2edb6b1c0b40874d13d2268d1011f4603855d203503e9f796233094b37c9348a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Size

1.8MB
MD5

134943dc864d0fcf25d9a8ad94582f8e
SHA1

b0066f7d27ac03b123b9a1454d99de4e2f3aea95
SHA256

2edb6b1c0b40874d13d2268d1011f4603855d203503e9f796233094b37c9348a
SHA512

67bd8f0c93966489abe05cc67c62da3e43a0243f29ae8719eacc526688cc3b2d0f57469f102455ed2d5c728f3713a2525da77ec2be36a6d3eeee682f32e63bad
SSDEEP

49152:+E19+ApwXk1QE1RzsEQPaxHNJrfPOkhqvq:D93wXmoKJOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3248	alg.exe
3696	DiagnosticsHub.StandardCollector.Service.exe
2500	fxssvc.exe
4748	elevation_service.exe
636	elevation_service.exe
3232	maintenanceservice.exe
4136	msdtc.exe
3144	OSE.EXE
4824	PerceptionSimulationService.exe
2936	perfhost.exe
4900	locator.exe
4288	SensorDataService.exe
4652	snmptrap.exe
4508	spectrum.exe
4428	ssh-agent.exe
2816	TieringEngineService.exe
1452	AgentService.exe
3108	vds.exe
2252	vssvc.exe
3580	wbengine.exe
2320	WmiApSrv.exe
3708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3767d7c1253fadf5.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaw.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaws.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3fabf6409bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a6ef46409bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c80076509bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be074f6509bdda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b12d566509bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ccfbb6609bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d09116509bdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6432b6509bdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Token: SeAuditPrivilege	2500	fxssvc.exe
Token: SeRestorePrivilege	2816	TieringEngineService.exe
Token: SeManageVolumePrivilege	2816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1452	AgentService.exe
Token: SeBackupPrivilege	2252	vssvc.exe
Token: SeRestorePrivilege	2252	vssvc.exe
Token: SeAuditPrivilege	2252	vssvc.exe
Token: SeBackupPrivilege	3580	wbengine.exe
Token: SeRestorePrivilege	3580	wbengine.exe
Token: SeSecurityPrivilege	3580	wbengine.exe
Token: 33	3708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeDebugPrivilege	2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Token: SeDebugPrivilege	2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Token: SeDebugPrivilege	2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Token: SeDebugPrivilege	2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Token: SeDebugPrivilege	2836	2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
Token: SeDebugPrivilege	3248	alg.exe
Token: SeDebugPrivilege	3248	alg.exe
Token: SeDebugPrivilege	3248	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1184	3708	SearchIndexer.exe	113
PID 3708 wrote to memory of 1184	3708	SearchIndexer.exe	113
PID 3708 wrote to memory of 4884	3708	SearchIndexer.exe	114
PID 3708 wrote to memory of 4884	3708	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_134943dc864d0fcf25d9a8ad94582f8e_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4288

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f9fcd670e5bdd17a6e6941fba48df31d

SHA1
8326d6dc04d89cbe1fb3c5e61d3c653ac7d69029

SHA256
bab8446b5dcfc2b1c38081a229d52bf2ef1dedcab9dc452cec8a03ed70b2aa75

SHA512
49173f3d5be0fc83ec9e5724edc08adeb915bd72fc1817c63e6e71a391c399462aad5cb7c3439ab0ad909128b30004eca614ab407fdcf6e3815fb6ed01a26f84

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
6ed11131287a5c6e38f13091bb13d327

SHA1
a1c94a34f5f99b41440f895db4198d501dd7ad0f

SHA256
45458cc4aba78f74858ea6f5ce6a317d5a504cd7c220daa446217a9da2fdd045

SHA512
abe1037f2d956d1d4b753fc80cce7ec781288f99288da9e27d2905da194b41a1a66f82228c74dfc12823da9da670211785eed57538566a26da838f69c745752a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
2f65c4dcf66a533f02c23e3ef4d127e0

