61fdcb82990bd8750b40127a53d4c8e720dd1d9f2ef05a7d8610cf8e5f3873c5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Size

712KB
MD5

7f10d9c99de4e84604043286ded6db71
SHA1

56e5a227ffd24801764a55c17bca8fb095d694d2
SHA256

61fdcb82990bd8750b40127a53d4c8e720dd1d9f2ef05a7d8610cf8e5f3873c5
SHA512

b2ed629697513eabc6a176fa0a5d6ada3ba975d3bde0c680d9a88cf57eefa26d1e6b77331a5c2f47147eff669e77c6a9739e759e8890cf01a85045ac5da72236
SSDEEP

12288:GtOw6BaLMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:46BvSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2504	alg.exe
4588	DiagnosticsHub.StandardCollector.Service.exe
4692	fxssvc.exe
1984	elevation_service.exe
224	elevation_service.exe
972	maintenanceservice.exe
2768	msdtc.exe
2184	OSE.EXE
4932	PerceptionSimulationService.exe
2788	perfhost.exe
1340	locator.exe
3912	SensorDataService.exe
3208	snmptrap.exe
2984	spectrum.exe
4180	ssh-agent.exe
3476	TieringEngineService.exe
4332	AgentService.exe
4248	vds.exe
4400	vssvc.exe
2092	wbengine.exe
1332	WmiApSrv.exe
1712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ea174354521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012982992c7eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b336592c7eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000044bfc91c7eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003438e991c7eada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7fc0c92c7eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e787d891c7eada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Token: SeAuditPrivilege	4692	fxssvc.exe
Token: SeRestorePrivilege	3476	TieringEngineService.exe
Token: SeManageVolumePrivilege	3476	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4332	AgentService.exe
Token: SeBackupPrivilege	4400	vssvc.exe
Token: SeRestorePrivilege	4400	vssvc.exe
Token: SeAuditPrivilege	4400	vssvc.exe
Token: SeBackupPrivilege	2092	wbengine.exe
Token: SeRestorePrivilege	2092	wbengine.exe
Token: SeSecurityPrivilege	2092	wbengine.exe
Token: 33	1712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1712	SearchIndexer.exe
Token: SeDebugPrivilege	3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Token: SeDebugPrivilege	3748	2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
Token: SeDebugPrivilege	2504	alg.exe
Token: SeDebugPrivilege	2504	alg.exe
Token: SeDebugPrivilege	2504	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4212	1712	SearchIndexer.exe	113
PID 1712 wrote to memory of 4212	1712	SearchIndexer.exe	113
PID 1712 wrote to memory of 392	1712	SearchIndexer.exe	114
PID 1712 wrote to memory of 392	1712	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_7f10d9c99de4e84604043286ded6db71_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:224

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3912

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ab1e48391ed73b14a03221076c807e14

SHA1
e281d873d5e023ed491b6f362b9e16cd70462a72

SHA256
e2b0eb9b6ee1ce3618ea469e10683b51ba536018451c0a90ae401f56f10f4a64

SHA512
983498e1c47409b6ff20eab3a245afed0e2e5fd4999fee4ec8f3cbff6a0f46d06e9adcf93f5d6cfa66150961f807d9df4d80afa10ad1a6677ddf9caa3d6ddbbc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
62e2c159c3a2463d846562c0f4c68910

SHA1
e2305d39f2467d377448c3ee9be193b1484137ea

SHA256
42932f56a2692ab770fc81ed35ac6ac32d37ab72543799f57713b4749c3e4bab

SHA512
34d6975ebf44e158db589b1dddd267e828753b203c110190daa8aaff541ea7068807a664b2fad01743f6ba1c73169121478d39d80805dd7604a210b937ff6d55

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
37f9d249bf9381e366ff7bd15c696b7d

SHA1
2ab69b5c54d2d42ff2b348daf67e1ed8befeca33

SHA256
840869fd13b0b348da366f8f873e9c521bb803a1d03f81a6f8df2a1cde51658b

SHA512
8524f05685a6d4da49a00b647527260fd71287035b65af340ac5e8355185fd0a51ecfb266a5ba6cb4c42c1d9680bf508c186bbc5706621645a43f902e86c568b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e7ce6d5220d47135a90eb4212682f50d

