4c5001ad86f4ea46e53ac119f7ad60ad5509ff728cebd09cbf971a99355d11bc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Size

1.8MB
MD5

2702a61323056d4bdddaf30f896bf0f0
SHA1

7b97f28792bb58c8cc9ff3b49c57000c4dd98413
SHA256

4c5001ad86f4ea46e53ac119f7ad60ad5509ff728cebd09cbf971a99355d11bc
SHA512

5813285de89e46402d0b8419cdf22db1ab78272fcd1e184df8678bdd4eeee8d3de8573cb107337e29848d4d52d6615b0dfde35b69140bddce8dac60c6d73d2d6
SSDEEP

49152:JE19+ApwXk1QE1RzsEQPaxHNL+YktHRFcbtUKA:693wXmoKj+YwHRkeK

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3508	alg.exe
3932	DiagnosticsHub.StandardCollector.Service.exe
3456	fxssvc.exe
1840	elevation_service.exe
3812	elevation_service.exe
1328	maintenanceservice.exe
4876	msdtc.exe
1472	OSE.EXE
4000	PerceptionSimulationService.exe
1612	perfhost.exe
2724	locator.exe
3280	SensorDataService.exe
2368	snmptrap.exe
3204	spectrum.exe
4616	ssh-agent.exe
552	TieringEngineService.exe
508	AgentService.exe
1008	vds.exe
3936	vssvc.exe
1304	wbengine.exe
1756	WmiApSrv.exe
4972	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7f41b4bca46faa3.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaw.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaws.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000030074e84bceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006557e7e74bceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e8318e94bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018944ae94bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ba65de94bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d3b6fe84bceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2ff92e84bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea794be84bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c2c1ee84bceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbcebee74bceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000226295e84bceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Token: SeAuditPrivilege	3456	fxssvc.exe
Token: SeRestorePrivilege	552	TieringEngineService.exe
Token: SeManageVolumePrivilege	552	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	508	AgentService.exe
Token: SeBackupPrivilege	3936	vssvc.exe
Token: SeRestorePrivilege	3936	vssvc.exe
Token: SeAuditPrivilege	3936	vssvc.exe
Token: SeBackupPrivilege	1304	wbengine.exe
Token: SeRestorePrivilege	1304	wbengine.exe
Token: SeSecurityPrivilege	1304	wbengine.exe
Token: 33	4972	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4972	SearchIndexer.exe
Token: SeDebugPrivilege	4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Token: SeDebugPrivilege	4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Token: SeDebugPrivilege	4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Token: SeDebugPrivilege	4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Token: SeDebugPrivilege	4892	2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
Token: SeDebugPrivilege	3508	alg.exe
Token: SeDebugPrivilege	3508	alg.exe
Token: SeDebugPrivilege	3508	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4516	4972	SearchIndexer.exe	109
PID 4972 wrote to memory of 4516	4972	SearchIndexer.exe	109
PID 4972 wrote to memory of 4476	4972	SearchIndexer.exe	110
PID 4972 wrote to memory of 4476	4972	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_2702a61323056d4bdddaf30f896bf0f0_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3812

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4876

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3280

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1b0803e2b3ae36e9d0435b8e9a26f772

SHA1
0f42433c3212f69211fff9f1d92edb67120b8405

SHA256
514fcfffc3c4a2329b8922219d6ead8c4d84d05878bae449c2707619f363f205

SHA512
add1f12a9f659b156557142e4d3a92dc174647de056a55f36afd9df9095d0f80de4c50d4b19e8c1a80d891ddc2a73731a44c45e9b4f851d564726f97c8e1e472

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
877ce9e1c8740ff7a3ea40159f349881

SHA1
6e07fa1c3209000deb7cf9a5d3e03dfae36e3bda

SHA256
6dcacb9f4bdaaf8a495eb9d9bec00006982af2c92be15541ca8d3d17f3644b47

SHA512
d51f8d796b5e8bc9b52725d2806d8b4139729e6839d58fce7480425520485af79c3bc922564034eb2758adc348b5ec385c3b240d5ebdec0e652b5dfdd634d4a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2cfb9f16e49fd100ee70e2df2ffa079e