SHA1
2587e0498f5944332117a928e8884e24772a3538

SHA256
a3a0a05ed80c6d3a58d8d5b73c152568a2a2c4265b0057a50581372d5d2bc4a4

SHA512
32fbeec3e48bf1a7dbe60aaa1edf910e26058da129c605e5ad420e2def500f7baa8101becf9f7f9fe52ec6abcb2f17535145a9296a440fb69ec1e2f426e358cf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b75a490478a494c29ab8bc7c372b8cfa

SHA1
bf31dd38ed87a031aea2fecb46521319ea0c1b5b

SHA256
e1b98103eb31ed037db776e26503bd1471a3711a27d20078ded5edad498701be

SHA512
96b47ffa2e56c64f74ad617ad18f7bc25f778d5662abbd98d059a1d7ff23b857b06ed5aba46e398c921897811ca551e7c7ace1b55cb2596d60a0ca179908ccf3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
12b274b3335a8c82b8293ab6c718cbb6

SHA1
c3546be82c829aaa675abc27cb3f97133b757fc9

SHA256
c742204cbf1aef81903f437cbcd90ba2c37d0be82b472a581d1216058134748f

SHA512
696f34fb686d53e2f0a1d6f8d941a214ec34b510fab4c0f2d177780f0376eeb31e65cf8e2226a9714720dedec93b1d4b9b4642603f75e4188cf8d5e93b23354b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
90c6ba9d44ee2fc927c4401a5cd32b03

SHA1
c95234058cf63bc0856b5d2aa3d81696d1cf058c

SHA256
af676b37b46a4f2b4472baa43937b1d43e159d9f9ff3e1a85991ac2b9e22121d

SHA512
5a5a2495d8474582fe02c00a4d70b0dbb0fde4cb299ced8aa2238765ca67914cb73a606253c9719622e8d7b76812f8944963e206d84b59ca2f392d56910d17b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
47ce6d15e19b8a66c9257b5f3ab17292

SHA1
26a3c2c7cedf69525ded6dbcb4b46889f29663f0

SHA256
a913570b30a65162bc8223c07c7dda36bf0a738ce3db183be97014ded782247c

SHA512
adea3a0b594015b2c08142c2f4460dc6eec0ea78f7ce15b3f7f989a518cc16e76d30af8ee28abee6b7d33650f291b230caada5447b9f122fd3a4eac86b5c1d22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8dc6769a082c54a61e487c87f43e7a92

SHA1
70f43892e43254d8ad47d23b5d2f264bfb1d02f4

SHA256
84db8512af94d5669e10865d8bac25552ff18905f30c6ef925acc0d3577b9d45

SHA512
853e71ac1a835ff510c6fc92df8871264ce88aa1ead56da76b3d4c0228c32dadc8c8a0d31444f883e1969e5cd5f9fb0565dae427b60a9ac2ec9d08e98b5d608d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6f52e480030d4996fb3845778f8a081f

SHA1
c950ea7b176dd3f77c4e3e45ece0b0d2f7818e10

SHA256
e69cefc2cae5ee3cdfc9ffb9947fc23d2190122d210a030f47b86d35910a69aa

SHA512
d429ae118ff28b244fb75c9cf5021a5dc5e53f617c3bef6321e0b0d0ada0e8dae9c5ab98bb27bc58b788b1fd2bdedeeb9827ade2a43f8a3b11cfee2733bc1016

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a50f93a98213aecfe65c987754bb7f4c

SHA1
19d1b9a3d52167fb558bea1235ea876ac2ad36ba

SHA256
4b569a016754e8d8db8f4a31a701e7c823ac1ae4977001ce1cfe9d90611cb892

SHA512
2046d2ed1ba6d6ed1e1931bfc20ca0b5c8783acf8fba4bc3da27488405a9af9b8de616754f2ee6332c5f557572ac37cd6831b8485595f762d368fef5f0310f02

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ba63a1c33cbc10247165e1a2e4111447

