3e3c283626fb0a1c6cfe2025ebe7cdeab51c2f25c798b2a3c158c63bf6d562cf

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Size

1.3MB
MD5

b91746fe49fc89e8a28df14f0208b61d
SHA1

396d22cc76cec1e938da3c9638a161a2830706a7
SHA256

3e3c283626fb0a1c6cfe2025ebe7cdeab51c2f25c798b2a3c158c63bf6d562cf
SHA512

b51f0eed07e3da2471946a5edf89e1e3d0ec7d189e197430accf418444a74a466d10c57a38bb9a6638ba221e7865d0e041bc60e42d92e8c56c45d6883a836fbc
SSDEEP

12288:JtOw6BaXMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:76BTSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4896	alg.exe
4404	DiagnosticsHub.StandardCollector.Service.exe
1380	fxssvc.exe
4752	elevation_service.exe
4548	elevation_service.exe
2368	maintenanceservice.exe
2228	msdtc.exe
820	OSE.EXE
4904	PerceptionSimulationService.exe
768	perfhost.exe
3436	locator.exe
2500	SensorDataService.exe
4824	snmptrap.exe
1128	spectrum.exe
2196	ssh-agent.exe
5100	TieringEngineService.exe
1460	AgentService.exe
2088	vds.exe
2720	vssvc.exe
780	wbengine.exe
4736	WmiApSrv.exe
1744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c1311ea2b36a5b05.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c841abd799ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6b03cd899ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032b05bd899ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000377f2dd999ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007535c2d899ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049c1e7d699ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045438cd799ecda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Token: SeAuditPrivilege	1380	fxssvc.exe
Token: SeRestorePrivilege	5100	TieringEngineService.exe
Token: SeManageVolumePrivilege	5100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1460	AgentService.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeBackupPrivilege	780	wbengine.exe
Token: SeRestorePrivilege	780	wbengine.exe
Token: SeSecurityPrivilege	780	wbengine.exe
Token: 33	1744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1744	SearchIndexer.exe
Token: SeDebugPrivilege	3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
Token: SeDebugPrivilege	4896	alg.exe
Token: SeDebugPrivilege	4896	alg.exe
Token: SeDebugPrivilege	4896	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1572	1744	SearchIndexer.exe	113
PID 1744 wrote to memory of 1572	1744	SearchIndexer.exe	113
PID 1744 wrote to memory of 1472	1744	SearchIndexer.exe	114
PID 1744 wrote to memory of 1472	1744	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_b91746fe49fc89e8a28df14f0208b61d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:820

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1128

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1572
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a9f61daa7ada4893bf3c2b5050c162ad

SHA1
b9932674410d33cab121f34f0e4c51fb39cadc75

SHA256
de801826106fb17b617e772b1e779a77a178187bfe5ea656ea853516412e16c5

SHA512
f519590f7c63e3d6b413d924a57f5cbc89147cbb8bfd268b1d7da6b65af9420e89c22e6bd67256247a587abdde0192ea6a4b266a44c02d318457d54ea7aee7da

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3811e8bda3ff8786676a471564871171

SHA1
c3382a016004aeda88b97642ef411e56548c1097

SHA256
756800c395a7c40c8521399fbe037d537036090afad614559fcd6f4250f99866

SHA512
43e7c0ee91680d56f7a29a72aab2317c5d498cb6c0a4c30c329fec8c324f7b156bf29a6f885629919734e6131b9281e5c83b5c218de892cdc429e737b663b618

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e25648be1a01fcb70d505bea6219f4da

SHA1
61f2f17c59b5c00d3e40d2b80f0e03bea9cfe12b

SHA256
72e0a33b2b490d1499616861f7902741c7396c47e6569bba7700964014e7982b

SHA512
bcbf6e554c50ac8553087550cbae70033437131815d5396f54bc56eefb92c20c63f27ce92ada8d381bc41b2744fcb442eadaefb9ba966d6adceefe3b0418078f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1e9af745bfd14301ed4d8d4b3303ea17