SHA1
49cffe309dca6a0682f3cdf81d53bd7c2b09806b

SHA256
e899601a67b52b56aa273b0d29c33cc54e54e84693167d7c4d0ccbf51a6fd218

SHA512
b1d68300956804f9bd30541fc41fefb622a16e45ade21a15233c372f280497126fae9d6ef83d015b963dfe66703ff59f6ff538d9766f4bbd40d9dd6a38b2b02d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6f8440c05c6eb08ebb2b08cf6b5494e5

SHA1
4fdbcd74f6fe8cd7b71f7563e0e9d8de25bc84ff

SHA256
6ad202c0159587b6cbed35448a428384f063e6f2c00bc5a8f8f2633910068619

SHA512
ddfb296aa42cf649b5d88118a3ebd6ad535c2a5eb84db0c3382e8677a23d06f46b33b62fad3b89e3e4ab867e211ee4a630b97955479081aa4c3791e599067770

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
17fff5a49882d722598ab7f6e17c1ce7

SHA1
c92b3b2bc57c64b2b207631034bb60d1eb0fe97b

SHA256
2cac14ae960c10b461daea5c4c441a6752bbea97fe117a90075a9665e1247ce4

SHA512
dc43eea5f8f23d367b3904953c1e1a752d9edd50ca3efb300fe86f508077b5a17a902ac1d8e7a66e1f1a3ea597b8b4b2cb4fa7b11a30b108a858beb09bcc08df

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
88b58dfe41182fcf438a6d45c0dfd24e

SHA1
0c239b5396640c16eb86cf0af52fd40d4ed4b2ce

SHA256
7f026a8697c00417b380c53e2f725bd52a4239ac5cb9b5b24c5e226c5b9fdb1c

SHA512
333ed87048cb07d8becfd073e2da21703905d5e22e5c4cce9959ef71c29f044986e1d5a6f430744d35fb83f95d2c14366c70194748b8cea45ea8b920ac2e127f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9581ef73433695fb663d4e6802737dd2

SHA1
0cac2ab017deae37bb0ac3ba4e6d43eaf8bbb071

SHA256
4288c9953dd5b239574e5eda153b69d34d020fbad78a2fcb4dc20f1d1aca00cf

SHA512
8360d5acc79903c884002c5e34b86de02e4f9bfc060b9d34d12c1fec71869f59a996eb1297da8ebd44344928f37aee2622ab3c727fcf7fed89c1eb4378d3c032

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
247dbd5da682ea441d1ed87d6d321e47

SHA1
a750a47700cf288aadc22fb75910304a7c0d7193

SHA256
60e247f4615f21524f3656d7e0e3dbeec5f0344cb8ecf4c57d30e383509088ef

SHA512
a47da0d3e77d51a8b7e116069906fa18ec05ba6a259ef4c9d60e9d94727d2e574b40126e2404b830b4413a8567f39e7dad867ce96cf169561d488344e977de4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d5c07108230ad1bb18b1654fb1970c7b

SHA1
3b6974c603637cd59744dd620a7d6193e3f0ebbb

SHA256
d6f8e1774ad9798baf60ac401ee0a63d4e7922958d79d19dcedb460b7f823b3f

SHA512
dd57b8a4d7d961e0b24d9edda0557fed01a37a4e0651bba72ab222eb7cf5949f4e550d9bd48415aed88d4c419f8c390a238fbf4bb0b8f218a4f520399ee25de4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
14780e5a50a012a08a83b0c15d364c55

SHA1
84760ae80b33acafc8372772b517aa77c1c6fe05

SHA256
4329b37e33a2be99fab3faf1c7054f7065e117c5992f1c7ff4e77be52fa5e046

SHA512
6bed56dc5c8fab0c09c7701a4230efc7548175335eed274ff84000b85a3a43d8b1370b6e408e1bafffcd76d80b3962c35a79a3acbe2473767aa5368b0c3348e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
09c12ac0056272cee8ba90969606617b

