4675de3bcbe00ef1a82b3544a73911f207434395e964c2db4750dbbf30b133f7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Size

1.8MB
MD5

9c4f68fd78454321328b47c07f19b56d
SHA1

5d2142b63044aa5636c1c00ed8ab11c113982a6b
SHA256

4675de3bcbe00ef1a82b3544a73911f207434395e964c2db4750dbbf30b133f7
SHA512

2c5acfb7517c7ceb004c8ce4b425351e94360a6d731fb4b7394cc167d1c63a48254553e121df3db0494093baf3999d5ee3bb7883ce7b701789966e7cf0edbe6d
SSDEEP

49152:GE19+ApwXk1QE1RzsEQPaxHN0iLlBUKubZrX+ld:L93wXmoKciBSTZL+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4136	alg.exe
1372	DiagnosticsHub.StandardCollector.Service.exe
2636	fxssvc.exe
1964	elevation_service.exe
692	elevation_service.exe
3468	maintenanceservice.exe
916	msdtc.exe
3956	OSE.EXE
1696	PerceptionSimulationService.exe
2408	perfhost.exe
1920	locator.exe
4536	SensorDataService.exe
1572	snmptrap.exe
5056	spectrum.exe
2020	ssh-agent.exe
632	TieringEngineService.exe
4868	AgentService.exe
3548	vds.exe
376	vssvc.exe
1924	wbengine.exe
1668	WmiApSrv.exe
2792	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a0eae754a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000086232345cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009398a9345cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000249541335cb9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005cb986335cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000293eed335cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9ff2f345cb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc9a6b345cb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Token: SeAuditPrivilege	2636	fxssvc.exe
Token: SeRestorePrivilege	632	TieringEngineService.exe
Token: SeManageVolumePrivilege	632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4868	AgentService.exe
Token: SeBackupPrivilege	376	vssvc.exe
Token: SeRestorePrivilege	376	vssvc.exe
Token: SeAuditPrivilege	376	vssvc.exe
Token: SeBackupPrivilege	1924	wbengine.exe
Token: SeRestorePrivilege	1924	wbengine.exe
Token: SeSecurityPrivilege	1924	wbengine.exe
Token: 33	2792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2792	SearchIndexer.exe
Token: SeDebugPrivilege	2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Token: SeDebugPrivilege	2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Token: SeDebugPrivilege	2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Token: SeDebugPrivilege	2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Token: SeDebugPrivilege	2968	2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
Token: SeDebugPrivilege	4136	alg.exe
Token: SeDebugPrivilege	4136	alg.exe
Token: SeDebugPrivilege	4136	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2184	2792	SearchIndexer.exe	113
PID 2792 wrote to memory of 2184	2792	SearchIndexer.exe	113
PID 2792 wrote to memory of 3872	2792	SearchIndexer.exe	114
PID 2792 wrote to memory of 3872	2792	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_9c4f68fd78454321328b47c07f19b56d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:916

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1668

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c28387e5d8087f67beb5edbd25871fbb

SHA1
8111079a7cfe9b4140705defc28a73110d0242e1

SHA256
bc1b0f0e296a1d7a39f3d5879239a676551597bf31a7a223563986d1ffa0cf69

SHA512
7bb1b9da036ec303f28fbee24a1d16efaa67970f225fd62438ba0d699ab26a58f4e4bc1a09c03a267bb032d9d4d501544d26c117405548285237e9d5a5c51860

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
db9a1334f8bbc07007472b9b1481d9b4

SHA1
f19549452f9c33eb3788caad0e01788433c9bc5a

SHA256
2644eb4e6778ee53ea0f831cb1d5c47946d8cb643c042e7e8922b580600b60ac

SHA512
1631caf59cc232e1a9165fa06383c56df11d25cd67d22c2e62b8e776794ef3fbb8010581e066adbf78eda824ec488221da0be5a6dc1b5193a330d6f38351fa1e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
2de2012c1713ac3154d74b12e3a7e4aa