SHA1
28d32c65fe4ad7e92a637f1ab37ec8e5978e45ed

SHA256
4ad0d4c8c3f0faf0154c57018bb22b19cc52cd246d19eb66643d5a42cfb30f15

SHA512
152e68f67ceb56d7bc0f97d152bf97e2c125100aba0cbdc995d1131d75dac0c8719237ca2b76fd0c6493aa650c1bb49f936754354cd58c0f5dcbf533162df2b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
48e392bf02ba622bd7298c4a4946f6d1

SHA1
be527954fb3addf1e419c78c014a1c22e55b44e3

SHA256
998037bf9828b93bd5d1e420138d2ea92b522c7424fdbec4f51ab949a921b998

SHA512
fc4254a3430b8bea8fe9951024d7e4e74286d0f62b230cd9af368ba59605b1c2e2e1e6271417b907da656943c71d88b6077a1f7c8551616329cf64af268dd888

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
51046af6ff36ee4ecaef5d554844516d

SHA1
55756dd6ad3ed0e2eac31d6d7d56015357fa00a4

SHA256
fc111687f17b28fd2f824738c79534000e16478d3c836b63435cf9b4a71eddc3

SHA512
a4fef9b77e2b1bed8a2c8303aa5fcb7d5dd029f5c78c30489be5c7f8229b4130d31847b784b4912410d541542ff0838290db3e80b44b06bc87b117b138b876a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
67c6079e988f94c042352606e705052d

SHA1
58e4817de013a49e715fb64972f22ce982192ae0

SHA256
cee07edf2dbef5b25b785c5b20a542d9aaa6d393c27b35d5b831ff694a39728b

SHA512
9b3383c901de63eeff2cabefcf910d8f9fd1a8de51f918b3dee64b59fdcbefdbee605d3f556b8e56e63bf413cc57605aafb4c1e89a32e8623aff998393f8377c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d33206717d803e759b75b71719362a85

SHA1
a0b879886135b940dbc87e20ffdc87d0d1bf7467

SHA256
956c5d449b217c3685c4935392e8931269026719ada4ee6c623d673a636d11f7

SHA512
cb18dfd25c3b452b55739cf3b2a367df705df319c7f7b5a48b5d5d425ca428fbd247b4cc592149deea553be707fced17781df5a813e3c662a86e5d64352bd8bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
51a34b7626d3e99d066622b25c1273f4

SHA1
8e2c69d2e69e23dbd6973a14f2f5f2ef38a2550c

SHA256
98c834b892a49fe3e83c6a492b8b40ebc5e3c136a58abe08866b01e1cf24a5ee

SHA512
175085fb89d8f3388a74a9c0fad4660bbd377647d48871542396746cfbaf858f4bb1efd77b626adc5d960d207eb1f31c319bfd0cfc79c82d0edc453870cb14b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2da43123c191d85efd679c4027f70001

SHA1
0ff4aa27b29be19bd4e70ce15cf74d40ef85495a

SHA256
82ddcb3468cbc554d6c3eca2d3e2b30b5299d9a7076e5c815a9744bf5a185fbf

SHA512
7554c60db2c6655db5b005e9f361cdd79cdd6ca13945929c33dad1d823f87cda8502c2ff6b37ed7db13eb5649351c64237f37c8d85857d4429878587ab1c766a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1bff98209d41956eb279edde5d98824e

SHA1
839992479c85e562d65579a1cc3f215e4685029e

SHA256
7582dba36cc470a8f1f3020514d4491c8cd50c8b47c0c8124a63be06af700d7f

SHA512
4cdcda9034a647077b27a43e418f575192feaa993edf6b49a5c5d7d22c0a2024add038f68a86ec53ce45633def886ffaafcfd0ec25042cafab227b2ccc4c5267