SHA1
acf55a3d48c23969c5f2ce1fc7797c5c16244db6

SHA256
e702a86e57d4db369b55ce535df382df1ea02ed357c69f63f50c9a3e6a8ff6e6

SHA512
4dd8bf2ee3a82d6a2f07bc7b4b8fec56eb8d626643852a040ace2e3d4a7fcbdcc127231d9a7c40fd1255bea4723129cfbe87dc00580128d26b6f730d595b167d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
46633f284d0f5d5d0908d20ed76b2e35

SHA1
5bd79c496b0b678ffd434958d87381cc860329a3

SHA256
7a4ddef36074ce7dfdae4dbd691ae45e1c1d761ce4532b79cef11b16ec7f1f14

SHA512
c96efcec57c6d48da5d5a87b5ed384a58213f015c8bdcfdc11033ee61ad7533a74157703f54b4fed791ccd0093d08a6be1250f199b297f13f9601c8e7ce6cd1b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
403e65fecce5b9b668a230241b489427

SHA1
1f69848f040959017a85080e8bfe18640b36869f

SHA256
3ace982ea4ebcf52d18994b6a155db5394b702c5cd06f5807f4b2e14cc57f436

SHA512
ec0cdd1328bc1f9dd2212da01f1ee9ce0dcd8147218b089772c6c5745d1de6d537b509a0e453cfa1879097112f9cf9029a724a9de2e3315d944d0deed5d49fb9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
bc0ffbf400c5ebce2176ea56c090a123

SHA1
77822d0b57c8f6997975070e7cbc5a040f75ffc7

SHA256
787e025129e736cef87870df2a877043858ace8d4a2a96d944a6d8b234991486

SHA512
92dffc3772703c3a2e60bd722dcac2e0b271157e221f315950a595fde7a91780ea509b21c9a67542f07613a9ac4cc54ccb21dc91e672802a8d17b11de806f02b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
aac93e1be68033dda473a13ef1e70424

SHA1
be21d7dbe803c3a674696a877d1c2b7d92b80840

SHA256
c2161939ecec2dbb46de194d83a37eac2e1c543749b8a0e5612e8fc3d75c2b7d

SHA512
5a570be610aa48718e723a420ccbb7249110f91fae02af4fe9f62d3e3fb3240e54b952802c1fb69882cfc6869dc82c80493d5f70608ab965cf3cd86f07360752

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
aabf52bcf763394417f947893639ec51

SHA1
779ae6a3444b80698bf2db448ecd0e1ec6e9c395

SHA256
e00ed516aeb5046237f825741f7155e8c01cf198cb5b3de62c8c8893a3a33fc8

SHA512
75ecf6cc7a96c86f2afe3c4a1b168e7976a5c227d8c43b8788ee0b42f7b1c0efb25e4ee96202ef2c5b44dae19bcf87268d8c3c148d465d4dce4eb7b9279e3edc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
09fff6bda8647fe6e0ddbc59bbf3701c

SHA1
061d2b18194590bec1877924aa7b28d740eafa61

SHA256
0f1a4ca68bfd269d36b2295c6d4a0a2eda020eff8f33f55cbc89652c397fa131

SHA512
57402350f44572b53d120ded7199e8b5b8abbabc97a23f781f999e0bc4ec3ad712c99e836b3823b790e2b079ea9c3d27daa6fb2a62a533ca55d20e6d47b11350

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8f966455d8a2586cff3331e224523486

SHA1
3b96570ff0aaec58e08d13f1386223087fb5bc5b

SHA256
bb6154ecf30357edb09959bc5d29ad23846e0184bd60db0521eebf1251a3fb4b

SHA512
48468066d3e9e95a3015233ef727df6af454965713469ccb22096ab0a1e4c74f1675389f343b05be0d2b1c7b9392cc133584167afb68b48282f8585236ee2050

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3e944c9c7b28f392b0285161186eb729

SHA1
222acba33c77c1efec5f9455e38526da29bd0df2

SHA256
212306e5ee944cb460e7d8b4e7cae1232dd65ae613ede79cd51aaaebb4efc4d0

SHA512
614a1d0af1026a87b806394f45f090e69004bfe62b4724196b7f02b2129a3f3ee9e96c699859b8c2dcb6fd702d1879ecc118257224dd85ca846ede3462949f23

