d621cb6a092a2cc7beee7e11fd1e3da5625f5d51eef5489eecd711a947d5dbd08a4a63bf8ad323190fded93

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d746220c1729aa80df886818fc3a52e4

SHA1
af4d215e6bef454e8e3f992540f323a64c1100da

SHA256
3da1d9038d4875d52d6c27388335db93a92f7448e98251675e1fd6ac7d695848

SHA512
5b98f75e7978dc8f613444cda568f37d6ca3adea5ba00146ac1eaf82a49484fda1bfdc47105ba2b2fa76d55b788f99d130657eea353fcb79ace90aa74d604505

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
94c0a2650bf992466d66296a9464d896

SHA1
73dda82fbe9f1063778172d02d18d79006daf087

SHA256
57e52d60b42f9be98429e183488fb9e9e885d7f709f580b7198f9773516bc7e2

SHA512
f0474f0d683da577a6f51aecbc7303f034abf01de2f7c37bb8f491b77d1f70999d841460975cc7a2edb7df04fffd32b2dff028766b0e8ff06989437ef5161dbc

Download Submit
memory/856-186-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/856-584-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1196-588-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1196-197-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1444-260-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1444-596-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1512-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1512-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1520-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1520-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1520-587-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1552-102-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1552-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1552-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1552-12-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1744-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1744-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1772-227-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1772-123-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1860-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1860-563-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1900-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1900-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1900-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1900-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1900-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2132-57-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2132-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2132-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2132-51-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2212-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2212-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2540-88-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2540-89-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2540-200-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2728-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2728-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2728-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2728-126-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2872-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2872-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2872-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2872-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2920-84-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2920-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2920-8-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/2920-1-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3120-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3120-591-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3188-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3188-590-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-79-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4468-73-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4468-85-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4468-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4584-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4584-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4800-161-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4800-420-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4812-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4812-239-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4888-111-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4888-215-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download