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
01c025d3da135c73979a76df56b85a55

SHA1
4b9675f5825cdfc1192d3173baeb22604864f425

SHA256
57eb528581f926b695a64a73f207a3598e297d3e1696aaed009ac7326912ca6d

SHA512
0aa7f6bebd73aa8d70d0dcb6900cb5f7b99b4762bbc920e92f2c489aecec9b92a86bfb674d7c370b893fcacc8faae96fad71368eb4145d1a8bc3f2c5d040a10f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b990123ffb379d5e1ee437a1705351b1

SHA1
1f351b86d3fe74c7e517df226aa8ff503c57b90e

SHA256
8e34b872891798655dcbc48c21454bff1e8849106f7ea055a62cd006f928020f

SHA512
19063d2abffbd97b347a59c78999de6dc2b928c4f914e6170b7c99a005d3ca15079475163ea40b52c4f6018678e9cb959c92ae9737da2ead826eec9ba1f00fa2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bddf46c3d2f77a4ad8ad166744f9abfb

SHA1
c8b7cf2c1cd79179a670a8a33cb064140a1b1093

SHA256
afb2d79073e41bc09c73ac1c3ed84c947e263a38ea8e4cc215df20ab9a7d27db

SHA512
5748b2c4fff9f91b872e3f61385967fd8bc3e076ece87b8edff6601cebc8f2154edc0fdaee0efead278e84743e05e3ad93ae954f7189aa0c3372279837f4b892

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9306317f70e2e47fa27214f6e6fb962e

SHA1
d237b263040969df0e1e2297df3040943abc826b

SHA256
42176960dd7a0d5b35fdb96f8a95e5745d612dc3b31593253c12bb33573987ac

SHA512
a338ec35c4d15935194c1ed681d6dc0f6ddc74a53207be070b800b8c4501253422b4de4bc3de96c66de221a1a77dd278ef62c19dcb55f15ad4f2545966c8d61a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
dc4d21fccf0289a2f482a1cda83f526e

SHA1
e21385c78ec058681bdea71353c837a664830289

SHA256
e14c3b3e12bc25f834de833867cbb3085b74bcdc15e35918c8352f1140800dfd

SHA512
fd8bc193d0f2f2857d902a504e432edc8bc3b0207ddc398c44a391971b7d0c6630ffcf0cfae286b4c067b9f7bff658b887ae52ad26a71b9628f57ff54b8b6d28

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0690a3aa6c6f59223a377a0643add0ad

SHA1
e4d9a5e54bbeb77dea687b7cb5b6fb4bab9378ed

SHA256
22e660120a791fd800bcf0f522dc332cd3017d7a4a625fa61936d0243d8adf32

SHA512
9e1560d86eec91ed401aebadca88b614f9db515cf174726718b188c06971fe1c6a3f8671a7fc24254cb60fdd65bf0fd64795c1d4449ecc08b2e055c9734ef624

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
b26474562a32b329a263000f04bb3ee2

SHA1
d033b82b520b3032fb57dcca2c6a04dbcee39c56

SHA256
93fdd268148545b63863dd02a32f1b4e578f191a3c0af17b96b11dc8bf6f16b5

SHA512
61302d9f8840477e044a6a5f357afd8791a8185f5f44896a499ee41990729babf534a5876077c1c484a0fe3cfbd81ce262c7e93579a07908e1bc02e776744604

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c9d0f3b4c95311f20a7395fc0672b5b6

SHA1
6b63f264e1de330588c453a9c49be0eff4d0695d

SHA256
fece5dfdb62217241b743bf397effe578a7bad749e77cf03b068ad9aca5d1689

SHA512
c8361116d6ca925e9e430d0e4ef358d38ed01d7a7a3598d5880db654de5fecf632d42139be4ce95a2b2a7e913c418ee671b1b84d45a5e71f9a6f931d5d924a81

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7d7db8980d43ffac351097956fced912