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
89bd8b854010a7885a400ef2f9447ea2

SHA1
b5fcc7a17b4d68d97d48de6597fa6dbf41b1e70d

SHA256
22e3092f5aefa736906f09d9236c800b4a309f1aab41a3bee6c2f11f4d1cec8c

SHA512
805587737c9f4411abea443e971a33b3963b978ec79d107ea89d0ff81f058e3543199c0cac232b1045db159a53b70cf63a1c8b6827148f5b8cdcfc7c3596ae4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fb34c0d6eca0228ce92f58fe01a3e20f

SHA1
bb7676d36e1d32ae745cfdad08cf88b288703a7e

SHA256
3a918aa1f9c19053a603eb611e03a5a1a982819df65e0fbf3bc4add6ac942111

SHA512
522c5794490cadc6642391c396b36032d27beddc0eade90d7dcdda5be9a5bbe35e6afbd5ec4b2a41ee4eb92769ca5de42cafd8f2f3865527eeedad377bdca149

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
157e340c01564bef44d8c56db98d578f

SHA1
0402101d66d1308c2460fc726899999454a4dedc

SHA256
6cc8faab2a7e77cba6f8f132e44593eb1a673f69bc0aee71218774839bdcd702

SHA512
ca1e32683ab59fe7c5b951068d3320206dc83b4157033f1d2fe3dc7f8877fd80845787049ebb50acdd236110456cc6c77e12bfff1d08a380b25993c89fca34e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7244c50f6c089fe1bbea1d5abf6ac06c

SHA1
db9642e8dacd9cd41e08d5c7cbe360a3ffc48415

SHA256
8d2a7167c4004476188d4122ec22e34034377ca695cf688e2b4dd532234cd91a

SHA512
2973cdf44c4c89ff380974fa94d57e0c4cca6bb90c03183feed53747e53623f600c4ad347cbf0b4e23d2c8c136126f88427ebb441a204143b8e71e341a24573d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
d7b835af2cf39745e6548dadb668e1d5

SHA1
871fc9d948e34bbe539403e00de4323f9d9c463a

SHA256
bd0d13c3687a0dca9642e6c7865fa39f88ce01e71ee329985603932d81d59d1f

SHA512
b29641ea8ad529d18c00e15920a6b72b7ef6131d2dd3c52f224afad962d71d28480e46112a82bc59c318afbf4942e4afc241ded0c4b0ff48a474d124303083e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d99919cffad28ccae5411b78bc640573

SHA1
694db3d8c4cd5d84eb7b3de7f792f46ab06b592f

SHA256
d915c63d6fb342f34e8e423f514db1e13198fb874e11f31e4af7eea38ab2507d

SHA512
c6c751f527baade53a32844912237ea366a6e77775c80108a7a38f5b93ebccdda5c15ff08a5890b1a4362d0806ceb4e4315f0875190782b508f0502d8f3c89f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9b4c288094544a6cec930e74e04f5761

SHA1
312af2b073124231af5188d66d93ffbf12b3a3a2

SHA256
2031b426c07b2fc74aece15ea37a3e2e0c38b7ab68f531f05b3d290cadb3e268

SHA512
28c1cb55a8eab648c9cb7100ad246123c879c78f5ff2c5892ffcb3ee6a80d3c92c36f814b4093c4ca8ed839775dc8f6eac93c0891cc7773913b8a77f84ace5bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
78344aebcf564a79fcccfa3b53c3e6da

SHA1
cb2eadfc331fc4eec26cbd40888d7b83593c852d

SHA256
b9e840ee1f5014c17e42415a4244ad69d5aab8217aeed8f8abac44acebe464f5

SHA512
6638490177201191ee82005e080041fc899c7e945f0cc866bd60528cb456e111777ddf85d97921fae567f47f011436378458f7b03d03ebd37613b272e5aa85cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
856f4f85b55da0bd7c48be28659162aa