SHA1
19c1d3d9a0faf0087867a144ae0bd09aaa7d81bc

SHA256
4b5acc463adb6efaa63b7caae74eb524d84bdea3b72c12c1203b30ec7891c6d5

SHA512
62d2993d173b8d152641b322158723821adbf6641420628bd7de452f9fa4dc3f6e1fa54e184d2e88275ad0e8aaf1f985781dd74bf8123fdd7ccd04179b54165f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
689a2876c351abc7f2663b2fe7378886

SHA1
0739668e95e5e91456e751cc566e7aaa72460399

SHA256
feb83e76b5421a2a3b5db1b720d008ff1b0f22a31edd84316801c22ed1d6452a

SHA512
fa47f6ac3c6611f49dab5d393f7e64b2bfa4e568f4888c87a3285d787a988359ea7c2db661a5e210fda14bd37844cd92b9817ffa34a69c5f92d0a0646969b350

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b7cd561482ef37a20d693787a62db856

SHA1
fbec0c6e133b0e819152569a6a57e1e044148471

SHA256
6cbdcc4b04cef6939957a033fde92db92ca4096249deaaba2d4d79fc01c3d851

SHA512
6a710783bdd8c2c101c8a87dd60aa372c2bfe8a6f064cb013fd1c537461adfb719e534afe9f62879616d9a67712823c6a21f0e47b49ac8c190b1af7816c4f340

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
59a7e511909517b3599f30f2286603b5

SHA1
f10330ce9e1b97b6c2725c2d1176fa2da562e776

SHA256
d29e9a1d16a3c09acb2620916cf8be3b58c4a59c5e5c90159b3297952eaa6b78

SHA512
97bdc0b9fef4317aa5884e9740a6fbe6337e2cac91d518069495df21fe55f37dccb68f9dcaba9b533b881f84cd342a84a6a84119655788f518ba390bcfeb8fbb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
65e0a8dc25d339adfbec65c3a098fd0f

SHA1
722abbf6eba3dd588b48c71f37bb3d1f50302439

SHA256
c5b42894001cd6a8066ba8c880f10b8dd8087561213499b472797be1cc0a4606

SHA512
9af80c2082fd5a1c8c1ea74db422a1c7632f2f6f7b596ddd93144cd4b57e2a95f100844f4370490132108c9ffddb3ae62dcab9907b9e950910d520c61a67cf38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a3477a244fe58f75331c58e4ae5fbc8d

SHA1
9a72cd1bb0eeb887108733be9d7e042a6a0ad3e4

SHA256
0890447891fe36cc76480049aa8e98ad20f7bb57bd805a0c7b55a21f2007083d

SHA512
90a9371c7159e149a178012904feddb0df7f44000cfc3ad24ba3de21c74e913e5383fc6283b880d15caef32628c7dbc22b51e8cb74cef09a79697430fbdeae33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
3639ebafb36b11fb7509e7499d09c52c

SHA1
e504c885faec65b8946fb20f605f0dfaf800c853

SHA256
3e8c2ab20391d1f4b0a263d0244e154ecbc4c4bd7f42390d2e14232554b68eed

SHA512
8da7c2e727a9c3b447946f923b6d1321b849008850e76af795f57c961ccdd7b92c83d7430a63a9f16de6cc80f389c744412594bf5f45366c592e70ead430f046

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d96785942d442db1caf442dfccf613be

SHA1
b04fd885ab061a50a3f4bd663d417ef985d9a1f9

SHA256
690a32dd08fb42134f3bef7bd837e7cb137aba63f4707d542f623486026c8e49

SHA512
98d3551a72e9631d50013fe7c56d18079c6c3d6c60b5234be2790b864d74c46b1100fc3849bd8666697a267fa5aa9f7dae7f758d312e4dabb6509e4c1e306a24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
afefff25ae085b30754893aef8cfba11

SHA1
71a82f5c366d4bd720e6b82e61a508c3f4310af0

SHA256
5dfda9ba257cfb29fa3190bd232af428748e8e146f96ae7dc88d143c2993b873

SHA512
0492e63e47127d7b93ce163024b587043e5c42ee6d192add85a81886e576583837127ea52bcfa7d019396a273182af354542c530d9d43777553b774755e7f417

