091630349fb31f22a455cdb410f45eaf3bb2a6ca09dda7f9e31be6c8f2bfa066

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 05:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Size

712KB
MD5

0173ca335597c3958ca92f3892dc3f4f
SHA1

085f80ad01f0cde6ca88080ab0e96a650473a4b2
SHA256

091630349fb31f22a455cdb410f45eaf3bb2a6ca09dda7f9e31be6c8f2bfa066
SHA512

d21adacd4626658128fc5f000a2f9403a3d5a396a99ca5353a918f83986ba4f37ed075862fa031b19212d44b2dac636a288216c316bc7feb49d858e04def9850
SSDEEP

12288:7tOw6BayTNjYGgpK/vnRsmH5Ckt73qfKrrzD89f24pWYbCXGah2JoHq1MGJlyw9/:J6BRTNjx+mZCkt76f/24pN+XNqNG6hdn

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3524	alg.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
808	fxssvc.exe
2500	elevation_service.exe
3964	elevation_service.exe
3968	maintenanceservice.exe
3024	msdtc.exe
2568	OSE.EXE
2196	PerceptionSimulationService.exe
664	perfhost.exe
4280	locator.exe
2036	SensorDataService.exe
4436	snmptrap.exe
4480	spectrum.exe
1588	ssh-agent.exe
2460	TieringEngineService.exe
2744	AgentService.exe
5116	vds.exe
2072	vssvc.exe
1660	wbengine.exe
964	WmiApSrv.exe
5040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a582678352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1035d28fbfcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068516b28fbfcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb7a3428fbfcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a8f2828fbfcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5508a28fbfcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9ade928fbfcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Token: SeAuditPrivilege	808	fxssvc.exe
Token: SeRestorePrivilege	2460	TieringEngineService.exe
Token: SeManageVolumePrivilege	2460	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2744	AgentService.exe
Token: SeBackupPrivilege	2072	vssvc.exe
Token: SeRestorePrivilege	2072	vssvc.exe
Token: SeAuditPrivilege	2072	vssvc.exe
Token: SeBackupPrivilege	1660	wbengine.exe
Token: SeRestorePrivilege	1660	wbengine.exe
Token: SeSecurityPrivilege	1660	wbengine.exe
Token: 33	5040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5040	SearchIndexer.exe
Token: SeDebugPrivilege	2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Token: SeDebugPrivilege	2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Token: SeDebugPrivilege	2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Token: SeDebugPrivilege	2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Token: SeDebugPrivilege	2440	2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
Token: SeDebugPrivilege	3524	alg.exe
Token: SeDebugPrivilege	3524	alg.exe
Token: SeDebugPrivilege	3524	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 732	5040	SearchIndexer.exe	111
PID 5040 wrote to memory of 732	5040	SearchIndexer.exe	111
PID 5040 wrote to memory of 5080	5040	SearchIndexer.exe	112
PID 5040 wrote to memory of 5080	5040	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-02_0173ca335597c3958ca92f3892dc3f4f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:964

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
53c513a6e348c6010be702974df772e5

SHA1
b3fb950d8a60d83dbecd20e146d2b01a08f2dc26

SHA256
6384298ad7091529ad5a9327a23f5ff6866ad511f9bb14276d5895aa541ff452

SHA512
d0f50f751af5f6d7534e8af827200b5619cfd0a5c95ecff7c16080001a7dc85fa02c3cb479193c2a5c5fc9bf3e517b28acb9ef531f0d46b334f136022ff94f0d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
5ed79cd8f39332e3a671cce5d8e45617

SHA1
737d57e8ddc49287507e9bc9fa038337512cd77d

SHA256
1b34bb3271c595b926661e9352c6008b830c4edbb8ddd5b887170253f6fd0d7f

SHA512
8d21c5dab6e52f032cd002a388ccce950b2842b34a2cec6ff4d8b09c3ce09a185b8b411e9f9836d525b6dedb5bbf140af1126270c73af0afb5becbd2658b0e5c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7520fda6043dba11b6427e0041dcc89f