SHA1
d2345044dace73865ce61d72d43fc84617a93f4e

SHA256
760e665ecba234b10c1c97f943ad74504594db15aa676513954680c302be8b3d

SHA512
34325b5c96b5902220bb8c9be40cbf69141c5f326a4a6603c1c6009992c4f9647ed4f6edb3ef5a1ee2f5e26cdb75727b4854e5444cfb683c32d95d03d971a6e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
83a5e041920ee9cbdc702f06a404c8eb

SHA1
2c05521c955296c2e101153f51f6621cfdfeb722

SHA256
03ac5a1a9d6fc7c03abe5ff9163850c2922a8dbe0ceae6a67fc87a674df9b540

SHA512
5e8a0b5ebd1f355d74a604c3806ed83746b270a0f097edc17b4e3f6343cd1aa079ae8453f4b4942f3ea225b148ba424a18a5b35cafcdd6736c0e0fdec3eae9c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7fec86ca70f51d6ba019d258fd208ed0

SHA1
a96c555de4af24fb55421723f9d9d2cc53a8713e

SHA256
637447e101e440e009a28f06589c3bed6d2f6e62d3b74db074a0bb40920e8b75

SHA512
9de88daafd335954e6431db208f6b13c468b2241a67365a63afb769a0fac578ee881f319f951afbfecd50fe6c227384053ce6902d971dcf6496425fec05aed6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d1fff1df94944fb4b016fd549b4b88b6

SHA1
5f808525bf125b7a5ef03e5ec83bcc5a4004f503

SHA256
8330d436ca6a2bf368a3f3121eb874858cf300db36909945e6a2c1c7b1cc28b6

SHA512
ed8d456c76c20382c17e8446adfa800c10536af2f84dad7cd6519b8bcda375b8eeb56b0357fe2e633337148e422648cc9a790ae250bc56b3018693a77cf28c21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a4a1fae7a5cb4acc635fa6cd89865172

SHA1
d36f8ab1a303f52b66d18e48839cc29c952cf8b8

SHA256
2b20877206b4f4df5a4ca39d51a603a15f850d6650e5bf13d4390b8ca15a24b4

SHA512
c3e8918aa1c94099d30800ad6c693ddbcb6427a648085aa7bb50969ec4584a45d77481e54d64a476cb0d76a0c564ca42e925d2fc7d7f9f0804dfc81d0f60699c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
305798640d47ee72f0d0271199f75515

SHA1
bf6671c919f2359a7f2f5953d80f955514dd83c6

SHA256
763f263fd806fd1aef2bd800d374b25f8e777e205d2f64e252e8fc2209c2cf20

SHA512
3af49b793771e5598a95b00f77d2b8da6f39da57aa28529ff133364c32e313996d3e71c9d0b3e029a67f26bbc6b183eb0d68379e1cc424169dd4e32a1e587311

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
4ebb949e0853bba593fe68aeb0076132

SHA1
74d85f0223e2ab0cf65bc9fda2074cd16acd82ab

SHA256
ffb5b503d00cf73448297543a60c3d1a8e770e6b6479f89314bc10a7d14d3fdd

SHA512
4aed2a9cd93df4a5134bebddbe67ac2201ec28af6fb54461e93d9d47e0d5fac7e05f74c10a15ba2174d82587883c68b12d73f23efd81ad04d68b1b4668f1ea4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
dd4346473df19bebf83f03769ccf7e67

SHA1
e10959a911d5dc5cac6e1950e212d803b049186a

SHA256
d507fe0ea2405bf33198d57f36e86369b1855249628a2159242a0988df8849e0

SHA512
2ec297656f05fa3bf82fe11b27d5cb526a56e0f316a0d57472862d45edef74d741fbb2d79df25fd2d33766385f5940a8d76e35d41fa8a393c2aa9d3796f2a5b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
7d270a60c80efb7add2b950ea33c5142

SHA1
65b2db689fef97816bc58af31b48d880c9e7b178

SHA256
09d425e8410765fa62191e623d9ae545fded5172b687874e7bf5225fe6401564

SHA512
937d3f3c3bdafd1f4c1644f3c62edff5f06e1915d58ac7b127d8e4e1eeeb391275013fe9396e79c8e87abc312a17e974e20a14ecd68feb4d962142a8da2cef9d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7da872e0e64706445c5ea20bb3dae516