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0098876516c3718bca9ad3066617c493

SHA1
a8fc673f7e86dd9d4acc7a26f6b55698f9c210ef

SHA256
ad23d26bc091eeee75333030c14ffb444e3e3ff898f27ee339772dcfaa7f6368

SHA512
e9af29d6675f0218bd7c7042c7534a92c608a8978fe58a8a57359136d59c595d0f620b666d22a681d22ac3871c0ec0dc67bb38fc653d9e8da8c4673935fba2b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
baf7fba1e0963d3144abae42c1609bf7

SHA1
da46cd45f0c75b32ff48758d82773d7c531bc86b

SHA256
03f3e3e3f9a8a87065f5db3e3a164f78b7eda5b2eedc0495872f237fb00f5d54

SHA512
e0a4d0f7bcbf5a48f8fcdf626fc0c4626de29891970823a64dd8ad5de6610a539b1ee73356c84141131d9b79b69300ff28573c32890b0ace052ad28057800741

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
82a195ce14c1d9b336254966a412fda9

SHA1
13b21815981e5bf5532da788436180d3ba455f0a

SHA256
652db705246b7bc2cfaf149c153bb4a4aa99989e6d8661edf4414679684f0d0c

SHA512
2fa6610287a1c90103b9755550d1e777f6718a59e6ce8c1b3325126bef168307d0a95b44f30b4dc0a3adad82acb752f5ff5a6daf2ffa60450a45336f60e91b67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
90ae369b76b0ca56135dab1e11040e25

SHA1
fcf05116516cadaf1bd6fbd30426be3d40e7ca1a

SHA256
ee4ebf6c95e42d21d535acf44016c3d29bc4b0661e4d84bc666fc9d74d1f3718

SHA512
1c467af47c39ea3b6265f953e04363351532c0defa880c771fb061a0b5e0cbd014b5b9866ae3cb042e6344eafba462c9752f1055e6758651b7e599a852f0046b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
079d3828366abe357915d2521fe90675

SHA1
55860388635de7173112e3b1022e20f1150cb0f7

SHA256
d7baeaf9e8ca98f5e4e83b0f3bcfd88cecbef18bde9006509af13b18ff164309

SHA512
84e158e192f2912cd537f480c0f9b5eff23d050cc6503e6970c782552d3e7ecbae61b9a0df1455e97829439809869b1f0ac7efd843b7d4492863b693e95a1913

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9e308353f2c16503af81135631cd7ae8

SHA1
2e44e9f18d4fae0294e2813d7209ec2b95b73b62

SHA256
df4243b770ede237cd2a8ae7d7ab56af83f686526f1b57c0404e569ece9d5d04

SHA512
d42a1793c65f38fe8e7317d7d0081e24025c833f896914859de0fcde841008bdcd7ebf70e572dbb553e60a547a24ac00e9f8d9c8f3c1199885e52610506887e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a3ce7716bd6ca0267bfa02c7c556e84f

SHA1
94cb1334ac73ab7876b1b590fd6764d6cdb0c4d1

SHA256
8080fcd4352c472fc884a47bcfb199655106ddcda92116ccd3cb4b739ccc3443

SHA512
ea5deb5482e5385dede50e85f6aa73924229ac70789af05b49d3b15fffe17f8cd3dfb8c3bc11e45df2e7282a07eb3ae02f2409f38eea780dfc1295661f795748

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2a9c26ac4bfeed89419553b552909e30

SHA1
88ced20b02ce7e744b2ab5d01f4abd782e9fe0ba

SHA256
8bd8d7b8304c27da3aac0b6e251a9e102de6a4c2eeda42073465d93fd589678f

SHA512
de9f7a5dd01a982eecd5bfa07d6341ad2a71fa5c81eda8e70696c77d91ad3c3581a27122570a3b700dc72ade2c1411a19c6c7bcebb39d83685b17c1bc92ed160

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
94c0abe6a9d09bcf3c4922e39fa35126