SHA1
4f9c13f70a41583cc5447415889483313fddda77

SHA256
268bae664ea2771e4b1dc18f7274d112a4056e9da0d1a4d876ad50a8ceb4f163

SHA512
0e532f1704036595ce762a0c03b0738f9f9610c4fe50da54460d935bcfc03b24a63d3ee78fa0096d2f2026a4449cf89f51612866cfdc8534545eb17be23dee07

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5acedd79e8a53ab4cfe2ee5d1550997f

SHA1
95c6d83c0b790128697d0db1c697d5c542dee07e

SHA256
1fca5c1ef603048f74a07fe7f4cc18aeed3585fed6a45b815f5bcc24fef6382c

SHA512
b021a3d185aeaa7b4f1fc1e8a0fe12afbcde5565b75f0740cf8a287e974de95f4e6424f94b2e7a1ff22d0f6085bc996b025e1f7463faf63de1b21968963022ff

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
564141afdb0f2519e71c60c14a29e717

SHA1
707bd86e20b9ced0d1de7a221df5497b464564dd

SHA256
d435eb176823e0356bde13bb30f8b81b0385a23f62d16507f9ede4ac5f6822ef

SHA512
11dd1e5831117ebc58f82be1cc1494d73029d8ce9e662c6af40b3e17a32e46f1121cf5c27c2e32cac98df4a43e86e0681b5e94db77400d76e61c01d4ff4a7f43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
dc4e1d59f015fff31e7903b769f4335a

SHA1
6e3d7847a4a6b51b954c3889b8b37422caeb4dcd

SHA256
1163627e7675f3a0748de55a29b3251a6b6e166742935262e10637b088b4cce8

SHA512
23b5585338bf68e6c095900a2e93cda9caf983545046904736b015400171ac73364fae9d9e2634d6c5a24926c9c101ec228e5e980f31df293886fc3299a5b024

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a7e83866471c992d179947b9d315785a

SHA1
20774253c9ab143ea450e779da579a72493cb702

SHA256
2803ca6c39401fcec7d9dfc0fe2960e01b264c5eb8d779e426ea8232dbcb8060

SHA512
406d98f11bbe6868a03779cfb474aa66c99d322c24f0f952ca623963c40115f8d666bb89e878a1ea2cec7c5e5abb186be7feab01f5136e5b4677864f9232e7e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7a7b82ae090c49cabda044a9b7658d11

SHA1
54f1c919ccbf52c0bac64b9df99486ff1298c04e

SHA256
1873c1f19923e037ad579898ae01be432590d21cc09e8972b6f1f09a51fcf71f

SHA512
79d9d1aafb32e7357e25292cde6ff225381024d792ec041c43124fc542973bf86450aef00f154249cb6e287a52e998c6421763daa460952e4635176712d88193

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0959f277e837f036e8d888a129273a28

SHA1
ae8ffd361a1fc1a0fa8a1b777fccf815081541ae

SHA256
d927f2b8870a5f1b1e4664fd4e6f0ffc23b94a3b8678536d1548e11de670cc2b

SHA512
fe01516fb355caae7e53bc45ca6f9e817442a5cabc943a45c848b65e1d52309e62e5b09951da43131550aafd8748a155ceba42abb03a3c76fa6793d53c35f9a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bc7c6bc943f13de006eea2660b9f0d90

SHA1
a8d4153229598bb3d0262d16cb27937c50b66ca3

SHA256
7d2f1aa6612eb5f5aae785292ab4944a9282b1414e163f7e88e26f96961e8dcb

SHA512
9f9ee5e985db55320b32d2e29ac9d3c309a4d2a298e20232906f4beabe7e9540eb28fd1b4c2089fafa35d2a128441ccf017cd35464fa9f6d3360a955e2cb57ce

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6ec2d1094282423e2677450a9900c37f

SHA1
177e14fd0ae82ba29f9e93b94ff5a13c04cfa3bc

SHA256
24994bd938c105c8d642ef216ebd6e9fb93ac58fabbd1cfa8a8232257276ac1f

SHA512
090b000983d743d1d84ec03fba91a66e6a417e20d8bd0d3e256ac19aa5f8c9c7141a05fa9abd34e5e853a891ed15c35ff832a3a065f108df1298c32de044847b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
6f2aba2da5e2c5397ae9ab93e1b34ee6