SHA1
b1c7661104940ea040d87e204094add1a2244142

SHA256
92cdf1d24e49b805251c7304fb45e70788b0a8e03aed17082f3d79340364881d

SHA512
4a40179b6c6ca7be65640080c688479e9420f7893020f18afa5a68e392d1f7cc0951ec93a4ed739139d184371e16ab528438b567c9b5ee9f4ba944e8577e550c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
617412c6a2a78ab325396ccbbec8d696

SHA1
b4934578af2e0813032134deaf1e8a9a015557fb

SHA256
63cb632bbac408e16d0529a83530599d1bbd71b7f0fe03d255905c1a2351329c

SHA512
b391a2b7bb7fa8f6987b13b5fd249f8cea60c5df2c63738edd6a72d6ef72ad42f738607ebcd5e475359a56091f3a5c9358813cd26d685610f4fd1e2c0ab05383

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ac20c5b5fa470f9dc89523aba76c6728

SHA1
24e03245f16b1f45409065e3c5405f328d2c1a21

SHA256
298b920ba2190af29f6420ad89344124eb198c3d87b8fbff6462d354b1a02bdb

SHA512
0f3a268d05955ca15118e480ab14569a45a0ce3e3032fdc364c7d1bc592fba398298a37f31081375ca516eee97a466aa3cae026c697d31241b69de2dc9ac96a3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
76edce7ae84bc1bab257e2bfe97df327

SHA1
819ef4333a6169bc2f42edc0b89e47ee8f1f4153

SHA256
e0d17c02b8d5e7c59f692b4e1f81b57a0c688bf06016ea556644314ecdae9f54

SHA512
dc7aaef9667e3e609f6afa7f8a8ae69c6050d6aacf4bc72dd8afa07ed3fa73b0c0541ca7cb2373a31dbd4d0635899653efd74724064b5d61ee36ac9ed1e6adba

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d28a8bb01a44b13728fa87fc82e0708b

SHA1
3ed011bcf07ed6ab418f780fe801abad6c85e867

SHA256
0185231bcda3598d5c3282b00a4793cc38ebc0cec2d23964d5b2b2141c85f0dd

SHA512
1fb0bbf4514fa57f033aee88dc7a30d9262448cd0193114100a714c8a3521a1aace25888b77b6f4c05cd3902f33798f694942650eafae40956363878ba7bd151

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1c548a2cfbf4b5c38457490b88e0dc74

SHA1
b51873a640717c5d079f02afd71311fe2bd1657b

SHA256
bb786704c9a6411b663af300189222f6f1737b706946fd5d4f859e42b070f48c

SHA512
52fdb0b9a2d7710867444bd7b72ecaa673c34b84066a6c6a63abe3270c5e4755343b590bd5a574e1de567999f59968660e732e83178845fffdd9efc307a01b75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4aeb00e55b6f4a722703e75f07dfddec

SHA1
7c2d16312d7ce9e095f2ce95b60deb6574837ecb

SHA256
1d0eae26758920a1e34ca2d048f2b5f78387e88524411b1e6133441e0bddabe6

SHA512
3e3980b6d3b70eb46743ab23f5b8d05b4f6b4dd9a2bd5e04f441c4aea7168bf2e6e64131370022bb4cdac51c7ed7ac0686f38fc59e791a31039d79062b05c73d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
abf1a28a51a249593e23e72c8f93a387

SHA1
1e9f39b318c555dac4e971dd8b9e3f08a480e759

SHA256
a3702d29a956ec3c375ba3ffe705ab99f8ae077e86374fcbbe6e9e19f1392d46

SHA512
55ea2239ebf5e1fa2f748ce808322f659c7847c12707b0e8ce59811fd3773c41688313669ad230e49dcc308be647000fc6d770d8db9c8226e28ed0623dd93d47

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b040f2646af752b5d601cc950952c8d4

SHA1
74033d6fd595d5220a9bf276571e82cc3f73873d

SHA256
497a898c7a378266dfda40eb992b9551fe6ebc44c3627d4d41edeeef55490970

SHA512
cc59b038abb903970de86a98302e7647ade3c0be5e03a1577c2d639d9fd339c35c616877d6a0e1e6f2174497e106a15291ad94d97dc92ad4bcf9ff11d7dad14d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f9537430c454fc4407463b70c8247067