SHA1
fa4759ada7ddbfa292914aad7c8a440d02695f05

SHA256
095f09d641e041d28e0c511c5101cbab0df674d5d0b8a088830b69c752d1066c

SHA512
89f007efd5831df7082796dd99a6ac82d3a59607491baca75bbd1263ed64041fb3303614f6160a94b0ab334b713e2f4461ed4ce35d485b42c7710fb5074628af

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c81c23e6f30ab8acc9fdcb38e3da75ba

SHA1
f6896b3e0b617f1bb5acfd7a39c01e843db9f74d

SHA256
e5971202377170d363d445e2ecf89ee1b614f85da30311b2068e58526ea854af

SHA512
f14de732d283f2efb45bd616bd7d585ec31de7f43c135b6583ee6ed488dcf968debd5da66f9d7df770a28b504f2b95a924e175e1e0109a959eca58fd98a3729d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dbb4d620bcce6e4af9514caad5531fef

SHA1
b1b86d78c254ca77f2e945534965e466bc8a6104

SHA256
7ae08ff072c2f3c44d1b3d60f78a2b56972a0805a33af9c009efe0f97b81bdc6

SHA512
6bea4b7b3f56f9311b43755d5628362a307f303db688985abf84ebf0f19c29cdf5e2d806b5214054d6de0cf6a3c16ea9ec2fd65caed3f3eb06b54cda6bac9610

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7a10cdd02a9ee9631b6de827d713ba1b

SHA1
0e9b5c18c12dfa43e166c853a68d1b0a466b39ab

SHA256
fe70abe889be01216d49fdc98cbf9675c81360a11e1375a0bbad6764ff7fe2f9

SHA512
c78b6cd8738660284da7c06593231ba5d1f85a6c72f4d81bc9f7d2d9df09e878418fb964abed789cd9009326e0906748cf0ba0af80580b1d6c99d024981542a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c964aa01ea2e1d5360c270bba266dcea

SHA1
2e03c054d15c6b928446a9b4ff98413b3411ef8a

SHA256
69c267cc3428f9adb21fdecb4c173c573698898704378f41491186aac68ff822

SHA512
6a19826ad4ad1915830b1c4069f143cad8ead405c3847d5d488061fadaabbc97923b6d0d012d4c54198765dfca53fd6cd91fb3da25820465e6797b38f3e4f1a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d5a3e46c65d6b3a96158b5ff8f57ad35

SHA1
d69fff0814782e62e912255dc671cfe2a6698642

SHA256
2bf510626395977fe03ef1de49f417ce3fc1d5f54d835ec9fc71b718f7a4d75f

SHA512
75b1fc784392c41d76179cc86199ddab80b07cf3b9d6d66c21aa0e15d13de19b7412a250fc64adb32f6547f19c7e087a6e419770d0a5e8e9af4bc6ee7dd6e752

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
24bd13537d3d1cc36e92609a4d256015

SHA1
c638ace0811c694e28b3c6869983c733d476a8f8

SHA256
4e01face95db06ba6eda95321f37128eb004efb3869a1c89694c5b4945accd89

SHA512
48c7cd4439a556b1be21770817c8f019d5a8dbbdaa79b54f3919433045dff826dc3fed35f76e072a7f486b1c27ed50e7eb9d42a6112383019678e80cfee661c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7328035ebbfba641835eedaab785d242

SHA1
2f19fe60cc65cd650dbade8c2a3c9f60a67d4d0a

SHA256
bdadbc4659da103261df8484911dcf8c3baec0618cf5a8639bc1b82f580b3e3f

SHA512
3d2fc19593fc0bfe0057e11b5f6e40da1326f057fbdec795d4ddb0032db36908266218968c4563117bc689d84eef95a72b94dd9ef57fd47b56701e0527b62107

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
870e87156b4135492097cbe1df97ec1e