SHA1
c598b5447e6bef21345cc118af77c6af5e1c9dd0

SHA256
0bce30a942b552354f7daed853fb6d7b306a9e705fc0ac01029b1c22db6081a2

SHA512
465b62b04053be96199ee48cbc2b0a38c8f97b20a975585b4e45dc43519394cdbb827969aefa03c17bba801d738cda7107b56797c1bf82ba61aa593feea365d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
03bf155f9413091b4554c685102261af

SHA1
46e341596cd19cd40c1cc22536d62a6ddb61d212

SHA256
b88db87a554ff5d3f636eb360cb63b91d9278aad9277ba466938cd56194d156b

SHA512
0dca70d8f3ca66e7ff3afa313a3ce6873fc991ba7334c687ccd6a49ace96f5fa74bf5089997953d72acd9e7a7ccca8f0092016001e883bc9df9c6feee13803a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
88771b7ffca5c85f2589d4a91176d9ae

SHA1
2c8913e001ab3dab2ca364fae0fc69c3d2e789d3

SHA256
ac0f96cfaf33fddfe918b92c6a2101a084220fc9947c19277becf61bcb9a6500

SHA512
e3e108e1c856cfcd48a465a836397d7c2b1415d5283b696e1eecc7ff99ce7915006235d4326feb261f9a5678b2859297cb3455e029ab382db035b189bdcce9f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1f061f5bbf561659c829b4fa6c5c1513

SHA1
9482fa3f3914648853b27eced8985bf0ebc89dad

SHA256
4cd1bab601e15ab11436f2d6d7cf871fbf3d0d36b2cdf92ed573567d4aae6c23

SHA512
de876edd4b0897141551e3cd57fbc6529dc79b10dde05178afa8796b1975e9c93ccd397b03b932b76bf64d7f97365a90910c793fd3bc4cc9c5b8cab9d0f71306

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1c1e1983985a458dc678ba987dfc81e9

SHA1
ed7f52809538201089197dd4d1efc3ee7c9ce846

SHA256
bc3df24027b16c0377ab52f9ae21e1533105bd91da5a6816fbe3f968ffb1c2ee

SHA512
838f5285ffc2e1f5dfbef32ddaa70e4eb014d9bc2e8ea364baf0dcb71d5970bd0704969a2d44254582e29405194e10d303bb91ab18b08135b6a6e2adfc5c06d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9d5173db8f8e2c6d0d339e9d159a9bca

SHA1
eb352c3a32df313f813b6f8719efe29b88f82aae

SHA256
6435c81faac371370e6e62a49dab2f5d845964b145777ae1936ca45f868c4be2

SHA512
2b871bf1b4225a833d1b4c70b6066760dd00bbba855624e456344062252b3af217a7c81e03e1d5815dc97db93cfec1f53e4931dc93813bfc5f573036125ea4fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
801f4ebb0d5c641b2567a74386355c27

SHA1
add7efe77b4b57bc56e4900268fe983c0ec31787

SHA256
3a1e8383b9de9e8b5cefb5e66dc86e6425099bdd13ae5a4935f9b55e9273b897

SHA512
b6939b05c37734585ef4f5122ee2d56ea107f40ac3d4e2020dcac50c54f544a608a2206a568f461ae5b95678b2aefaee4ce5ca23e6a85b4b673b841ee4c94117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a965136546c0c706d96a32186ac46e81

SHA1
16fe6d69db78c4230f159bcb554462999e92c8e8

SHA256
bb1424ffddc38921fd5db17ab59c8f09657e1d75f7e46e8c91831981b83b928e

SHA512
6c5ed100de50b7cb113a345cf51b64a0f780bd53b8c811ee91737f22273a64e50dac45d9e2e1bb75a6349aa98351f0b18f8a2a7f5eb7a3b2cf38146b76000b8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d33f6705e3ce8bdc2174db36ef376815

SHA1
daa809390c4b124b218b94fffdea92ea84d31489

SHA256
7895449bf96277bef624034c7d4ec1aefc9388b8c0f6acb0bc6cfcabbe1531d6

SHA512
52edbd263c203d12c1b1fe7d05103bc0f8c4ee62d213ba36b760a67c56f7002b3d96df39c12525d377e245b6e00772470f1f8871f6ff3d28aa90c38168c96752