SHA1
66e5c2e8fbcddc5317de6ad49cce4ebb0c095608

SHA256
55dfa6ef6d9cd66fbb5cd07d059ceaf90324ed999ce44b3e51d2b15215582a86

SHA512
e958aeb2d636e67c7fe5bb3b93ce4282fe97d61992a9d73f6db5dc2cf81086edfe43ecac0e45bd762e3ca770bf2826a2c24ac6ea20978d99c8b4f892df106af3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
8464e0141a2a53e086a1ebc8292765f1

SHA1
011a0ee017175f9f1382c4e2d260e9f137e8a1e8

SHA256
d24fc9de4224e61a8bb3a180e9b77b53aa2e6e8cdef4b7fb3b974cb8e7e62de3

SHA512
b7d6569003ea2af3b299902c4fdc1a4af1c9fd513c7576c7f1b8d6a2435328dafa1fc4e33651151e03e01ca22306417fbd7dc9bc155c4d5ea6a2b43156aab9f1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
0e82c6faa10471dcde826b45331365d4

SHA1
14d86bd53ea8d2560ce01f6b7fa4f6973468cf5f

SHA256
6ffec581457e45d00de4e231ab6b16e521f00c4b93589cbbae1490e38e9226a9

SHA512
e479f9ae2466848c88375744fb04eb5a2d727d60742cfdb41b630647450ac0853e5f218bb36acb0d99b8afb47851633aa531b403d97c68c3aba447512ea88824

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
331fe50f52b87e5c050fe9a060251e33

SHA1
953f561d02d9178a4f64d55616391ab0fd92b3af

SHA256
42b78862bc64fa3d0b4ce3bd023b8a8f5cccfacf2e3e7e16bc8023d724ae81c1

SHA512
266bb9ed325a38330295dd5042f266534ddfa1b456c0a0c2a7c33912fc31f1427f17fde5326245a24c9d984088eab0fd5a8ea364820132c2bbbcb0ad755ca3dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bbb961c23bfa7b893ac643ead6867e6f

SHA1
bde6910e1cc71d61e79d5feaa97d1d0fd0d03376

SHA256
5a8f143a44a29600d244581e4234b017adfd6b5b5bcf7268f2782647b20a9fd8

SHA512
d79435a11a14fe81ee0e81cd70d0c4188197c421db8d7c355c0f65a1b1b6cbfbb020def995c839bc057bf1b4cab33384ddafa0fcd10e762b020cc6a1a1293850

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
266934fd27e44a2d07f4cf977716593a

SHA1
1e456a97df08d3baf9ea64a05c3068c859385466

SHA256
a26cb8680702d73ff8c42451eca7a26939b4cc04be44a4ccc5ce83e411b5204b

SHA512
f3fa918d77ab93d375cb0312300a379482696c852f36d77b27cff4069763450fcf57207bd7f55ce821e6df514ef8c111299440a64dba855b879d1eff97cf4dbc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
148ee8516128629948c80424b009e8c6

SHA1
0fcda8a4bbc8e6cb67fa1ec97748b04c8ed5ca21

SHA256
851b7007ace05aa76d7d5424177d2b4904ac5768dd9cb133e2844faef7de340e

SHA512
32afde80d3bb2860ca47b55d0f780f08b64a82b32f7c1e73d248a286699432e3b75c395adcf6ad7a361338096dec73e75694bf6554660ab1e501a79d8fb3ebb2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
60a7c5b9a7b6b9cbf23d26f7c2eee0a3

SHA1
3b7530a08f2c31c63448d45ef35f00f30985ed12

SHA256
afc78b61e355affd03bf6b2db32ff41df8c6ea7007372dc424990b32e5c48221

SHA512
ad7dbdc1713b32cb255fc14564c15db47bf334859d72e219317be81895f9f6c632950070556efee7d526da03fd05f4a312c9479f6b6025563ceb858a74d17661