SHA1
977838d7a9d38891ac4499d9df0769295a877238

SHA256
82daca25ca758cafd3f99cadbced2d58807e05f438a5dee81b6c9c7cf768fb45

SHA512
e14d30f51efc20fd26d26d1ce5f0f9e799a4a1db11e32076405d9cd91a695d1e5dd121e7fffa14fcaf98206fbf1a68e2dd332beb8d9c74f35de127ad0308629c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ba48568d49129f2da8ea7a9c2915ec86

SHA1
681421570cb9d31d16d9dd938a5621a04d1bf3ae

SHA256
5d54cf55ac95782d4ccbf36aa03a77c56c4cc2b4b55c3bf26c1861de113ab687

SHA512
9b47fbf6f32fc3ead7147e84223f34b12d83af4b49bb23e1532466a1227271ee9a75f1a5e2a2dbad83b983aab47f8e1b9c1eebf0cd32204c627e5c8d6c016058

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3bc8eff504148131fd017c3d3a3d4c91

SHA1
f48804a819eddf5203277c580097a7e962843fb8

SHA256
772aefccce98648bc573c6b8093123817498145e37a14287383349ed0d603b40

SHA512
66f47e1e90dc60e009ab45f015317094a3218aef0f96a1021c35f01bb60318512d59ccddaa8f1d99dea2700318a3800671ba50bac78b89516fb35f9e549402d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7b36e379fde33463eaaff5c741162a02

SHA1
f12a1827cf9626a3b607274985e63410a39ef041

SHA256
18e2b224f95efded12a80b9857826331d94eb0c1103cdd48b7d65f611c070511

SHA512
d69f6b2dfbb845303314ca55b723ab02641fd1eb244fb72b2974b6d9b4182969ed427d6e1e11e64e315c5573d6d51c423b579544aeb9956f369e3112bed6d870

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
072b1c32d364bc6875b1cf8893a270c4

SHA1
c31d5dd30a3176a546dcd62b2b2ae5a36427e426

SHA256
801212d89c272c5b5a72497133da7ab57ec97d0ce7096a5b422405baf312426e

SHA512
588c25b7e16b62f2bf4052cc612b9569ee1ea48688e743472760e3ca4d2a78eff2584f060673e417dc134c0b0c477ded401de29a505d3c66756689a4f09ccfeb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a11277dde98f6eefd2721a98a443d19c

SHA1
f06651f4c05c6c7e89438c418480b3f6e94a4e5e

SHA256
f76cf82e6294a9ab8c11788297043a6a18650237c7f5283a31ddfafeee79c97d

SHA512
4c0a115ffcc900e5b6cc6bf487992756da6eddc683f1ab0bb7affdcae5b3c8f7e6b9f94f9f73d6ed19475521622b9531cc1d6e1cfbfa509456e6993ba9e7ea56

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3e699509896fe90755e7dbcca7ef0fdc

SHA1
8afe621645780750034ae4c237517cfd0fe45307

SHA256
bd5d1fe2af68d1a034e8360a3a09c20fa17c50455753cd190225efbf7e2a07b5

SHA512
6c54b813bdc5213c8f74ca49fe6a075252c3e14844af95e90959ef0f20da135cb944027c354e5486b09ff4d5b9c64187ebddccbec07635af3216c199b18b686c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e92512cf226df5b9e641c3156a782bf1

SHA1
a23618bde348a24c3ac4a101fd78e4f447b2b692

SHA256
5b55c2f6a85a8a5e31c27ba65573d349f21daef91bca75d775af5e37f243aa4b

SHA512
04d48e75a69d60b17f72b36ea1b164f39b6189845768a8f529a7abf6854c55f02a876133d736baf16320f1a77a2a02e9d6a32763242b6b80f1a3d20fa7931b00

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
5fbdbbb8cea7c465ea8f33fa4d4061c8

SHA1
3841ece5312ecfec98ac41944de4a3d0adfad35c

SHA256
834ee996f075aade0c59d602b2d36b5818d293c8844a5f1d9f9f2d170a00e9d0

SHA512
87ed7d08917b6ea03e848fecc5800ba6aac406912f03e837f851400598341f5a09bdae885b93ae40c0d4488020e1403000cd8b6d4cb60f363807fbccd0c7e4e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e4b7a4e59d22e46e83db93198585ff79