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
96c03c10780ba19189ea6e3edc27acd1

SHA1
5a02d81371b9c1e1b2ae038f44c128c8488d414f

SHA256
4f346db5ba9619bb5ce627e9fb076ea67760ce5910520f23689afbaa3b74f1b5

SHA512
17ef74db45cd75abe901f8014d70d1af9bb6e76ce6151f82d2afc5e4b85a8ea89e2c452210f238223feb3530d82c00373a2fc064f7f380ef94dcf6b0b0bf8ba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b53ba0f569a1d4edf51a440dabe109fa

SHA1
ad7ce01d51db26a3f29d30e3fbf865e4b2feab36

SHA256
df866c87b3958e040d6c2ce2325cd15e520994ddcd86e15c93a511c7bdb9ae3c

SHA512
56804a5e6ecc698d26f76ff4f7299d0ce945f7596de2f8755aa2b3a99bbd9bad92e15f28d0b826b7df8387d02356fad518dd621aaacb542ff4aba4b482821da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2d4bb49373211034246310f3d52160db

SHA1
69602e5121bc503c76346e6cd5ec261c75ca9642

SHA256
12ed68e6a9972495e0f566824dd5d6dc4f914c27b75f6eec492f39bc997e261e

SHA512
17469d826fbd67640d1ac9ed4c74e18e342e05c6fefb9f08a721dbdb4855388d5fceb19efaf86698a04f51e2b6f2e0d461eb00b0b662a6d02f491900f3f3ca90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c9171568bfa57380ac2602da53e10345

SHA1
7514ceb9d250ec4c8e041aa7b0b6ebbd4a4c66fd

SHA256
f031a5bba6936a4d8f25f48a042254a71c00a7266880cafc1967a9f660aad6f6

SHA512
dece654ebadb045e78bf2c5d53e1212f1463f83f4d500044aed7e97725e4181db04c6777ed3940abf7e967332ebd0536a48578c2e552e1024c19e9ad7652fe2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7865e4a1d476aabb11d86e7ab9aba629

SHA1
a870d6b09ba08d193ad0d79b6321acc3a791d519

SHA256
23e60b27eef1a91867ee0c00743051a5b6496687fe7ffdbd1e1b0fb8b3c750cb

SHA512
0eec8baafff0ea78288b75fcd59dd08015741a9ba805017f37ea198a2de0f50fe9bbc8256a88c1305e94909a8b4c55ff38b614e9280073f893e66a2f8dc07f54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
547e9179611bc1b5f0d8e94ebad634b2

SHA1
765a2a140f937f4e5bf927fa9d07604da8954b88

SHA256
34e97e8b95317a06b001492422bce05967a2b59ac9cebf972f78c4738734b1ad

SHA512
84d9c503453f59308befa49776c2a6eca03a1733dd24e4ba812a4cb63e19b7d95b90215b6f1e727998fa81858ca31766f30a471a32c8731b9701aa5c51c4e417

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9720c54b25906528550be04d15001442

SHA1
2ab7bed57fc7946a5962a1beae6249778926ceb8

SHA256
584e44d530d59b12dd720993cf3a39c66c69b16063bad30bc32876f1f6be9b21

SHA512
e3687cbd36df8b55bf97a6ccca3efdd5420cf27c2d456a86487ea929de807ec41382fa0f65100e3238dfed5f866ead2c878d0e50d686c786b70d6d9b81b07471

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9e7662e555545af6fe08661e21435b47

SHA1
ce4fabf385b87e9404f1c8ee07b117bf8531ac4b

SHA256
b5581bfec12af94bfd881ddebd160c2488eb990248cdc64e580d02c41f7769aa

SHA512
081e96a22343ee0cb7e6fef339cd94d250b5e55fd049bad04d885d30ea0cfea427669a14a69cccc59e59d0e308b96c873926062217aaa4a5b1dddf0998e17879