SHA1
68b34faf1d1b6fa6dec6cfaef8c8247cfe24ce17

SHA256
54f7d8ba2916769838b4c46415a31a1c39a2b6e4fba00aaee63db3a2235abbaf

SHA512
1ac20589e67458f28911e0363d8645525b3a7e35df65b75c7c4e6beceb6ff16b57d730916efbd6d2588b099c6ddfaf350c6f4d625b857b148c05f48a127b2279

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
7b8a0eb7562a6ca21d7a12d5f0be7406

SHA1
12bdc24bff4cf948adcf6fa468235557ea3de0ce

SHA256
3c8befe6fcec1d3b6863a877d800e08ad21234a15a80305bf4453d06bcbae440

SHA512
ff7dd94374106f8c58d55116144da618e3de59435ac5f3919b04e662ff9b079a123776ca3ab5400d7bf0b198261d26888e4e84af7ea91825d68f5eddc56e06ae

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
cbdc6dbddf2d3cbacdbf6712a65008e3

SHA1
b8d5e663b3b03578ac61ab24ff46d7f102e0d8ce

SHA256
73aad5cc2a18fb4428b75cdea522d074f27486b48277b82e8cd404b7ab30ba19

SHA512
98f7fe72b824f6063076f51d32b40768c608b00a63a81edcf72024579d5d7e50926eba379e3b6422470b5f3ad922a34447de7eaced3a9d04c182ec9b0cdc180a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
145e90f2d8a0564d2afb1f73e15879c3

SHA1
78bc27956cc64f8e1821720ef14ce16895429303

SHA256
ab4cc70109a97d26bd59ee70e83bc83dc2e9de9a9d8868ac5e86e5579f45adc5

SHA512
d85d3603d37307cd5083a236808e61f6157344f629e544130fb10fb1461d98e6fc9deb7ea580615e0187e9a9572e06797feb16ee6194ad04149c0bfbff6c1bb2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
eacf339a9346e32629f89528a8889c3a

SHA1
cec0abecede31d8c571da498ef174ad9f397dc46

SHA256
75da22db05a7cce53816b2aec336aaa78435ae19e929853ed207e66193c44aa9

SHA512
74ced0433c0589b1ec12e34f0ad50f1e330306f84429f4e62af22940b21b33b6320a20e3c8b74926f4ef193111698d4c61d7824f7d66122cac54e799b734f577

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bd7b4dd6ca8964c36bc9cb68fe1cdaab

SHA1
63a669724de90c1e4526068a89f9b344b1d41f99

SHA256
5a8ca46cb45599c6aac0afcd86497e5c58c8358e2bff5cfc6fb1cb2d836158ed

SHA512
bf7f8ebb6a6e7786d8ba83c00922a6365ed19855d5597eb2c3c8394955a9d87115bacd7080c51270103d65c54495704d2a435644f016d08bae5d48399be567b9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e7f736a4bb2738f2d53bb401c93335e8

SHA1
7533fdb3dbdcbdb0c0101d2e72fba505d487eea7

SHA256
039ff45dde99ecb2f12ed910a836e200f0e641c6af6d4c345150bc02cfd8feac

SHA512
a1385de563ec82f0b9c56c6359f6abc97f4d6da3be3a36062730eb2d3ce4058a55ddcf500c0415e49b3878a97f62687a9584f5e1e0579742bc58a191ca1ed9fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ad6784877296465e23f97e01e60699fc

SHA1
42f2594c6c233904262e638d35aaf0583ab97887

SHA256
035ebfef53e2e3bb4b18d696a7b260de6b35db7daf59439913bdd5aa60dc73e1

SHA512
ebbd1a36addcccb5be27dc3cdff2c00060d10af2844b56fe2ffce1e3d5bd137ccd8421bb11ebc7c31e9896b9282020b8e0bbd98015d3b85a43828a293bc56668

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
31f6d96389a57c437119665ae8199367