SHA1
49116a4bd667ab975f60e04810637a99e17841fe

SHA256
48d3607454a6290b76c30008ac1027216394db3b36dde619910a540a34dced9e

SHA512
b20a90c7d27ab5f8950cd1ba0d92de611bb1249c6ffff5c6a94280a690fdc1c7cac105f99f0f6cc5b3bb2b57200618dc126f601ef768603e5f1c705aa423764d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
49bd3c3f13b9142d4cb7c38c4db6901d

SHA1
9caf7c3f6e3e0ce7dff2594b4cdb8ba806f03123

SHA256
4f9d54588c459ff730cb3c81a8a39e17c2ec55acad088566caa7db7017d63dcd

SHA512
f337e36a3412d732897951512c5af929b544c045d21ae4bcf1dd6b8aea909f592bb35eeea94d376ed44ee2afb080da410725621a87ef2ce3018077b5bda3fb89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4a231d361c913af4296a229738cade37

SHA1
398bc3d317cd601c0fbc491359e0db2cfe522f7f

SHA256
1453388be0926e94154ae82d2ad81f2d16cd8554fb5743afc3dd53fdf6986cdf

SHA512
93a61bc01c063a8dbc28f42b3f88fe7d1cb828f7ba712c512051afed0709e8ccce5f6f88594698e7a26d7e32108a8096c3d84a09e9d01f3815ad784556a09618

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7c61afb1d8ce9b04c300b184acb37ea0

SHA1
92001b6119945f7f61d06304b82c8e57c346a225

SHA256
c82c6011263084c478b7485aa2ed3f83088e7cde2f2106bb5cec319afcd620c0

SHA512
ab56629b775d44f06db9361777e36c702d7fe0ff9c2e07af21ce48db8bba13cf02169c170d25cba31f680477dbdd08d971c746fdd6e3324dd5b97119f5e35377

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b94152ddcdfa62a1718cea1c2d1204ff

SHA1
379f3db4361e7b57563605598fd0614ecfba325c

SHA256
590a44682d79d5a0c7ee6e0c20b6986e1393b944743706a4bdd1cb6f019223e0

SHA512
041bbf87e1ac2f932a6c9a8483cdccfcaacc54e72d36fc55c661ed6e500ef853fc761a7b00398bdfd6bea7faba5ec3d68bdeb6f0ac772ce8bb6ad0ce64b66472

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f628462993c59dd05a20d5478c83a5cb

SHA1
6b7f40e37e341e7e91d8bd19d3c9634fadaf372b

SHA256
0209e0826cd5fc2744dabcc1bd93e4949982902dc41ef81fba580214a459ef42

SHA512
8d29a21c8662d6f29d63199a443fff36c841c8549fb389b8fe681f32199d1482410114f198c4081542cea626cedb48ac0680c4672ff047bfea3cd67a5c4b3b18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
71f01596b9ff6c8492caa048d91fe4de

SHA1
e426867d38d8172257c6096ec01169b10b7f7975

SHA256
bb33779f9b372ac04c9202499b425f5bc6d7dc2a9353640c944d0a7a09d8296d

SHA512
0ad68d1d79caa1816a4166f3fc4e67dfe17ddf51235957e4fd34b27e614520b7367438af9d47824a1f7de66b62e46bbcbef663a254b073258d085f0a860058ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1cf5b5c2679555ed4cb7666388e6d751

SHA1
06b5ba08195bdaf627de89e39e4d562e96d2ebcf

SHA256
ff41c9bafaf40a7cbcdc00f485e002291523d5ac3dd2213be841dd011a01df2b

SHA512
a02df0059e5947f6ffa814007cf5e2d9a79277fa79b6bc8f8f0ce03f03d899e90fdb9550cdc97ebcbcd6faa3babe12d797ad0511ea41ce57d7511fb28f7935a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
55fd02de2dc4c51e5d2345173f07d642