SHA1
f7e1719f6462e12e7c3f34f40e10a5f00831e1ec

SHA256
36dafd987b0386de30cb87914b828d6aac4f022bafaaaa6634b17298423a7253

SHA512
5ab02fb0be92e62a70dc862caf548506fec215fdee4b5589b8afdfcb75e4fdaee8f4a7503b9dd9826eb37629c9e8eac96024e046b02bc8a4217bd1a006f52250

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
7797e6dbf7b1683fb6deb320de3781d7

SHA1
f744d13619b95dc2c8d126afa0f45897b7066910

SHA256
f6c7f8e121ae4f386b3757359634772643496de890ca938eae0759af6fba237f

SHA512
e3d5206e75ac4d907f32b41a23e6fc3036cd15f037a769056d7999121bb4bc2d32837bd20c1754393501a85addea38eacd3ea60b245c088d284ccef13f649894

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
44b28b2fd25187242733fb0ab531be24

SHA1
1075327032e7c0f0e8bacf6b414fd8c38d549557

SHA256
2540ee781f8906af235d6e4214faae9174c24326ee519031669595cffc858446

SHA512
35b935cf5d2127f1034f3244909d24caa64a38c702943bdf1834bad5de69a01dd8c7efea53e62fafca00827b737694552ac4e60a6bd59f4dca999631ebb98b5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
efb5e1f8f4d2a5d1c0212e200a014b2a

SHA1
3ddce893bdc0bb58e023db1435cd9bb5ddfb030a

SHA256
41b132dc47ab10969f14851f47723016e0a237876144f98638c22011ddd42eea

SHA512
93c5f5deb360b3296163e55b645698d79f2c8746117e4d9452b5b3abbd15fd5026360914cc6f1c058062418058fa7ef707bab47ca61160877a5488eee9f1b1f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ee7634fa6ce79eb526b133558c2d022c

SHA1
2dabcffb9d3b4ca14e9c47c0e0b6d851a43de51a

SHA256
0e3139cdc4cc21215962df694d7a87f8dc8d713527990d7a6f3409b7852559a0

SHA512
21b78ea6400ae74a7778a522473b8811886403c7a211c85acf9c54c7d7cd13cfc7008ed40f8bea490975e55a44152372abeceb2d8d20a2da915e6522d49df4bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
23ab368ec535a9a8a555d0c55b3a3bdb

SHA1
e948b33ecaa4e76940ad9638a20a6846c7c9f61f

SHA256
e8fec9a007590d022c3a6426305c546c54459ff3ccb1e6e66f24edefaf2f790a

SHA512
03c7b1b4f7f2eada9897a80920ff222b69c81a2da6ded2c8d36a72d59c2dc8240535f2ce480dfffa4c285a3121ecd68bda749cbbea80d6dd36c3558ef12b089b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
b78d6575d6719d0d2d9d47010ef8477c

SHA1
3082b8d60c579f226b2b313b56a8a1c73295803d

SHA256
cb78e8784be882dce370d6489de9d8519852eeeaea2c09204914ace576906faf

SHA512
58c3be88880485d5865a44797183d4499379714c9d886cd15fb9937220cea01f085225761c733175dd7c4aa999d7a1c4fb44c862dd75d4313cb06ac96b0a4c31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
afaa3dc64936c454c259a682572fa7aa

SHA1
350ab29544bbb121a2d96e701c4bdc7aaeb15b59

SHA256
8b172e8eabd7d080a7bb995dab272267cb191e74d414db6a7bbc74319f97ba19

SHA512
27efc6be07fb8f56a7ba7647d2565b3e80c1bae4b2916c79a384c58efa2d11cf2983ada9e6a4f5b02089a2111afe1eb5e2d1004b46171be809b7aa261070977c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
19bc6ec0d33b49692eb63e5b98724487