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
4ec05a2fab5f82e64b8915143ee423e6

SHA1
7f52a343f4d3f5a43e934bf851bd1e8d8db33b0e

SHA256
7d885135273ea11ac45fade8f2246c3131a304629973a10ba15293b638879a37

SHA512
c5e62e56b1312adfb98df6d9c9933805fe26191d7aa7614540765d2ab03d7385fe5bbdcfaa33e55f6e973221537ad5a780bcc63e6123b19ad7963e2800ad1d5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ec5eb2bdf59ad7d7f54abecdb363dce5

SHA1
ebe2c23d6ed9ab8e743d10c24c4b1589a33f61f3

SHA256
d963319b51ed503927538172f0c65bac24f621419c05823cca25779f0d07b047

SHA512
0b6f2476b4862c83bab1a5d0c5b5f0c0dbe7e028a7bfad51b9ed8f6dff7a7189f2558a4291b1ea5e26f349e721ac9a68c0259540489debb4633ee9840634f1a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a142883dbcc37b7000cdec58973dd362

SHA1
c7a8323311d4e237c5c7eb0fc88bafc61848e95e

SHA256
148743fd01c8cbd46a6ffa7198c4763aa62200a0c93d43c8ad2bedfc31a86d9c

SHA512
44052adffcda14fc8ce9818d0b61635d97117b77105af65b025b8c3a0e37c591c48543a314d45d161517effb586330cf276a5113cf2b24d1717dc4bbc1079938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
0de95ed2b78daa713e98407635dad1bf

SHA1
e991d0992650f9d147c6048b8ba5af0646786732

SHA256
bc1f89f71a2c9434940917616c47fe8878aecfde16229aa6902607decf583f2b

SHA512
583a800a388e1b598ec8974f9d0a4a6bae5ccf7c5998397a7eeead60ba70164483de6d452a773f7ce1249d31d834b1b805cbfe6022ba5ae80dc8283bf98b37ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
211430ced244adeacc3b9fa8d1cb9585

SHA1
a4a38bba29976ceed7e18cfdcd88924e23755277

SHA256
64edbe2b484f67be1550ef0131244acb53ae377a1cd9be3f24d207fcfcfa65c5

SHA512
abf6c67553540700d0e7b13a404bba9957aa05507ce33da8d1114361f365c179cade1f9489f37d18e2f7d8c9a55cbd505855bffb9ea38c2701ae80b3b1bde386

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1454cd9e0679d7912baaf764ab356fd1

SHA1
5bda746fee86f924d5118750e1879df59e7a90e7

SHA256
bd60cd5521001e31eff6a7f42e433359a5088645917ee6893bb1c7b1fd05e66d

SHA512
66e72a92155662cd5544f261d957ac6077653ffb654cdf8e7798f32c96a095ea9900eda53bfe3f1ef3d4a4d7419377b54abebf2643920a74f4a96aaac07e7cd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a3d65d0c71897d2e746c52731de6b15e

SHA1
ce32f81dff58cd379a8e4794d78f7b926fe34ada

SHA256
761db38f39debedf6a1e33e33a91dce6e09da8107b56592ddbaf58b1c2cbd908

SHA512
853b6c522d2656d8dc9976df6c9fb43a155d6d9411ab0c0eb24733f152a3c906fdd362f54a0ab8cfdc0db7fbc4b49e0403477442764841948f172a9943292139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e5ca8652d60fd5227805ffac075ed258

SHA1
24ab4e7a807a573d9aa2127d7798847d9ca8956a

SHA256
ac0bfff086581c8cc4b877f2f1d4fc0e0334ab700efd237dca393dc416199a31

SHA512
971169d2055ec11fd02f93040109c3bb33c3cdaa361df55f68fe539c615dc3be4c8948d68c6f6fc3c78ac5117e69f3e4d808d52e5c59958a4e40fd93b5381670

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
67bf03ddf1d76e4cb87c15ea93365ef3