SHA1
a0ccea3ca69f5f88bae51e060df688a024437eab

SHA256
7952de09d4f08c9a97e69cf4950b07209476747e831ca73b543f913c5d08a85a

SHA512
636bd1cb34b7d04019ae9c40279ab8a1770b0a2449b9fd34154af828dd341580b46f87f222b830de435d9eacf0c3798cfa34a425731cc3aac716d057f21aef5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7ddbe996a3e0d88d98fa87c7d1a83875

SHA1
4ad82701cb82bc6b060c33fc5203a6605e793264

SHA256
97870e0559376e6e23dff066918a99351d03487c845b9f1139928c770d624773

SHA512
12511030aa8943ed2f1a6176b16be11d435c194ee9d6f452f0e8f998c315782bace44abca6c7f03c28791867eab9040979537ca6607d21d16e526726323a06ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c02ef88cf211c3c79240b47ec97fe7a1

SHA1
8bd216cf765ae747d1a3f0f98a7a76acaa3060cf

SHA256
e10197870492e8ab15d0772f9d9e53aaebb1b81c5e6e095f134275bae7efceac

SHA512
c6fe26f2f6b6ee36598fb4bae1acecbca398b44ed728100ac94a40fc11c5bc5201677d32eef386fb439b821ae011ade03a58630094b628f4e938ff7f000e7a35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
96fd6c05a0b7b349e416d0629b331231

SHA1
8e7f9c7db06f3cf79dcc05300a1e53c9b8e67577

SHA256
bb01b4fecf3bbed838377115223bffe18e57844947c0f5524c6927acf873cd30

SHA512
7da8c70c9f26d4f46ebda5186bcdcdc918beed9d4f340050be2cd8c54ae9e820adccc0d2db871de67b2185ca5d9eee02cb4cf0ddb1ae8d22c36c67fec1907e25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
03f2083e30051f4e98dc820d53ce28fc

SHA1
8db00c14efd6a46dcdd910a910d9a94b40bd25bd

SHA256
a129f47abb659d50fc1d4a48f71ec73991f08d9c35a99aa4570595bfdbdbd493

SHA512
8b849ebae8e7fecfd61a9faa44e2a5be9cb3840e634ddef638b3672119e4d5932980e9e520d880d8e081221f1353f8c4bd4bb2045fd1fd639cd8d2147fc04153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0f7cc10623146e99a2d97baa3d3d7feb

SHA1
4ab827f212c8934bd3f964bf67798f9e9971705f

SHA256
76f81f84a2e3e1ddc0b9f5e105ffc897afcd971f732ae23baade6e6a2b28fd23

SHA512
7386c2922121259ac00c2c337ac69eb980c58c800134dce799191f186924006af4c6c9d6af2098a1c6d66f22dd150be684f8e65a9c4650a329b5e203d5e9fe36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b66d47601d7c1fceb22925a6f95977ec

SHA1
51b1f9e37454ba7a74ec9d51f00b782f996a6db0

SHA256
9134cede7d95e93e4921cdc6c6c2334dc98116199ef534aaf348941faabfd53e

SHA512
5892784b1d3ef120b520fcb503e2b91c6f0d52c9e31de774ad540dce95f138c31bc32d8434ed8a0c92858573bfc2bc4252ea3bb78f8aedd057433f83e7c4b89f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b23b9a1f33b10d8040e40d186e48fcb9

SHA1
2c4e95b6d42a47a2cd30cc63b9d2e29584ead48b

SHA256
564f8e0451286b13b724a9adb2471f6fd6887bba479624534444832334efb502

SHA512
dafa88ed289bd4e77f032dd529a0cf4337a328c4017538d7ff05fd6416b637bce56b7aae5258ae04fb1a56f6060577cd88ec452d57a8f0c72a9c3277e42866a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
00690a1e5b5e04e0a0f8d21fd680fe94

SHA1
e59d71d75e5dfc25d89932e91c961cf23f960864

SHA256
39036441c5b1d1bd1f3c3bdb80fbc7ab4266b762378673a82cf2e2784a6b9631

SHA512
d6a4b0264a35f6021d8c37edc104f77f450e7eb3a3c518ce18adc2de05e3c4cca9d8c1c993910e9f876288be7552cf6026f198e047771d28aecf4fd3e7b2e4f2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9632995a7e7a246bdbdeea4a354695f0