SHA1
e83787e7eabfdffb00c62d8e484f3f3a0c871b2c

SHA256
9fedcaef5a7c0ce4209cae5af848727abca0c18d00948d121f8165aaece1e26b

SHA512
d1577ecadba7931a48e15476ec44123f6886c62dc586313a86876ae49d7ee16d543745368c0db47a9b691435e322c19353f18f07f4e15b8c59aa18a1592a69a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
31bf58cc3c4e6e5dcbad843bd8e73c63

SHA1
ecc833e911919428081dfa384729f1a106823264

SHA256
ab06ea34b1dec54ca45a359802ecade17d652df124583d975a0d096932367dc1

SHA512
8579d2abf9fde8aadb66c21d4f2294a9ac71f68c6406cb20f418327623bd9e1e7b14ebf9eba57e161454d2f05ca578da4bc61b01d1aca2fd30ee914ff3176e8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
886fef056375b6abfa92e9b7cb5558aa

SHA1
ad12c2351df35562b80c67ea8a6feaa10395fd94

SHA256
bf96fde0f1ca9b80c8141c1c1ec946fcc287686c3c8b98510997294fb838d690

SHA512
97c60e1b040f84c241fb2ade9f5eb7b41c87383ae7b1c313c941d6a479f26c24505ab12aa3ee7d95d2475df49abc1f8a1dd92d837ccdf23ee22f1c4db0969d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8d16d169f1bbb26259df118ebe53f61a

SHA1
de11327020e58e205ba90c59b54f4d1b3548a39b

SHA256
2a6e5bff08ace518905dc4dfd4de895609c53486ddc3a353efd89e198982d8fb

SHA512
8527a0f7e8a84f16fbe4e0142efdb6eb2c88ba71fa25a22a194ed6b04a44b8363fa0ccc07ea1a0fb203ae5b17c5a8a93c8c432d37a35a514d55faf1a23174b97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
23a4d34245a9bee69c90b1bf326061cb

SHA1
ae31c02c473b7666754d118c41299f1705c22578

SHA256
3b59f18f76b048516a650760ab84cb599074b09189427b3154c64d5b27d3269d

SHA512
2e3a45c3ae44b7d89c3a3d3b9c38a0f42e4da7d9a2e69dc6f1f222543faf533f9b33175b460a3538971d3e9a72eb4c573c7a193f40f3e616169525383a46481c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
b61ecbb51a0557c0284779c321188e91

SHA1
6d018b3aaffeae73adb0154f51a2ce168b368f42

SHA256
a660c3c2c97d04ff02db897e039740a0c97ec22055749c34c15c1c994ec3df1b

SHA512
f77783714a5cd64a2cb4e5bf3d7e7c2535897bf3a71fec274496618aadc6577e539a4430f59d3a1d93d55b6adbef2a0f3abc05fe297ef84edd0899be8c7d2689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
cc42a05ec25703d6876e836aa0d5e83b

SHA1
51f523b29f87b0c1516d6dc1208d760dac7b5bc8

SHA256
2a7e5893abd08b73f63a292e793b153c188dab5e6920753f6836e1a43bb06ef9

SHA512
1db6418458c28696e91b479592490265ae10fbd67af2dd262ce34f86182de8d3c70722947b9410624c8e2297ea1f98f02ab7e0fb7b9609c1d4c9001fe565c7b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b4a7230a5364ec87999224557221afb4

SHA1
0cc3d5f0d021bb7e198fac3e1a50ebec8190479c

SHA256
6e9e51747a4a8c34b10e6d6bc2931dbb789b0d26c4adee265091760196e43535

SHA512
0da4b510623c9321af790b12ac20a3400ded04da7949c078b4b033297b45ece15c2a8a6fb94ad7713d572494b172b0520f73bafcfa98e0bcce28094a9c393c69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
29c0b45cb22e6dd1088405176f6a87f0