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7afeb97181ab2aabd68ab8d4aa429108

SHA1
f7c02fac9b193950df42910b1666676c9dc24469

SHA256
454f024088843ca6ce58f39c1cc6d923cee2ff1d64725d2547e0897a76929860

SHA512
bee0dde48da9881609d8d558140c410fc970f8fc0efaa77d8ea7aaa34e88cf578aedbf8f73c9b869fc37f6a95f0d22a1fe5211e3335b8d787af869deb8eb4492

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
30bc36babf707dc342aa62b9c8f9adbd

SHA1
d441e739d4d2ebdb3fc26c1b22735463a47ca262

SHA256
a08ca91261ef4310505b42561af98ae2657ce8cc59b750353e065cec801638e4

SHA512
ba96b10cb750476d91e326b05f8d724be5d4c2b043aceb107071ac0cedb73eb35aa19afcd86a8ab365186d3b894e1137184f23e1b55d3b8b735d392e1d95d21e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
dd1ad32db1f11439527cf79c547c4fd1

SHA1
c7ae3dbbb1d647637fa0d4239a22edf71974a8ca

SHA256
0c37c91af17ff3be7c99ec326567a304db4448b609d7b9d173d4063ad10c6cf0

SHA512
aca796a5c640544b2cb387cd28c4b5951d9aedcf5fb76acee8b2db39ed8400950d3311874168e5a7ea2a002dff9101a58a1cd8815bf5b475a18397ca5149fd32

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1a96ca21465c975bc80e46ba614f7686

SHA1
d1333568f7e96428c7f3d6da3a1e87392bf7d438

SHA256
bbd9aaab92b5f48789a006677add08bf3cbe61435bc6b40f8c9ece013d3f4b35

SHA512
cf32771cb43ed1d63dd227310d59fd453cc3b05b0d69a40afb1f672d0aa1714360c84680996e528e032723f0db9aa8ca5e2f80a09f6ffd7b2e5141eb83787ad0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1f34b175fd575a9166b517a25785c7b7

SHA1
7958c350308d25e6f47e98d25a24866e9f5bb689

SHA256
e0945b2e005291c88ab0f6c69ba964581705a56cf344c4b7db7e0d259018eab2

SHA512
fef7342349be6a730f217febd3d3e39a9fe4cae025c8fb525368dbd737fa7cbb08a967bc4e24d1c621e1392c15f0adad16fdcdd60067a9217b373891115dbc78

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dd72bbbc6eb1588db62a349e9d59b198

SHA1
effee10de2482c424a4129b4a0618fa8a61fdf2a

SHA256
158d7e8017e1f77aafff256fef0808defea1a609d8426f3be4bb45151092dcc8

SHA512
eb928d55fddbb4204451ede8ddd9937c1d581b01ed8674f2e095be702599af1f2f12d61bfe30b31ed0faf890043e242d12cd84ca33ac58456647d033747e391d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
93185536e44e1b907d2d18485d821f7f

SHA1
03aac3c941e795153e74aced8ca2fd5954ef780a

SHA256
7f051fbe0a27792a3c19ddab2bfe3d0d7c7af7dbeac5881074b0d9cf84d40f25

SHA512
7cc147bbe8ef5f414b833709932a37f06c7b6b47b31bd160dd3dab67e1f78d73d45b3c65104bbb836884af7ae6dc7b9e9927bc9064a78dda1a5d22f974e166e3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
551d2501da016f298462ccfd68033af4

SHA1
0d874864723df6522f5ef8a57fdc4bd1c9c9fce6

SHA256
718c408087effabb0a28c57726ff90c23a9a95bd4586ed58d4f908e4af88ed75

SHA512
fcee6a3086988798fb169fca575a77897564f2b307479d87df05cf5c02573812d9b7b623e401744a4e2557c19be59fe0e3e64bf7e8aa9e4bd5b0487436516427

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4c9d33aa770b0ca46e33539425d9435b