SHA1
e3708336e7388888544c7ba288196f9a26e69551

SHA256
9ea189930549c35d1435dfcf555f9217056b2915f842805f4789dba578562501

SHA512
f23013660ad3f8febedafdf4bc520b7fe3daeae44c88c81daca59a307288aab4237323b2f6eb6f8de1def8e8d586a70616ee7ef55130a29cbeef43095f7878b3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
69522f1e83ed9ea77047b2ed586db593

SHA1
bf78984ae5008ba02bb91a88d657787bd6f7238b

SHA256
fe511f7794c8d820c3524631eeb5dc6dc0cccc1be2440caa5dbab3f21bf0a3ae

SHA512
0458d850ff889f202ead1ebc2be2fa53e0d76feb4d33ca4af07a5686a874333b7498362ffa6b12fde7c1852807991630dd3021dabaeb04eae3b2fe9dab6544e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
651e26eb3a33876bb2a33220a99940cc

SHA1
c098d556d90833340370463a84f418bbfd0f3c27

SHA256
ccbaaf15f9d0b5b0de865672548e5fefd23f690455f7976be27b3316cdb5ba41

SHA512
b1f354388b206da7e46e3bede103a942e1866387b9b9c0df1e441f01c0e6b2b20671dd425034b0987b4ee0546138971bc2579a2b960d1affc8da51eff9f64d12

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f517c1118a92d794b5ce9a0ff0f5c0a2

SHA1
ed2f1c44db33348b9dbf24f958ad151242a4df78

SHA256
81776227bc66eb1e71b4728dc699662263edb1dbd6d1a1ac19a05aa39671d730

SHA512
c3d88ae227d98db1ab2c7366dbfa873121ef6d3d6473f00d7b73759579a24aeea9c5d369a0302ba2d09a13828a09bde577e4cb679d07ff5b541567184613b875

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dc548a15a9c5b91fc677a7a4c319b925

SHA1
1e53450da14891173edd0e466b662f1225f3846a

SHA256
530fb98d3ef4bfe80438874d762278d739c8c32a5a55740408b26e786eb1a13e

SHA512
d7554a021125a0b1150388cf1b9387d52d27905e28f93bc47821b88eb92c904cebaff82d3fe14fc7709234eb2eb81d90163804014e1611fa26aba1f022bc4818

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
93660d768a2ebac2050479f9bcea2d21

SHA1
845ef4a8b0b386183980d27716b7b326ebbd0db6

SHA256
addd049a103548812bef574df14327ed78749a9354606fada4e25dd6d3a18ba0

SHA512
7ca2f707d0a63db1473eea62dec84a20a85985efaca7ee22ce8bc10882565ec3ef216bb3cdf1c756302462ffaaddd0172cfb168393370ae33415ad8a5b80f40f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a243932685d1d010e4f1c071b19b2d49

SHA1
ee10cfb83fcc17d22252c3a6fbd9a58d04456450

SHA256
3f4f7b96cbf119887b3cc538e0ad4aaf531a0c1bdbd797f417cc4721329b1e52

SHA512
eb76edfeaca62523cbfd94e4302719e59b6e37aa040b589a600a0a5d6e6eef3426ce88bb6678356a95de8ce51987775bf84bac2e15bb1e0d928001899dab88ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9f75096b65fa5677eead46f8bab316ec

SHA1
8397eae830f8fda9b419436cf41490ff0478c6af

SHA256
e0a9a01e3ba80ac6e54054ca0801542c2c915e320fbef8658ecefaec82d9cb8d

SHA512
de3d2a67f44675ffcf8cb83be7dcb13deed9229d3486da0ced645e1c54dd292fa474462516c0af91a028b8fb38799a91ddb36aff1c97e7b6f5418cafee483d8e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a68ee43a09275c775b66b148ecf4694c