SHA1
22a4aaab888102e447a969ef13e6a1813f68b5a8

SHA256
589cdc6486b3c5e5a9174b893549389d1f501f4769268f34473a12788470e576

SHA512
a806ddf9f4fba120a9777de722472afe89226fdf81e8909c5202ff180832234a64a9e5a72e0ab0a08d528874a07222e143557c47bc078c2e2f2c26ded1f2f9f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
65ebb5e4788b56ab9da2cf28dc8bdbbc

SHA1
d7a282146019504300dc22242facae3b25e9e357

SHA256
dd6c2fb89fd5ceabc9efcf84946721d88bf1e54fdd06e0f9def59e15a53fb813

SHA512
d6e75a8d5d6e35d8d73a18f1c1722daa15e20e5bf80f7830db7f53a239220c38b0a86f1701dfb5e676b7921dd2b655137ddf20df44680d1246ecd4e0ac2f30e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
d567976c9959c4224101518890b10066

SHA1
6ecca8403d8f39f2e176590aa14626ff583d8459

SHA256
758250c8f34d12930479b7a1a9455e781ff523369743064d4065eb9d7c350daf

SHA512
1efff93a23f940eda48c0c58f0faa6058a835e39a8fbcdcaaf14c0d5b9a8f58743cbd40c165a691fecaf1543dfe9e1214517dd96ef9ea7f9d989337d7fbba620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
e8fa090f55d6dcf46abb0a62c1bda235

SHA1
23f81df732b77595cbb536ee0d0805234e3ce7ce

SHA256
500e51a48e4f8af27e544a50e5208c25f29d23fb22115ca88f5398b9bd2cf532

SHA512
5e50348a7f65c6281203731ca1b2bbca88692771c1c858f57460d5a4a270b42d12adbed7ee6caad9563ace952b8a48f2ca226cc7198784640ad93a26889a0ed1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
756b8aa529d03331f10bee1bdaeba146

SHA1
5665e2c14a6ee66e513789c4402a8ee4ee89aa48

SHA256
c50271af42cf2e66dde886e3f529b972a225079b40fb48bf54310fe0f0292e25

SHA512
eb09644a3060f6ad156cd6e3b72ff51a580c26dc669b4745c74e5d9cbc5dd194bd20ee31d5c9106d7862d939776e4d89bb3ebb485e1e9fc21b2ffe8206d0fd29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
3d210ded344362b777636217c2123f93

SHA1
b239024cd4d1eac314c2ca0259b77dafc0da496e

SHA256
337641ef3de8912bc9dc1d886305f5bfd5277c5075b5624cba163852b6c4bba9

SHA512
a97ce2cfa4822e5056dbccee7bfa86c826d54ec9fd19fbbaae86048f543e72b30dd3272018703973f2b0467a7d3009ed02ad5ff1abea99549f4b2dd4c4a1f89c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
7148ea37d0ca1ca0991ece51c1e3be05

SHA1
30d7360ebfccca240ed098406c48ae8a065cfd8a

SHA256
cc489d69029ea0c63eeb250ec51d53180a7d5e2ca71060732bd9e26dbd668a4a

SHA512
1b5d4252ed8329b76fecef3f6fb791a275dfff0e848ea3fba8b2fc7b8345630ff00339f604d8ffccb09b44edc6537de5a94f2052addfcfce70e15e4e8d6130b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
bffb2c61b5b802d70e5fe787b4b3c482

SHA1
a3fec9ba166135437c7a3a571f4c50b85d92d283

SHA256
0e7f2bdfc0a6232b4690387029e9df3d5fd806089eda3d89ba2411f808d1e288

SHA512
31bc63c221f17f7f4c60216989eced580fbcfe15aca040460893a56c75f649166dc20d78ab33573dd153dc93b40967ab8f94b8153696b4248d6b4349e38ab82c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
fd0537e64f84c03e351d999e48e33daf

SHA1
1662a9a69215d3ac542b7796965df58b68e9a8e9

SHA256
23bd4d050583bff42818daf5c353a87df0ba62133a8312f2ae3c53e0c3707db9

SHA512
4f8127bbc49311df3bb0c3a13264c2694694d35e6737982172092a88da46afb985e3134c360900b4b42ec9e60dd99c02581a2caa49c685c73a2b038c4bfc63ca