SHA1
07dca5436523a0a364ab9e01d7ec9351f459ce93

SHA256
fe07723adda833ccdf0e29801e7ceb8a5320e9f5fc1087777aa36423a9709fad

SHA512
e062e002220b1c2f096baf6b06e68967879fc506c31e617e975a7502a541e99c6ab54248e2417e2ffb7a0dd6fb73585ebc993667389cd017447366bf31aba9fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
7f8f1fd023b83dae8de3fc69a35f280e

SHA1
ae2d48bdf2aedd5e81192de436f1f7887b2ec11f

SHA256
3288b5175d1e0ec108a8a4f19b51bbd823a217803cdac4c3a4d696fe6007670b

SHA512
7966166793568a5cfab74cbe1d2f944362e56c281d6b31eed1da46feb25a88d9449efe29dcadfae9df3f782dfa414b7de5cee0d10f9063d5e7642222f88bed29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
e764d7c02c7b4aaf42577c652337010c

SHA1
31f04963f4e88acde42dae4e2335bcc42dbe9f49

SHA256
8c3e8681c86dec16f2ddd1a4a0e047951a4d4723c90ef8a1926a6fa49d6749c3

SHA512
42f131f4947cf9fac22ac7899ff5df9adb416f8e3c9e64797e3e6fd3d4c00b662587714b67659894c61c9984139e1cd0fbb6bce90321801e3b48f1bd961d87df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
91f23b6e5ed03e71cf3e6e17b4871a40

SHA1
fea4edbf2d73db78420d2f6375d46f11fa6071f7

SHA256
1518fc0dd27c4a4634abe03f2f1f35a831055b95b69b0e6216f490fe04b0f7c0

SHA512
7e95c958024a69515aa4e97fc377c736520cc47a8f98eecac58c4340d993c7e1b8348fb6fdda70a27be0a2ae5187cab8c6e6482872dab37bd39731476f18d279

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
dcbb2bf1a3ef9abbeafefa1a94864ce5

SHA1
20cace5ecb2ebdd3b7447cc3ba5285228de19902

SHA256
5247e66a58f755cd40c0717ad50daba352c72599f41f03fe3504a8ac0c820739

SHA512
d1efd2778090b5064d76561e45c94c266d7d7614ae2624e55b5786668f8da1478149da3e01f5814b994c14f199a858c39694c7a45b02432ea79c89d0432cc4bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
da932fdd9fceb471d08d248b98283a0b

SHA1
37fe16dcb37d3b0d73c226222af17a8e6a608fca

SHA256
a93a7a294173f0cee1d9f68e35a3d5627aa69fe2e4ec065de15912560d677af8

SHA512
9d1517e23163aec45111eb32f3b48a49cd8245b3597cdc2749fbf257a36b81db1deeac5a9120792f0ea8001c0410abd99705bfd70e5c2c5b52bb7636d589d0d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d54e67321164b7090c2c93de3d108ae5

SHA1
ecd8fb5e1bea528c1b874141bfc8c922afcbaef3

SHA256
2b90a7237cc3244c72eb801c126f448828d94edbc6bae211175d3d2c8623742b

SHA512
6532075ac1821efb194d5dd15b37a818e51f8eba9d03237f286c924ca877655c9041c574634c6672d9cfbf90151c5cce5ef020e6a13a457e69e8c0db476c6ad8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b246839f216425b518f2af8c96b97ff3

SHA1
370050a43adc9970d29bb5d795f2bb13fe69aa52

SHA256
bba1987a8229a39bbc2ca3d3e61a3182f321e89ac3b31fcfcb19c4e6e211046a

SHA512
ebd1bf8fd2e45c9ecfc8e706891fab4fff2abd8ca9dc1c8578c50bbb3b13a85080d2ddb97802c0db6f9f0614eee651608e9f646e82064b914cd5083d1ed12d68

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f5e5d2a154774c7c7d0f945fb2aeb4e0