SHA1
c4a9cfb50d82f9822d727dad8d9d9c1ab6f34ee8

SHA256
4c72b158fa4f72e0878598bce0e0c6ea30c21678e2607935e22a0edf82b2dd58

SHA512
74b4dced6bd34e2524212f6e369921a57c67b292b15d30b3dae652b8429321405bdd7893bf09876fece4fd778474196e2fcf051f097d87b715ddf0f58b3eb805

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
905e4ddc2bec2f6c2b031d27e37225e2

SHA1
cfd7bbc6815ff388db048f75b93e1a56668995cd

SHA256
9c7eb064b9fb47b967433c9805c15ecad9cd785c1fa1fc2e7cfb601f6b44d615

SHA512
29af48795aad50e23a0254664d1ff9a621c76df7e41c4113cef7aca3e9e5e10ea371134b0538be1a5042c44f5b3b546f44344d79e455b0e65dd1e19c5e97f7ce

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0c724aa9c0454bdbf00d890b5a4fb343

SHA1
50be5df63b346293551224801b9920d2f289cb6d

SHA256
7594ba5b46035b4e5b6485e29a7a2877373f68fc7351a6c1b590bbafa0e5eaa0

SHA512
925108fd49c35c3e4c38a4c80789c45c6005292b0ec2be989e3b3ca1a5bd56f5412ed994188cb32bb6a2d8cafb40cd130c946927c19f6a2997f4b9bf92f1459a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f5765652d0e7f7593d92bc3663c852fd

SHA1
ee2f945fa33c7e8c31833d1b48af955f234e07f4

SHA256
d10355279683f00d32f37838b6eaa66ceb66d2a177de4326bf43f2afd85602f6

SHA512
536f1baaa7f719e24e72a640cdd2f37b5ab15c87ace04ec58fa600e53aedc20df3f3a3f3bfd0cfc6a2fc9bad74d3998def94363913461a652f6b6c2674c5b04b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d183bdc8cfa6fa16449166dd5924e1f0

SHA1
0f270de55dfb40bc93cb827620f9362d335f854a

SHA256
dab8dfb755efb762fe5c7649681408d87019a88f411795c83c2afe5ec75efbf9

SHA512
e80e000e6aeb0f993c30f98ffd81a007e75bf234e9abaf9921801932a6a23bf57cb3929f65ce537eb46af160d76e2ed22133ffc1307a5c3f56c1cbf6e3641413

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bb83bcc7028c102e2e61c5d414514cad

SHA1
08dc3c81b2aff9e90b791303f7e0dc66c4777be5

SHA256
b43e8d5a7c14b27c1c1584d852bbd49be54adb1900c5a4c44a1fbcce07147f0e

SHA512
4dab81d4d6e92bb98456c22d2faa9cb343b0d9ce4571b449f0148c7994b233c24524409a52b82e070981f0a7059a1e2a31cf8dacf8ed4ffb6d786a75d3a6ad9f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7f633aa06ba1745c04f3da8ab05da506

SHA1
b8be52a31f87eae3e5ccfce56bb4b53eb488b8d4

SHA256
f28a52da19c69b901342eb3d249df54ae01eadd03fac217e2f2ca2055ce710b8

SHA512
d0a8540c28f745cdf320327677a8ab93a42e41354f3a3812ac8ff9288f37f95c837975cbf961131671cf6bfaa03e539d67c3eb50b0bbe2e3d57ef550f9183240

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
94194a863ba63b4da0b292f68586f07c

SHA1
5c76568bcd3be54d62779e7aeb50261d4d05129e

SHA256
00e56856244607f0d9956fb349733e3c670a156b4b73546ad3f78e51a328f948

SHA512
d1907983cf9ed9797fc4dc9253cbe577288e2a071588aa466e8431c7e8671859d4cada4101d7e02c39c034fae782103169f7c533083945f5a271dbe1fa3d6d4e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fb3dac857c7e6dd0be932277b0da4769