SHA1
a2f20d15e2f420b65f5e6ca2422635a1b2d5a778

SHA256
a1bb4c45632750db725725aa9b177db066fe664f80b0257f4ce2aed26c36f60d

SHA512
58762f9f1bfaa8d5c8459910204d019a91778adeaf3346ffe7d2303426fc7655f450d3475492ff3e7f46f4e9848da491c979093faf005afc9800d2f73687dce6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bab7b5a83faa458a85698063a054bc97

SHA1
9318f2e92e7deece0282045286dce7f73f775fcb

SHA256
49bcb960c1611e36b34ea1ba2f32d6211be43067ff3900a5d207f8e7535b7f1d

SHA512
4b0e1ca8d881eb8acc1a7bc643db43edae465fef48a0226ccb2e1c218e0641b5d2d5c6d4d05d8fec682a2f3b99ba03f311af76ab70161834410ffa260363c7fc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2a5994fd4b5ceb593787f002704ba34f

SHA1
16696f2ea876f14caaa9779c9697a74f3cd4085c

SHA256
6df00fc0fbbe99f9c9441a9e42fb69e9739058891b00ade1eb66896d57cf44ee

SHA512
bfc277a16fffc5029adc003c96bb286a89eb545c815102627ab03c1ce6cccc47b8fc6c7ad699163c8b229b62d32550417c84daec0bfc409c774afb98d9ee0e89

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee655e2e1f931560a3ec3619e635544b

SHA1
31f139857c0b5ec107408a66c8dcd6c811d7a39c

SHA256
2ef4df199394738c934dcf7851ccd7cda2195186d39fc1ccdca9a83dc2114da1

SHA512
f9e4f17b88aae52893276962a85c30bb2864b06799c47f0014f62d5aebe2243fb689449321d80badccf7f4925b8cbbe8b00d7a29de40fcb706bb1973e490dd44

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5b4e9717dc41274d9c203575b295c970

SHA1
56525dd6aad07d5aed24d0ce684579a9db6e8922

SHA256
f94ef5a19fd92ec01844f29f8825d064cca7d88e9e722b2a6cbe31e7bed05d16

SHA512
5a1f7543f80846f8e71f1616beba8ff0c5c5d84baaed976e43523c4e3a75c07bacc12eab90a30d6fc03feaba93f91bac3f2d258888c014d991dfc7c4d7b2edd2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9ddd979a09ebf5b5ea17d55ea0ea647e

SHA1
7763945f712e1f1aaaadcc0411d0762bd0a35b1c

SHA256
5822037b6aad65b61a6f40a360eef17b49bd430328fb398bd84492654fa9773d

SHA512
80349d8993b43340befeec44766cc412db7abfffb5417e09ca52d9bab5d4f6a10a483ac70bfc70cac2d1775c601b99ca7e56efc582c6258cf9249e63f30f0c77

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
730c7d25eb26dda0a7d6b3cb53c7e700

SHA1
86069bfc199c9d66f66ba5ee9a21ee31335c8bc2

SHA256
729598c2b08abb046254187c1b38775a348d5a987e6af6feeee052407999169a

SHA512
e8f9ede328551c655feeb234e55943f256806783a7dc29c040a93620daea0089e06919dd93a5689cbc70fee5da8a4083d7ff23a581eaae0df7dc83f87a1e52ea

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
26212a1499528696a6b201494fc9630a

SHA1
c3f2419eb15b0e3b3a411b76630a76beb6ec4f80

SHA256
40f9d6e614e69aacd2fe76bd27130f75be00cd766edefba3a85443c92b32bc84

SHA512
cb27ff0d89f5948510a259e6a028dfadf342d81fa03795a34413a061bf25a8486d6a93677f96f5736823362626c38cd285e53a6922e4cb269619a7e4c7537273

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fd95300c1acfe06c5a8d380bc5570099

SHA1
b972e6e7f74a1e6d00191206f5ea239dbd21f1c8

SHA256
620267f760f7849abe59b26608cb41d9a6e8937c2538cd5e8101a762e5ce592f

SHA512
1af85dd112efe64b32b786a91775d9a543fa620cf04c1ccb95dd62380e780f0db63595a2bce115400586de4045a702bfc32617415ea1206cd0b1a4eb620c61ce