SHA1
d41d40452911350c8b2a8bc02999b18ab25f5dfb

SHA256
08ef20d7ed584a6b12a383e34fe0f1a02ebbbd1887deed0cee968f0106f798c1

SHA512
48f8577970d5e3a4db9ffa949e3b013816965b3d619a88f3e768d98c46c84ce0c062234e1b4ea51068de5991cd91c63d83f282df2adda0b16e172d8a573e3c63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
f3d331af3bebfc648cf6c8a65d54c49d

SHA1
eda78b214d390978d72ec8a05e71a285143e1414

SHA256
ba16a8ea7a73e4a30d906ffc2d67236477c9443d4dabeddf48708e4dae84446d

SHA512
de89d7a08f78a0b3d4ca5dba707eb619f0934f1976d9e2fb81564dabb2f2b7dafb8cb2634b7cae0eea9f80cff18273764bdca501131d5a2943dcb2fd52db2c45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
7ec4c127ee5798f482f4c59ed42331e4

SHA1
37e741050154e3d5cfd97429afa4908e537e0e7a

SHA256
08090779b6405132d631200c89791421dda613267012d61f9f91e0cda9d535c5

SHA512
d0f67be0dc44f14617b37400babb6b729a420ac4953fc9f39134aba1c2035d61d525a9ab258fce91597eb52d21b9e8b8120d1ab4180f0fc4545af9a5896225d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
6c298538ee92f9543ba51b0cec49f2fa

SHA1
cab8425e7f7eab077309a212361260823e1337c1

SHA256
7387ae2a89a0ca0064fc285458363e12f75783d1102902dcd4deec95ab40c3e2

SHA512
ab64b19b82381a6d71e19a93141e50631d389d4f8533c14b4e4b1f049cc3b47695d6f008f070c5fb4c55bf63638b58b690a04b4da2662d7beea5647684b30028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
de63aaf8eefb9348635f584ec069e69f

SHA1
9eb685a3115cdc785bfbd8317e87bf3c162380ff

SHA256
aa99a68b164a21a91309b4569463b5b0cf4b32ea1d8699119c6423acaf6ddd3c

SHA512
e50f822695fff1277dc66e499b7ce6db7c8da03d2f950226d7a105cdc917bdad61e4d98d072eeb0a7e863bea5c4deffdbb70cd939f6862ada609d72553967fe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
4d3ad09f8cd3d04328d259b667d7bcbe

SHA1
77c73b7fc469ddcfc5e367e31521493fc77b289b

SHA256
aa0d41e368a4aaf17ce614a6843cfab06a50875b5cf62a193ad49194200948ef

SHA512
389090116c601574188700f6c9f29b9a9007c62f862a2974b048bfbb928646502fde4b885e31b2a02d74b0a983e31f0affb8357e2cbf7f0d6e9031d0662a65ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
ef91d337160138cc0ee78045aee55ec5

SHA1
708fa6ad6b56507b7a8ae629a79f04c4b91719b8

SHA256
0d4ce743b24e5c9859cc243ac4cc5092c3f40ee07394be4eebe5b97b7188137d

SHA512
e2580206ec6143e916fa589b440b1e68d07da628c17ba32dda287094fcfec5183288a52c351f56454be20c2d3995e6b3481823ff87b4b9cdeaf7f69efe179d00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
716c319686db3c59cede5f332e8aa144

SHA1
3c8c696ef9804058e58a7e2b7a6755b93332a01e

SHA256
59271a5bdc772611366a6b5cd68ee2caf139d6ac4557697d70f09fdecadd5e32

SHA512
8d38588e65d803d46fa3502132ae4b4b7b71bb69e31d75e1837a30de3f366af4fc3134961a72e9a87463e5959678e9812b1ee856917949623f22c8a3bf60cabb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
20f7e4eba79ae00c25e15b0ab9ca0822

SHA1
183d17cb7c4695198f4329db914531eb819b8a5c

SHA256
27f9cf6ca4300919e68651138d22746877b70bab65ee8cc9d9c245cca6cde676

SHA512
05fe1c0529e49ea9f6025b3497d94fa3cc402830f223da4e684aee954b50591dae45361453c78aa9698999dbbbcc757f2cd31a622a03cf8a9132acb65eea5065

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
be13793df98d418385a9474e4231628f