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a197503bba9168dd08ae2d9499fc0d5d

SHA1
588bb44010d8aacd42500512cf40431d1fe36a18

SHA256
b788ad65ca37470daf09424952e0ae645d0942c2a4b75ba8dc05efbb6a327bcb

SHA512
4bb54d3fb13c850c012b3a77ee5d8010d88880c8244522bc92e297d7f4295607ac5636298fc1f5ad94fdfabadbe334224a3859d3660a6ba07ac36f24fd0f543f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
7ffc278a66d06558d80e67bafcf5077c

SHA1
54c805e2d5b530f5ff2507e0ad50f63e9fc0e7c7

SHA256
4ab7da21d1dee91b498b4f688f53ddf42b9df0164b5c2e75b87b5c47343d3ecf

SHA512
83a394d9f926e2ea0293fad6b10dce011c8d955c70905e0530fd0ad25203db33fb467d47b3950c0fed286979fd5f3f030968c507f5bea9eb389d481855d8a25c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
d81521a1a43bd317bb349343eb842cb0

SHA1
d63c4eb7ba8029229eccf200dd0fdb0eed4aa3d2

SHA256
f1707d7bfa29cc6780d6e993468d8c4b7ef295d5c37b9c9111d8b70ea79083e5

SHA512
38570cdab37f87ad755d53e0cd781da3f395d8ab39b1495bc32a1a5aedccb493dc99244f69ba2b75ac7855da1a127bc4a3b4ff42e373d04ffa8a571e72e53b1b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bd40555008ee6a503a50f5481bbe8cd3

SHA1
9bbce255657d9788df3662791533df6076fbde3e

SHA256
1f8b0901068971003e41e1472e3c53d6b9dc7f94b71e950a2f814a2240a8aba1

SHA512
a3a0e6195c5b279c16fcc9c9d8cbb51c066da7616d4bbbe6e5f96528de69ae653dbd5b253cc7921e4bad3290672f60ff039a3f9f61144ccc4cfa43c35f04defb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ec5b01d435659a5863075acec0091451

SHA1
8f9810feb1043c106bc237def0429f8ae3599b6a

SHA256
eb3f7a54dd75352c50a7b54b33017680b2087ffee3b802257f394b970ce74b1e

SHA512
e5d749bd037a87ce7531bc7769ab5fa0385d1d6bcfb0198b0be04dfc9df5c1aac4e71f4e2b40679c303d42c3105e73bbf172bbc9fe6c5d2ea3bfb63e4c955d67

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3343a7cebb77d121b90eb90ab0293c30

SHA1
4d1ca1355a1a6717918e1858e421e942550316ae

SHA256
3225efe20705914a4e260fff70f2d2bc3dd928303477970a1a42c73e4acf1691

SHA512
e74ced910b1cdfcb5090a29836e10f45e2a81bd8ff7f0df693b232c318102ca4406165d44ac660ecfe8844d18f20bd2e496c5d56a428ac3f13bce6c71e74ae4a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
556df022bb4b456771f5d8eb56afbb3f

SHA1
014839b91fc026adb07845928538ad1cc5986325

SHA256
02978d8af56080723018d17261d798479d56db588957d3d60dea7fa8f98dc6ad

SHA512
14777a0ed641d4ee1dc46e412a5016330cbd03cf5a0d4de5ff230a9c4b0562694363d6caac81c36986b31a14c8e91724469ba607568f42e5ae8661741ef7cb1a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
196d418586518f021d123bd086275ce5

SHA1
8261025bd39c0462b0a94780ea30ec228a84fa84

SHA256
534617cd17b1197dacfcf78bee08aa20a0572e23ba743a8514d687b0bbe901e8

SHA512
bed4b63ace8eaa4a514fc8fa6df734a0ef0d821b7464f4ac783243e094b3f82cda60aacbcfdb27de89d246797238889c91095ae13ebf307ae53960a08a944791