SHA1
86bc2a08a54eb34e91bb97578007f19abf614590

SHA256
a0f4e3be0c7260898c2ae3b1224cb185b482f2afd59beb7cc3ec6f946fe7d8f2

SHA512
8f0e175915ef7f6905dcae0711cad79b2aca4d7dfcae1add870edd6d5b1e57e692a1e49ae942aa3f70043b1a7fb341ac1cd7774e74b49d26cda7d25bf27642e2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b7211a61f6f307f22aac3a360787c7a7

SHA1
9aad92f212d1c30541983f979d48f16bc3f126b8

SHA256
849726451543d6a0fbf278fcc1783645afc0723a431a6c50882485e27c776be4

SHA512
3e3a093c2abbbfdee3a4afa8f63b06fde608f240f612ce1eeedd227d954cf0cf0d10a3c48f55a623c2b177b4f8636ccd853f570767309ad5d29d3d92d184320a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b617f37fa1244b354cf54d9e8530a89c

SHA1
7f4b0358bde48b6691a16b69401d3b1b1f250302

SHA256
af4f21ee2abe4353a159b621e6b1d4eeb32547a478348f6065658cf6df6799f0

SHA512
21d0168ba104b5d3d2355fdb32971d053e1ef29259e35ba76989ead964e241e581f4175d40aa7e4a058ed659d26eb54a2111598adc41be1f50af9a1c366fb191

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
359f555b2c3e2d1b9f9f1116e00ac43d

SHA1
00b425221d65f681ea6b39ca67597644e926f6f4

SHA256
4cafc398eae5b3d1f4dbd3030ce41a8b2aceec64b225ad6871b810a868929a3f

SHA512
28c1cf2280b543d00588467d634fad3cecbab9f82a3b0ea580e198e93344a1d5163d703e9bbc0f7c61e5cb4336a205cd161de7418e47bbd77050323c1c4e6cbe

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d35a49b83047f2cd1b251742e8914cf9

SHA1
0f575a7938efa95d26ec4ee4ad30eaf696f600be

SHA256
8efb197b6fd8b9786e060d9f8588387a81ac0c837c29e9381e7ddf0f64222875

SHA512
984a4307ba94c1290d4bc1cd88b81c27f4b356a0f0b52b0f3ea02ebae63ab04a6c0ad511eef3d85ea9607f1e1ec1af03a8accb8d3f7bb0a9fb25b00c07936657

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a1235305074f3653e4e94e0ff8482fc7

SHA1
2b083bceaaeb5c803d128771f6d9cc3b796d4696

SHA256
9c9496be223bfc9b0ded438b1680285d5b5ea2849166306a7bbdc0452d087d6b

SHA512
c62017c19bb0c6d2a369505bb934c03e578e461a685b31c68011e0eecf78c7e4c3be567257f886a3f26dcf6fd9d7642557792400d6680922bf3feffb7fbd61a8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
45578492775d78cacbefc701ed831e5f

SHA1
2f0b7cfbe3e3d0797447e43cac6121ffce6a7377

SHA256
03e741ddefd603c56f0daca4ccda17dc4ae043b692875014ec302118e21ee570

SHA512
b1fab223eabd2ca77e3e942030c36ed63d67a3809d1d75e6e5826e57154b08d1fe065ab59c4d0198ea8ed11c8a6af7baf2875e63711c40be89afd6816fe766e6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e07a7fa56d784fcdfdb3a5510970d6cb

SHA1
37fc429491480540f588bdf6e6a991283aadc390

SHA256
2bb207b28febf55792724cdacd5347ec5f495596add550e992542ac214afc2d7

SHA512
798d0ef08c35966562eda26935e9c77813b0755c57950ec0058f3440b3225daae60888b3347370d2dbb31708b449309b621c5607d5ed3f027f73089aed3c8605

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
804a5695e00a7c6abc1a2a4d3784bc68

SHA1
9704d5167a597ea3cf628daa1802176a306816b5

SHA256
4d6febd08735ffd49a55f62256597e375a52b73032be2b999a55f1715f5893b5

SHA512
0617b7542efb50cbf32f16f7baf8fc1ead26db3e04e51581ccb00ac737176d913329831fde6d395c469b5108f53942dee3cd0510eeaf8aba87bd1a4804e7c43a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4326b3035de523542c1708afaf57b4aa