SHA1
fbe81d875c744c31629b97cb49e53ed1b9937cec

SHA256
acdd7ef3bfc1ebd63b3181d73b617ebd91266e890b0c56a9daf239cb297ffd52

SHA512
a5e0d7f4dc7d7f269ba503248e003ce7c805ae0d07a06441dcc383737b80ff9c1d3ea378c7529fbed10425ea137f16e395d2f8a6f13b03ae63a9f186e53c0f5b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
d6abfc637c29cfa623c3923583527b00

SHA1
3a7b57157ccadb3481438852f4e797dd93efcc11

SHA256
c6267e00630b7cd1374050b30c7b7b188c326df92d3db169009d7725523d6506

SHA512
3173cf471a3cd6eba0f36f59c27483dc1753c4d098355dc11e491d1bd1fcb744328867a5cef674a4ba503df5e1789c55dc6945eb634e840175c3a7be1f505ec1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
fb4b4e4fe00b098e123919dbdced3e1c

SHA1
862850060ff9f504a1cbc1dba62215fd1cf21bd9

SHA256
04321a67c8a5861778c6cfd4e0e1304267405b780f4d28ece8d77300db13c84d

SHA512
9a948b4f220ce2e665f86fd3afc1a1eeb33f64f7d1fde890ed7c5f71d52eb60dc815be8843be87e6f3a111f1caca941f2aaa688dd05565024d2f948ca8512341

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
40f3d1c2e265db67a7f71a7d279ce077

SHA1
8b7d0c22a38b6a79f676048584f6e4c05b68ebda

SHA256
87a7a19ae8de67660200a3bd14daaa17aaace9fab9eba9ae5f8d8f9908fc8521

SHA512
1f6ce731d26fe035787393cee18856eb1bbdbdd99342f5afcfaaa80b38c25d3933e932da24dcd50afc19f23674b07f26e50f4be6fded1c1238220e703df6c934

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f7a0f23896c6ee798d599739cad11247

SHA1
460f1a10c92f025a59426fae7261118cd8743f82

SHA256
295a3df45bf588eea2a557253b91cb427447c5fa70ea51c6c0b9d46cb488108e

SHA512
a60a38ba4e2e6d5c135bee4093ff13282dde02b4e3dc9c6a88f79b2259ebb60aa12419fd1f4889891213e495fd1134e801e3154efe155f3f67d0bf192be2ceb9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
95c2f55b23c6c066c6a33eb4439f6973

SHA1
ed5ee66883ce9bc1a7358f64994ad07c7742085d

SHA256
2cc437d127023249f2143a6b08cda7d0a6c4fe79915b0392f01514e8545d762b

SHA512
19e82d71d98dd8ebeec29fdd1682711a461578729c30e170a0eb2744b12be7e507a1ea1c7d0b29b7f502ddc55a7555ae602f812b00f139921a52d5cbd4e3bab2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fb472e59e7fe87a327b0edb608350397

SHA1
dab3f2db94ce088b58d018cb41dea5fe1b49a88b

SHA256
5cd08deab1e2ee7fc0c737206d5bf2b767c52babd0b9790e5d9725a77fb8e2f0

SHA512
297a47589ca42ea4ef428eba43c303bebb1107062f520ca8dddb7fe35233a18afe59da859d01e3fa415247025f9288d96028535d5390f0c4f3bbf7743bd67569

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
401b944f4298e7de71dbc830bca423cd

SHA1
1e1e5116fcd20c457e378a46d51dd64dff9609f6

SHA256
1d03eb5d1b9cf42598533b23b3ef22fbd0d720d84baa56bc8b2a99fcd748b0c9

SHA512
1325ea5593a866f884c3733ff34fb6c2d1a0b533acf52a3405f6dc87643d73d771599f2722783315376ef3d0094c3fac580b5fd745c63764ba0d5b1f21c725c7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7212fd70b91e17ad40fc35f707dfb93b