SHA1
c2bdcd9f9b8b603f9ca28446495b06a4c7be6711

SHA256
89115c320400de7b3c1f8eaf08fd54878e3a1e161e485df0d3e3292adc871ad9

SHA512
a97fbcef050b87c6fc105ca65b96ea4af57e016bfa6a3a253dcf59278d4b51dd991ab5f03a0df20a856bea0f50f4bdddba82d08748708f2f40a01c68681c7b1f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
305b9ea20f2dc594956cd05ad2a7a3f5

SHA1
2f32971f8bd56f24c83e109339f49c46dc1e4962

SHA256
c522792197a0a149fe46942b4ef748c6aa948df137a622d7fd352a6119313d1e

SHA512
c3c38f19b5014e8643582a456453d03c0ba4fcf7ef76799c0becdbc0946da87709dc33541305900b1a37607f42c90616ca4bde4a987850b37223c1e9be5fbd4e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6f499ad608a4aa0149e5de3bec3c0f95

SHA1
5459ec62af606ad709c1999b4ccabe62e7647f7f

SHA256
bebd8ff1c3ac76058f52cfb2ca5fadbf8d677088a8bf76856d0290d268f3b724

SHA512
486fc235e089efb72886b84cb73db3a3cf2fde60b508dcf0635e3044a4e8fef7e3bf9f8b4c13d8875a6ded60f53c1eee89c66e3ae5a15690508e18c0e1c7b0ec

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b36045eba6ce345fd6521b6d5dc8605f

SHA1
c1a31163f9e8ba97bfd0039187f777d1fa243608

SHA256
dd780b6c7c23e5e9973e0d5f90539631ded4f9e1dbf3fe37514ea440d6ae6e5b

SHA512
1462bde22177baf8e18d2f91a7dd94d31c73e0c144177183dc1b8a945ed4f2f621f40b3e4ed2b92035efea380c8fe41c884984612fd4d9d9a9e442058e342252

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
ea44b08106a6c9a140a34a5ff0e312c6

SHA1
8ab3953886c25c320487f1cb1a5ce5475f0459af

SHA256
aebf4b1c22c1c4c8397cba764cd4ede4f5cfc397f7a16d09034c9c1cd570d81b

SHA512
2968d31368b6657e532fed7057bff1ccd8c9ad5a792a8fe4e6c0d98ef1ec4f26f7bd1650a87feba0d96b62de3e3f7c94b473ef531b6e23fce185e1ab135ef44e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
46d7e16ddbcb8a2af7087d56e3e40797

SHA1
175fa60c8710a37b0bb2ffa215d209bea1fe4f3e

SHA256
79f1744276485ca50506338c2fbe73adbc6be5173dc3e18fae63e706c439038b

SHA512
2bef0b894145e64a4468ab39c14787740f91c157220ee7e4746f492139a5543821937d1c222a5ecd92e74178ac08ab896822133acdc3ebcd88459cfbc723d32a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f251791fc9e3aaf13eaaf6bd5796a335

SHA1
468ea3282e3d8961165b7d0e2d1d8a76f39c6a9e

SHA256
e87391a16dbf05edd0a93d53c996bcff575a02fa9537c24e49037d988fc31263

SHA512
32ba0d65128f95ab1dbfad07a29d1d9ff6b20ad7019073732cc215f4fbef40bac0f81690443f592f19993264ece6da2f726886b37664b4600c21122772450b26

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
457210e97ba00e76b3b2eb9201d30c53

SHA1
45bd03577a316060ce41ec69b107b933a13e3e55

SHA256
57969403bef6f0598b401452dbb103bfde3e7253a5e29eb12f9094f6f227a0fa

SHA512
f236170c4a10c947e797943c8924ffac35b034dd7580111533ea698bb7a5bbe9e77617d0eef0044dcbf56e396042bdacd29b79812c76d49c5aac92789a57da93

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
1fa6010ab2f86126258c20bc959a7dde

