dcd26232071ef65c117d6b07bbc2e1c225a6d75978ed1b9f96327fb73686ceb0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Size

712KB
MD5

f7b3b13f12e7d9c61a0be731afee14d9
SHA1

c1d16361cb724e30e1b4eecbcb7b21739bfb15ee
SHA256

dcd26232071ef65c117d6b07bbc2e1c225a6d75978ed1b9f96327fb73686ceb0
SHA512

17c770003c41b1f6617cb9e086a604868602673f08634c8518ea9617d46751dcac4bce0ac542aac0629b01fd4de6cd65ff83815f70d89e051750f8a614cdab97
SSDEEP

12288:rtOw6BaL6JvY67VMBNO/aXpXI22+VufvdIOKek1h4TA8bXQJYe:Z6B86J17W8CX32+KJNA80T

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4428	alg.exe
720	DiagnosticsHub.StandardCollector.Service.exe
4828	fxssvc.exe
1280	elevation_service.exe
3124	elevation_service.exe
4816	maintenanceservice.exe
4408	msdtc.exe
3684	OSE.EXE
1620	PerceptionSimulationService.exe
4392	perfhost.exe
1504	locator.exe
2680	SensorDataService.exe
5016	snmptrap.exe
212	spectrum.exe
1824	ssh-agent.exe
3356	TieringEngineService.exe
3528	AgentService.exe
5116	vds.exe
3924	vssvc.exe
3408	wbengine.exe
4132	WmiApSrv.exe
3056	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a2685a2dbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcf3d69f7cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c19579e7cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000318caa9e7cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030d3539f7cabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f86c8f9f7cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004af95a9f7cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e078979e7cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f48d6c9e7cabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Token: SeAuditPrivilege	4828	fxssvc.exe
Token: SeRestorePrivilege	3356	TieringEngineService.exe
Token: SeManageVolumePrivilege	3356	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3528	AgentService.exe
Token: SeBackupPrivilege	3924	vssvc.exe
Token: SeRestorePrivilege	3924	vssvc.exe
Token: SeAuditPrivilege	3924	vssvc.exe
Token: SeBackupPrivilege	3408	wbengine.exe
Token: SeRestorePrivilege	3408	wbengine.exe
Token: SeSecurityPrivilege	3408	wbengine.exe
Token: 33	3056	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3056	SearchIndexer.exe
Token: SeDebugPrivilege	3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Token: SeDebugPrivilege	3740	2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
Token: SeDebugPrivilege	4428	alg.exe
Token: SeDebugPrivilege	4428	alg.exe
Token: SeDebugPrivilege	4428	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2352	3056	SearchIndexer.exe	113
PID 3056 wrote to memory of 2352	3056	SearchIndexer.exe	113
PID 3056 wrote to memory of 824	3056	SearchIndexer.exe	114
PID 3056 wrote to memory of 824	3056	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_f7b3b13f12e7d9c61a0be731afee14d9_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:660

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4816

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2680

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bfd7648fdba67b675e319000b4612754

SHA1
c87f4640d56fcd09e1317828b04c50641786ff9b

SHA256
1674d9c7c45df681e1374bae67198a9ac0bbf0b85d83c71c47c8d97642e32b2a

SHA512
e0d4d9e25ae72d3fcb0ce0b3dcc86ea517f91f9504970f2eb6767fe2ef549000d18d8abc80cc353b55b0ce8899d6be7cea266295136826f134e83b60d5d787fb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d1b082c58e28b75bffa28ad1542b106d

SHA1
6f96d1ba8a3afcfbe79f4ae3468d74b523220cca

SHA256
64374657eceb52f683ca5e4df5b6c79d1da8536414e343985f32773b32327824

SHA512
caae4c846da73c9f56e28a0a50944408fd03fd097ea4c349894370123718b8761fb618be7607a1ef8a45b2045c69d412f784f6ceeea3a2999d5d4cc7fb46f1e7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4ec8766e6e17d1a405260763a6c0b032