SHA1
3aafc846780b9a6819f0f950746044338f88802f

SHA256
b646638ef74eb6515a7111c061df6d7fa0c3acfabcea5725118f919b3da1b43d

SHA512
f10d232d84f70ca23e6a288a8ed9eb2b5dbc2af8c721cb387300b2ce532fac42de02b5eb536cff1e3b4d94ed093be68de23398058549a06a3903d949ff227c9c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2b4a7379846bd385650b1d0fd965000a

SHA1
06868d6a3fd8a44d1d64e65a5a6fa20d120bf13c

SHA256
ebe4444f9a9ed1035411401ea3ae350ecb8cfaeecc76b09b5c5c6ba9d4e8f210

SHA512
1cafb6278300a69c964c87233c6b55ee41e6bc669c7d641bda14bbded0faa6c6f5a0e02fb3f3edab6e27f49b71d76d35bc0fe3cc711ed789b622764fbd245b66

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1f174e3cc6c6202ba7d00b4b1c0f55fa

SHA1
6a8770c5e3be9e69e429803eb578cfc7c1ed07e2

SHA256
bfb9736c92b15629fa9b9383bd87769508fcda4d536d8f04b42f6c553609136c

SHA512
f232e69e8bada466d0fa0994457750b16fdb59b877059c58a5d52f0763fee97a934cfaceaed50ce0242d537b27b3c1a8acbb69c8eedbedd201002a7aa8477528

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f11774b1f1c0cbd5076e27609d8f890a

SHA1
9e6a8fd7c74c138789cb3b22231e41d20a264001

SHA256
65256406284c339b901033f5ce9e04370839c3d8519015a1ff857b198317dd48

SHA512
2939302d8922d8ca4000b08bb21b3d1c076f6f789d055751f110d1e683d23758feb1f1a1f6d62681085b19cdedc4d3b4cea8319f74d0b50d0487bce689bfd4e0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
a59c1d920030f990b0e97e7387cabbe5

SHA1
9b58873ee284b36e0d9ca9cf59ac037b741a3d6a

SHA256
12a5ccf3dd078cc1d56175aef00b758d1e91d3330b56d8f2ecc1a4297d063ed6

SHA512
f07ab8e4eff036548053866f6119c20c79061608461b66112265cc5d0f476c4992efff79f542781d75e7b03da166ba51852340a13270f1643811f78748edfa64

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
84de6577820c5e7d5ebf8f13a1877ccd

SHA1
17e64fd729f8e7a6f98d57c80d8f1811df8a95dc

SHA256
0f383a2bf0ee86bcec614f3a7ca9dde6ad4f40d4fe2005454b11f667402b5df9

SHA512
d5a90889365200c29d64b8c219a9634dd828c2360147c97f447502a13382ccb3a514dc5be40fdfb652c0e857a84531a9c07a79f6d9ce2d71dc867e85ea2a3776

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a24967a171e5d87716b66fcdbb9a1528

SHA1
b53f4fe19b49436b9709003cb1d6fe4bf1ef9c9b

SHA256
562e4ab394b2589a2bcf5c256c5f2a4f2d1c70234917b97e8a57f7c3c48d47e3

SHA512
054e7c3f7d0545a548328966e870aca6d7a25348097c0cf1465ab1dc3fd6455c52f480c5476b6c45fd1102c9e195e6c532d9eb73c9ce4995e681147a72c47742

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d767c2240b3b9ed0c293f525262de2c9

SHA1
9815ebb5bbae18a0d9cc393a49c4924645e8499b

SHA256
f8fdb9ce109b70879241bf92a5b91d1f9efeee5ff8cdde7a0a29469b46f55e30

SHA512
5a6400db50a8d23f6e3579f47f8878f78c30bae31664d8706682801963b2d192e8dfd2e2fe4b220eef8040d1954743b24d62bf31cf28aa20db475f8855148400

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
67b6cb8b4fc85c35cde0e77393299561

SHA1
0fdbc1b0cc2680b7d519408638a6b4493fa29a26

SHA256
5f2c87c121adebb2dd408dab48de40128d6bf607ba78947a8d73d8851e2d372d

SHA512
5e602df5a76a6085b362c3b8ea9aa9c24740eea42048630d6d3a7ab26d1925256d99594ec37f4f62a1ca244e02c1eda88cbc558286baf1ab90ee258b553af5da