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
2d1330e766c686f3b3b819c82f6815c9

SHA1
9fca3d194ba351df49b590face017e68911625aa

SHA256
115aeaa592ee0f586dd7441b40089366ddf1908eb93b9db056b4f6bff7a92ae9

SHA512
6919d465948447570dc5b46bcf7fd09442d59e02d6027103682a8ff208ee1578e247fa34a1f4d5eee174f0f7a94294941429af0b9ed0a68ab1ae751997e6d26c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
df53cc906e266965018002cb4e0540a7

SHA1
2a6035902405e83e481e2fc32d3d2e4d2fa3c348

SHA256
7a1d10aad4ed1cbc854a301cd94c772b767ce0469b1177f07014990229a58370

SHA512
c4faa4ae09e0bd81428ca529865d1eddbb4e4975fa01c40fbead0d2d62bc9dcfacd4ed560ab54a98200ca0108fa36a76962fd7b7e64aeeb1b299ab9367b5a900

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
900bb4bfbd4df3f19fd3a7b4a4b62cdd

SHA1
e5125881738a2fa52653e1472fd528e212ecc6e1

SHA256
f63665e56586cff0db778207c646537c13e52a909495df35cd05e8eb09d849c4

SHA512
ad1c9b71012a6a7681850bfc34504a8484f23b43911812048331b27602be222203a8f4b3804346e13984bd828be31228fa301399a2e3969a056a501173287c40

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e178cfc1a7b07aa5697d429c41eed0e9

SHA1
b7c75c701eb03c30d09e7f2bc67016dc4d778fa9

SHA256
e8beb384ed3cf838d92dae7d5b558919d078dff21d4ba44291c177548e880a2b

SHA512
5fdfa37e41119f415b628782effc6333e08a0132fe3eda79774d0cfa60ab2d3cc776b280557df47865475a3c7eda775804eb83c41575f92da30ceb2b13a6400c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6914bd24065c08bbbc209310d0852f30

SHA1
8dddf3d31a70c3619d091f98913a3809ee1726bd

SHA256
4d05bead27ee04ef0a5df9aee786fff87b261fbf79b1171949de2ead79c00dc0

SHA512
df6c8b228b11342efc1020115cbbdab6c9aa2d34835171e7075271930cfa508542097f66a0e6682e4c3f89f064917ded259eaa33498ca3c8a07ec8bfb6a99a92

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5bc5e9a4a4d1d0627ccdbfbc75af1a5f

SHA1
2c4113f834547b37d31c574d079e126a3ce6cf2e

SHA256
a019b38bb0970eae63e2fd331373430575d4a6064e88c02706eafdd8a1010b23

SHA512
358c0d3d3beab3fa9bf9c185190cbdff9d36d85404ddaf49a181a23380494e1a9c849978eba07c5ee802308cc0d90954394c1b412ccf63a467803b89f412e283

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b505ab58fe84d154efe5d3b4678eaf16

SHA1
730bc3cd4e50c1735586a57a50589d52e05c027e

SHA256
ac21e51464ceed196540a1e45143b82ea8b59c2945c809854c1091a7b98e3605

SHA512
2ddb172eb61d5a9922fdbe125e7347a1b7f1247d75f38a6d33bcfc6cd35d5903970821a1ddc01010403a20ddb3973e7054f70ca5013c7f82ffe26e9e9dcce7b7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
01f26a5624295563631a277adda7fbcb

SHA1
7e01488f2f192da236417d2f4b17d24636cb943c

SHA256
9748c2ffffe1ee2b58d95ac5e2170189b43e4076744a3b38d0b7af391ee46e05

SHA512
8c63cbdaa13f0025a97a9db57022a5c1082dbc13c9cbbb3eea6b819186346dc21e9d1d4ca0a99ae0f0e59c3a2474f1003e119f724373aa82569378bbc1049fa0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
b67cd15626fce3e1a62fca54f8d4427e