SHA1
05bc9b7c8231f7fd1948d3c5c5a2bcbe5aa2445d

SHA256
3ecc41d99d4fa2c212479ca67c4ebb2c0bfd386e0da48db8c063ae3c1e6ea4e2

SHA512
5d0ce95fea27b9381d75f21a022582005c3a1909f292cd3a34e2079f9dd8f81d65d92a55984eb82ea06fc5872e54ee2682b07c310a008a23f5c7fb2649ccb0b4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2c4726ce6b119e30d6b072578c10a666

SHA1
bf7835e6dee0e38b8556391483e061c74f8d988d

SHA256
655d4d30347967b0da14ed17e2382047096cbc79129d5d2555bf3b817ea88c83

SHA512
f7fb142db1c6f2cfacdecf712d8c2c28f1a71972b03668bc1b1c43a93dba7da5c25de2732f20bda9e0b07993a8a794227245ea205d246d12116f5a15c9c2b554

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
83d344a5b7fab7e2cab5771d7d5a8b21

SHA1
fab035663209023f9a4a148dd17309832bab031d

SHA256
40830f9aacdc87d7e17ed464ecaf59206f8bf5f3e33bd6598d8ebac6e3dbf128

SHA512
f36fb589bc29849b1ce6a5b1f320222371ad129b9afa10337bf9c1dc27e8107a3b56da568fa6909326b98133df8f4b400abbc340d3d68874d1696df5a79d2a63

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c13c9c532306b6a963100b8eba07d94b

SHA1
935b811337c63b77a5a208960c97bd8aa510cda6

SHA256
075b0571f4f4e3fc975e185ad96f71e0f499364e84ebc518edf32a1714fd182b

SHA512
4d553cb8f109aa3570ffb08823d5352b03c3d2d9c75d1e29e726b2be6bf4fb44d73322e1d0b64f1bb2d9996be4c30690eb9a4a37a200d174473aa6163fa6f615

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3ba0fb60966bb475bc0f4967f7210c8a

SHA1
946b26118d0da73ae5761854c5e94c0f8cd79710

SHA256
a94ba7dd4adb3d57d63056d71f8ceb51a20a36798408e86205d02685fa8c53a8

SHA512
07e2127d04549ff14810a1a6b9a181267b6c1424a2e1da09ec3afde7539871c6e7fce1a6c547efb25b5c168927a5d5fab3097550700e248ae981559a37a19196

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e7a6518307502b9ae2a63cc3e82bd116

SHA1
39ccc05116567768c307faedb71f9ae2f23ab1a0

SHA256
3abc0303385c184689c2dce91f175ee6a9b0574186106e89e60d1981f83380e7

SHA512
13ff52863843c858b0b4ffe10b6a37fabaa694b398e058562d099a8f28dd4bdfa14d7ab1f3acfd51d06818db49f229a58a189508b3c2c3cd6195aa3f882917d3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
9bc7e6edbe7d6c73661005d26686a763

SHA1
273743e98bddd89bbfd9dc0f03d8355840f07499

SHA256
f5a424c0054ec64613a42b6cab046911e00630233a00ee64de79911b6c1f896f

SHA512
4aef194974df2887f6ced7e6a882ec84c37d035dfeece8b745197504a5b5ea09d18e94191a7994187fd726736e297269bfa6d44966c20f3645a559f44432b452

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3392ceca3da32e0b27901de921431e9b

SHA1
bf69fe135e3b0675a905e5610ba1b29b361ee114

SHA256
94e72d8fe29ea4513fb7f74a9cf54fc9d8a3f41b3a12da1b243aadffbf2da802

SHA512
f9d67249965a34e071a288e862de8fc9d44723f1ced473465ade918ff6aabbbaef49985377473aeee92764de3fd318099adb9c5434a74395a733b65f90238b17

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
554670c8b2e286a5e9ef1b08b8ab077c

SHA1
f863266b33eb42db6c9a01c5fab95943d5093f37

SHA256
a220a4ba6adfc16bbad3f67f868220327e496cd6f0709839db87dbdc920d72b4

SHA512
3e47cbc4e397c144bd2f6a8bd2cf9b0937d960160f654bc1e7de2906ee384a95983bd5db8ea678e85f40c437654fe201a2216715690622df268ac140b72c9e33