SHA1
2ea8f9dc0d09b76769f012725fe6b7d6c63cf051

SHA256
c8b516ca9ae74183e94bd4509ab3d702dcf2b338725efa75de011598c4fc49db

SHA512
c173439910e9cfcd9c541f3cbd342936c4ab60b4af4fc75893d099ecc956e52a546fc09d78c357278cebea6abe99d77705402cd63c698c236d96edf3da84983a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
81d7b82bd07cb3acd8f97e3abd9d9e77

SHA1
73d181b3db5313b64612dd26a4bf9be7272b0b22

SHA256
0213e68ee7ed1e3e39e703dd8ab2583fb79ce66fc3a5f4ea25bfa89716d9006f

SHA512
4535d07a0ba327dbef1553d326c928cd85e8d7b8037ae90d46c0656a294b8cd17a763d43406a5977509909ed28d85f0f7c1ff7f32c0ef38b4c903309bbb5cd50

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9b7e692338db2314030d9c414812170b

SHA1
8b173f3894b97324e6a5d6493f07b8c5305b8dad

SHA256
40b67cf8b05ba625b2f79d277405cc150cb1317ee2db9275f45282fc72f996f7

SHA512
d19c3954f055033e33dc4e2b36abc6b8601f68cc8c8ac31fddbacc654ad00bda5b87c39cb3b32ea141a9a25ce46ea97d1090302c4f2f2b3b6b44e50b6b863ffd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5867346cab5464a4826504240535ba93

SHA1
b42a13bf55dd86e0f13864bcbd594977bd9a8b62

SHA256
9b7ee6cb42d9591f0730acf5dd76767ae1852dda41aee40d4dafddd422fb7d98

SHA512
825f17c8df3250bffdd77c8256ff086d5bec7c504204ed0a3cc47ca911086b18091ab90a344dcb60adf53996ddb987dcb70ec5df56a0ee3305a71926a011b5db

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5dc5a6f94be4971be018cc28b6fe5f90

SHA1
35ce3233b082511fc0ceeeb6e43b947c864de7a8

SHA256
d68f358030db63519e632c63a85d4c69d9206a2c9cf831e10a3b5198d7c7ad3e

SHA512
59f0303f0e06221a9921d8ce5aa34aefb3f7f22776ed05fc3c5deffc1fceaa6b83912fd0bda4e7ab8aa469169674c4c4bb59ffdeb1092c7a4ea101cf3f18e2cb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f4d77eabd59c550dada81eaa3c70bddb

SHA1
15b647b275b5f2f50266f321678ca6b5b657bb7d

SHA256
afd368e10a91e01a2fed795fd5f177d3bb242d0e407d7e96899a19750fcb7fb2

SHA512
1b5ae733d1a961941050c0289ec474577b89e1fb05385689debf5d8eb3cd0c76d91af790e6c564ea9cf0d849ddc3b73f21abb24ca522d52bb584d96b708170cb

Download Submit
memory/224-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/224-503-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/224-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/224-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/972-85-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/972-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/972-81-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/972-75-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1332-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1332-511-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1340-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1712-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1712-512-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1984-499-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1984-50-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1984-55-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/1984-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2092-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2092-509-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2184-163-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2504-249-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2504-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2504-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2504-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2768-162-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2768-89-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2788-165-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2984-211-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3208-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3208-505-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3476-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3748-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3748-210-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3748-8-0x0000000002460000-0x00000000024C6000-memory.dmp

Filesize
408KB

Download
memory/3748-1-0x0000000002460000-0x00000000024C6000-memory.dmp

Filesize
408KB

Download
memory/3912-167-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3912-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4180-212-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4248-238-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4332-237-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4332-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4400-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-508-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4588-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4588-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4588-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4692-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4692-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4692-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4692-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4692-60-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4932-164-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download