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b89d060764ea03a9e7e0b49594e51f66

SHA1
5e300b8f0d34a5e1dbdd5cf0f1c49b7c237e17e3

SHA256
5b95f9dc1b0b4d983dce2e1d8f4ceaaea07d7fc1521d1e2c95959da25659a98d

SHA512
025f0dc6ce521d603b1b5a07a7e6fbcc303f5a38f613b0568c6b144447f6fc756d68cc790d4e834dd5e2844ab8ac7e9b842ea2ebee5f19e14c55ef57bc262935

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
edd39ef741ffae243d463c13b0c62139

SHA1
6067a09dff11ac41ff2f2fa28e147769de3019aa

SHA256
7b64edf2d97c9f23b16c51c117005b44471ed8b3242a5b4fb23000b6ede816a6

SHA512
5c60505aded202966cc1c320b626503b1503dec6a311d37d03c6af6ea861247b77e6591ad3dd1a97680cd0bb928a820bedf5faa8e053121c9a1d8445dd703eae

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c0d0692c63e5e09b0d7eff1ed5cc3a4c

SHA1
4e374638670617f297ce1429c5d6b26c5badad1d

SHA256
b71688fa7397946cc9c0a6555918d18edbccb056eeb67b9128410243f3ddb1b0

SHA512
f079ced86d6014cdc30278c77f48faaa193d98bf2e03a06053d92a866ec505564f9f987d7b21ae0accccdcbf1b44bb01f93118d42548cdc3f1d5848f8e976ebb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
51aea87cce76d116b46c532b4dd41565

SHA1
38e05a83d6d4d5c980640c182681652ef895a6a8

SHA256
5590f38bc3b1b8cb1367586714fb0967c2ed301333f513129a57c50023321e7a

SHA512
fdf1a2b2e6bc3f66273d814d53504d6bdc53265d363956ed3bf1aaeb3282b11696e97f8e2c10e83bb2a85549997911b680d845dfa8d797501bd6834407160e67

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
e877175124608cbe525cf07c9a1b7876

SHA1
fcec8c9ff182cde70912441543132612d614613f

SHA256
cdf472945885fee35e8abce8ddd64771d378159414c4bf129c87fd6fa63e9103

SHA512
cb9d865cbe8f2c4d1a4596dcbf1298e98ddd647cdf853db3aa5660550cc58fa7a7004a1b2b6f0539e436dc23f73b1fb37282d32f4042e12c2554f9a03ae8fbab

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
62b398ee9b9178be619dc6867bcd4bfa

SHA1
b600097fcfe4fa196972ac6010c88c944a16d652

SHA256
fea6fe334462151abec5ad37258b9e2af9c5f41943a4d60c3347bd322ce37e75

SHA512
7e311bbbd3f632309d2ba01635875392fd1a43272ef561a85e5b5637fb254372c75f2d0ce7c76571f7dfb4ad6c2778f1e39e1ed1de3caf75b91fe40273a45c21

Download Submit
memory/376-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/376-527-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/632-199-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/632-525-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/692-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/692-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/692-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/692-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/916-91-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/916-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/916-206-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1372-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1372-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1372-128-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1372-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1572-405-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1572-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1668-261-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1668-531-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1696-125-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1696-229-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1920-138-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1920-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1924-530-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1924-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1964-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1964-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1964-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1964-54-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2020-186-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2020-521-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2408-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2636-36-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2636-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2636-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2636-60-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2636-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2792-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2792-532-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2968-89-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2968-1-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/2968-6-0x0000000000980000-0x00000000009E7000-memory.dmp

Filesize
412KB

Download
memory/2968-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3468-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3468-82-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3468-74-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3468-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3468-80-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3548-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3548-526-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3956-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3956-225-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4136-11-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4136-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4136-102-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4136-20-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4536-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4536-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4868-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4868-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5056-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5056-514-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download