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0255979dfbffe834043e037ff01ce200

SHA1
0407eff892625e53f4227a93bad8bfa1f02a6112

SHA256
1930c2b5c9e02df48772cb54a815062badaab481f27f48b2ab9e68dbacc08817

SHA512
95a0c55cbf989ca1abad3af159bd3fe7cebfaf09e9913e479da781a0aaf5c4715149ffe45b277169a18f3c1e47fc679e3081e76baa8ee9faa5f645aacc030941

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
bed53d344cf35a3497516e164862d65f

SHA1
42e3fc3d36cdc9804ab7ecb52edff9bf0be6bffe

SHA256
e082f1506efba185a055d3832e9168fe3ed0a1aef8105663ecbbeece7c2dbd6b

SHA512
1a2e3332da370e9e6429bf2cadb18016666f3aece6d0173da07dbbf10b6a8ed99a49a4cb6af6b4a9ab59306d183fb03c14c475f8cc83a093b064be3a9b53268f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
20f8338a9ad1966d1108111b64138674

SHA1
fb5b04eecf06a967af82b76ff2058cce86dbe023

SHA256
1baa8d8264a01c183ded70f7c54f47cd560b4b2a02846d1c46e6c13f5ac96ae6

SHA512
8fc794ded023832d3d5d11a000abb7d64bbeada1c32cfb9f19651fc37b2e13eeacc0c07536c807b1c22e5e03859baca79e4059fa28b283fd5cd483ca6013d62f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e6cafc0ff27448c77887ddee887f98e0

SHA1
d0e00b8e9bb8414ce8b5ed9ad51c1bcb716267d5

SHA256
28b4b23d5a71b7aa4ebb8b3eac4fa142a42dbc1931107bfbd204573ccee3318a

SHA512
4c08a9ba2bea934a10e5dc2fbcb4ae6c42ade771a2c202e2bfaa51b06315ad11bba39fab23c0e9b2107797f601c0ba5d2f5851dca118b69c590e3c817a026221

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
fcdec24f61ea00c3ea44a04c83794932

SHA1
d2405b4bca307e9097084a6e47be7aa764f9d347

SHA256
c679a42be56d4ceb28baf86bcdf3ed3fb2104a0735343db9c9681e29c90aba71

SHA512
1dde4db8f9c495ced5c7be7fd68df9af12b07e0d95899446d5de422c4ea9c12f12d57b88e3cb28e511d69694e268092b53da2345832b4e3ecc8e8159c917bc1b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
49ea1f3ca57ac6db15d4d09e2b194428

SHA1
8ebf035ac1b2b9cefb61f38727cca700b8c07a69

SHA256
144b9ae4a2999afad0a708fd0ab07838c4da92b71fdd36f48bbe29bca600c3e3

SHA512
35711b53e38f3b4a27568ea40c022318eb023724d16973709243c3ea03f9a670e8411d7bca08756cd0b264a8ce8161eb51bb6d68b0452fb12ee76d1a61822016

Download Submit
memory/768-134-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/768-247-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/780-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/780-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/820-231-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/820-113-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1128-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1128-476-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1380-47-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1380-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1380-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1380-44-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1380-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1460-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1460-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1744-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1744-568-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2088-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2088-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2196-192-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2196-557-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2228-208-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2228-89-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2228-97-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2368-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2368-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2368-73-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2368-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2368-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2500-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-560-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2720-565-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2720-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3436-267-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3436-147-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3740-6-0x00000000008E0000-0x0000000000946000-memory.dmp

Filesize
408KB

Download
memory/3740-1-0x00000000008E0000-0x0000000000946000-memory.dmp

Filesize
408KB

Download
memory/3740-88-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3740-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/4404-31-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4404-145-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4404-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4404-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4548-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4548-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4548-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4548-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4736-567-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4736-269-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4752-57-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4752-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4752-172-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4752-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4824-451-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4824-169-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4896-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4896-104-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4896-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4896-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4904-235-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4904-116-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5100-197-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5100-561-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download