SHA1
6bb33323ec358a9329b622c9ab2c7317bcea5744

SHA256
e87e411546dc047a278c0aec709e20c3651640497ffca59831e18be786abf0bb

SHA512
04cb331453ea6f2cb0ff8143819faec05468e5ad47a4b399d6c5724f5ecc2fe26bb97dfe17a55207efade546427bfca98c3f84274d9f40ff78061554423a47c3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9c3598b8acec8527265bda68bb73cdf3

SHA1
f6d3a2cf740c65465457873643fcf99c38a452ba

SHA256
422ba0efb495e13871b9e70f35b4933ea907812d7aec3628d82deeb2857bc1cc

SHA512
d427d112b48f4c1d8c4e5134905381ed730e955e3a168c22b9be8e9f8d7aca91440040aba57b490ddbc282c4a3e94d913e0f5236bd581e2ca1a95f2aacdd4b9e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
618bb5ab65494ebcf5dc0931250e868a

SHA1
fe7cbc3f6f473eb495d098d1d9edeb205a72d3ed

SHA256
1a8728a71e5bdb791828d9d243c8a9b4b884b090ec9b0b941161e3401519327a

SHA512
642ccde2ef284ad5d5cee7c62d24d05500e67a84b1e5202edc59ec0750c75a387bae6b9c0576150e77b77bee41fbc95c9a84b7ed6f0e0a838f89fcf8ad77b5c2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
399415fe2ed20493819120d23f75363e

SHA1
5f33dc9d3e89b11f38ecdba535e244891d1543e6

SHA256
fcf6bb2343fcd14343c9479e7fc59b7368a4f946417633708ec57cb298954e02

SHA512
fb4c4f01fb0fc8c9a09cca99a6e0f2d862275a6c595136a34a9a1a8171615e623698ab912b402d2129ab799ba6645084f3f46f2e25be58ef547a3c490737d812

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2ff382c6d911650c5d9d0a31d06c7bcc

SHA1
6239f8d1b255282888e914151e5b7ac4d8f66ca7

SHA256
84a9d190563c15b6634f2622798239be3b28534746e2c92d1ca828cbe34c5c4a

SHA512
cb3341f42715a8b1b2cf6baaedaf63ecf933f70dc53767b5cf4d6609008b5b6703ba44f02fdb7630054ed007d3fa7ea3d0ffba03facfb10e2bd594778b282ea3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fac9d18795807589aa26719f6d08ed7f

SHA1
23ee9a4040c6872488781565abe0460c737df8e9

SHA256
1c251082fe352d1e353d153d4e4dd190551768834caf57927ecb07d047dbd42e

SHA512
e88d93e46f5a3cb11395bd9ce2353583e36e581c312bb743fbec113fb39a250efe84ffb864937961a4e1bb9e4d8a7c2202d870d870325b521110c8a6212ffc39

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
958fb8754f72d60048f4e97c7ad5dd29

SHA1
d7fb1f0227301427f9b6e81b66c84ff943d933ed

SHA256
b3d6a17f85ed6173c35a4f0e220aa30e41604e194c0875a02b4010882f8804d2

SHA512
e08ee9e32e409e20e98a2ec88bba75f5f1789660f95727b8b79c5429cb824ccabde3b9e3869d6626438864d9d5c5b72350b381cd62c2e768df88f5947a8c0aa1

Download Submit
memory/664-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/664-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/808-48-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/808-39-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/808-45-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/808-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/808-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/964-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/964-575-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1588-435-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1588-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1660-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1660-510-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2000-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2000-114-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2000-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2000-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2036-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2036-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2036-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2072-474-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2072-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2196-226-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2440-74-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2440-2-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/2440-8-0x0000000002450000-0x00000000024B7000-memory.dmp

Filesize
412KB

Download
memory/2440-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2460-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2460-461-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2500-171-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2500-58-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2500-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2500-52-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2568-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2568-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2744-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2744-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3024-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3024-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3024-91-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3524-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3524-13-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3524-21-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3524-111-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3964-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3964-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3964-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3964-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3968-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3968-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3968-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3968-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3968-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4280-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4280-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4436-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4436-318-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4480-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4480-395-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5040-576-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5040-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5116-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-470-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download