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6def0d8f95d3ac5cbfa60670ee848d0b

SHA1
0369bbb7217990a16b9652d4e17640390f5c0f53

SHA256
a0491ad8d0112fee27f3c1fcd9a89cf576dcbf3f1ce1f561963faad44e1b452c

SHA512
bb6fd3df74a4ae157e50a958b359d5ff1dcb7ab451a8b99d0434ac3f89e4fa10f10345e6aa7b1939abb7bf5113542521e8002a91ba454f7f2c95bb3456bfc229

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b3f27c95edb9a7509ef226b3a760a3bd

SHA1
f6979f015da71249af23d43712ecff79d85f12be

SHA256
08d3c85d01252a4d6832413205661f099106df89af4eb5ea3dffa807993ec3aa

SHA512
98eab135619289d127973ed770572ed316f09115cdf71e8b92cea772f69c9eaca1f7295379fe44486d0fc4ebf728a2ea36485ff928611ac3c2600a0132ddfc85

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a7ac7bdfa4836377497f488f8b26f92e

SHA1
9b8220750980727cab49cce35451a4504f9c7cf4

SHA256
b43a3e543dcc0eeda0c2403f2ba496b4467cbf66575f97645b9c86c7d698f7e2

SHA512
167f5922539a6a882f91cc1ee81b262716cfae27daee74c420e0215272460a569dc167f80a89c67e4202fcb141552fda5bc03a04a6980ef1b808d9206264fc5d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0cf1eb45ec5fcc65ab2ef1dfe3eec1bf

SHA1
d83a14e046983058ae85d45fc35e96a0d46990a0

SHA256
90829fcfdca0347af45ac68b755c8480c776ed90ba074c2cd439b75931f3c551

SHA512
c0220643fcfbee75fb0de405c1341f8ed6686a0e84a0e57b33dfb2ebf1a1073299f3e39028f2da1e4161304f1eaa710b5d7a402cdbfe5263b1bd827f1627bb82

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8680acecd5a42c0013f34a128b259c19

SHA1
7b209c4a90e0ab8b47b84916411f1cebcbfc3295

SHA256
f068c74363fed3339d9ea2c6112f7395ea6ca26b927e5921c7810e236050c295

SHA512
989b59622860795ffa890f5398002d5e66f5e001789317b4dda3aa41ffe905336df1559b8621acb5824ebd1c9723912f418e8f51af500762f7b0b4b983b87528

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
abffb1a2914f389d638fdb7c7b143fc2

SHA1
64426a128728238fba838bf3db01965010e975c1

SHA256
2eff08261b024362b632969cd31c7777e355d54ce846884e252f7df3394d85ab

SHA512
3caf3d430fb653c82e48a4efcc9c80a9ababa43e23a8b572c197fdb21bc0565eb9ebc5722b1f74b63711c7ea2ef1f9cf4a8c08c0e15563dc2db6a8c705e7fe26

Download Submit
memory/508-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/508-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/552-199-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/552-522-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1008-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1008-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1304-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1304-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1328-85-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1328-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1328-76-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1328-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1328-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1472-225-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1472-107-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1612-137-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1612-249-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1756-550-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1756-270-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1840-53-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1840-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1840-59-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/1840-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2368-371-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2368-163-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2724-261-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2724-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3204-472-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3204-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3280-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3280-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3280-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3456-38-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3456-44-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3456-52-0x0000000000960000-0x00000000009C0000-memory.dmp

Filesize
384KB

Download
memory/3456-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3456-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3508-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3508-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3508-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3508-106-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3812-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3812-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3812-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3812-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3932-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3932-129-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3932-32-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3932-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3936-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3936-548-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4000-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4000-243-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4616-507-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4616-188-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4876-92-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4876-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4876-210-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4892-90-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4892-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4892-8-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/4892-2-0x0000000000BB0000-0x0000000000C17000-memory.dmp

Filesize
412KB

Download
memory/4972-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4972-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download