SHA1
5ef092b757aa52d77663a2ea6fdd56c4b3cf89d5

SHA256
8cfd5c5d4c6985c2fa1e284279728067a4aa55ab331ac6f98a8140b2c2ebdf4a

SHA512
0bae8fc0ce9a07d8333c8d09ffeb61781571ce652956530a5fe83d11a72f56f372f039c20b1b07bf0bad19dcc89732dd1967b277e83e05d36153b36ae7a911a6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1d141900a00b7f1233d85cc58c862cd0

SHA1
a2fcd38f5b891fa27648de038ca39c5eaff7d3a1

SHA256
e237d3824bd77cc17a1356f0487cc8e982010882fe67ee50b059627bdde8bab5

SHA512
77593a11a600384f08235c1de4df0f28f28b5af1ba2431d8a22e716cf4b6bd023862182baca5da2b54d901dcab3810d72ac63d626d327e504278bc2f1c38c92d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9c983a108b2e0ce909f058dbd820b260

SHA1
db842dd8d38f5c833b1fab42e19a2166cb87e209

SHA256
50f8c11a14fdc7f4f60c8b9430d00aca248d043e450d12721e40069550694974

SHA512
b26585586b34d12cef2fa037d01ff8f5a9c0c9c88faa5f12be7c30e66fe278402089c48235cd382a2bf82bc005b4cbd4d92bec3423c27de3afe98dd532d046dc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5a801fd3321049ddf93af15c370e8549

SHA1
ace01d6f63a5e158e680d6af22cbd51e346059ac

SHA256
85e7acb2b2e71fc54e882906e6e0df004f989e5e44ed05acef55c51d9f1d9939

SHA512
3ad2d518a5fd0f6d9eb16edbf643ad4fa1a4d4b9e2c51a9036958e0442fc989b3d246af331a87d36285a2d2eb25fb87982c508b46111bcb6e346db1d97ad9563

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ced824953becc79c80e4f15668955ff1

SHA1
9250b5db69c3b1c6576ed85070e952549b48e072

SHA256
9d8cf728620c15bfea904a753b5be67454cee23bbd6c826697d7622a70678e09

SHA512
63dbfec0fd582f2b89eab1eb9496ba2a72b26f9288127feebec3648ba77a5aa5aaa37cd566242bc58cc9ecc2edea87f80d71515023c814eb670aa228e4707865

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ff35c29b36af0be5dcc55c5a72b1ef0a

SHA1
8e7d77dd2fcd33c8e845d27710ef2b205883acbc

SHA256
0bb5654fbeb538011019264f0bda5c1c05ad188c1842e430f89096b5bb61c45c

SHA512
70904137023079212baca79a1d4be62d5329044ee878345e53a50990beb6c3cb64adb4301bb29cde6caa79379da8531cf40394a910957e6919abc97b1c762537

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ea41945e366f7340e58acbe8418ef509

SHA1
c639b73b2c28e84df0afffce06f17e4368c50a86

SHA256
8ca1a2a180616e091b5f7181ee6eb3b6701028e7a9da29aaba1985e2c60d8c6f

SHA512
1e22ba3f902506e3c49e8733d65665b62efbec3b9fb4c39340f582cfd40b9a84ca1076be282969d16cf0226867722e970bd45fb9119bc8e8132f7fab544a4a05

Download Submit
memory/636-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1452-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1452-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2252-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2252-554-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2320-269-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2320-556-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2500-45-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2500-60-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2500-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2500-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2500-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2816-206-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2816-548-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2836-6-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/2836-89-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2836-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2836-2-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/2936-248-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2936-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3108-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3108-553-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3144-224-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3144-105-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3232-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3232-86-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3232-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3232-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3232-74-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3248-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3248-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3248-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3248-116-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3580-555-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3580-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3696-34-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3696-117-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3696-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3696-30-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3708-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3708-559-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4136-91-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4136-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4136-209-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4288-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4288-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4288-537-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4428-545-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4428-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4508-462-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4508-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4652-162-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4652-379-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4748-179-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4748-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4748-48-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4748-54-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4824-118-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4824-236-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4900-139-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4900-260-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download