SHA1
6821ec32a96a481d4918970426abd2879a966397

SHA256
b0c6264bb81b97ff5e4e1e3b9b34af329a2db76d1f7ea3f9827b91d50d1f9644

SHA512
0cd37ae83637dce2317d4c6f650fc2d6f840944e522452f420e79f14c1d0b7314ed343b726963b87bc3b6f124b4007c7e476a95c5aac45a3ee015198c56977be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2a376e355618aab1407dcfdf93b7a57f

SHA1
e6f6b51fe5573d9be2625441aaf790e7b05a6788

SHA256
1c1bb098bcf4d7461344968871986897bcf8d81128bfa12b1943881ccbcb1634

SHA512
a2ac6b77868f8c78fa23519480e10e978187195aa2fcf8436a14fb186b6ea3b97b95b62d1a1505b2ab324fc1920c7ee542699dca233bd3f3e27256765425d87d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c2f97ac6235a0e00154fb43dfaf73933

SHA1
9ef87511ff63fe94897e75ecc2b47febef3367cd

SHA256
fc14a040483cb67412470e35ce94f75dcc6bd276546dec44282e9f098752423d

SHA512
7e6da32503c30adf64e69390f7dc973fd0c793347670c0f2dd6b8eb1dbd66a7c45afbb24de44166fa6c98e7ba1521404dd5b5ed1068bac7e7b70f5ce802e5bb2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
40708fb078fa4413ebf1cb3f377468bd

SHA1
cb0d6e38afdf374bbd83bd61862fd19338ad764f

SHA256
87f2a1fe5083b278920cec98e75e75dc705f63afec9b643c2b5fb635b9dcf929

SHA512
4ff86a1f384b41e124650498d4b60959a189fd10b43472fe95889adbd46bce2d09f88e06c670d2a132ced60e500988af0d15f7001f75ba5929c53c0cd86f8c75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7da28d32a85e53062fafcef05bca7733

SHA1
ceccfd6f1510b0fa727b588fc314caf6dcfd7a55

SHA256
4ad88d8d8392e3c7581ea50ab228d5e5e1c15dc4f69ed5d8dd99ed8d0c439a52

SHA512
7af99bbf23a20ea9d7224bbacf40dfed6c14877ba79ed8a2684696593fc4147a559db413d01c95738b9b40113d8483b169619dbe32c4f4abfa1574a042479e51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2f5b4db7cb8268c74b6c7034c65cb230

SHA1
58af9a0413552f9be260c479b840f35ca0b34cf7

SHA256
5e98e056e797cc9fed1a2b8e8c24cc1656a9c14f7effc8d5f6eb3427304a47a1

SHA512
cce7b2236e611bb409f69ebb797322cf82f1e77e383e1789a2f9a97d6c691a5a9c469e990425665dc4ca2aaeece2161bbd8d65bbfba7f1d09554e5d4c3b39859

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d2fd8d32fb240f3983038b785953980b

SHA1
5ab9ee3b0aeeaa5f4e113fc130ad14937f48546e

SHA256
345b073a232723559de89e1658f492ae5bc80daf7e97a4d264128f54a49d2139

SHA512
7dc2cca340ff6c20221ee6f23fd0a4e695b425596d66bd86152e13df765377c059ebf0c21a9149cdd58157fa5882a66983185e13f3c2f53f1844265f858a7e5c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5e0e39daaf728f6e304d22edf657cb35

SHA1
079a5b116249f715885b821f6f7e41d7aff9f11c

SHA256
ff2c159c792a7940b6dbf8347b0a1664fd0d50e8e0d86fc2ef195127fcf1f880

SHA512
aa46c228c8f51130dd0ba78752faad28b19682bff75c50d58220ee050222ed25705b6bd8d231c60500865009470214f259a1a93fa64af13e8d56ac56ea9aa569

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f0f5cb2c2e0f9b054b228e9eba74315d

SHA1
d4780ffcbdc03d41f2b119087809f645a333e2bc

SHA256
9165131797addeb656518072481566cbb9c9ea9693073cc4fa3ab3606d6c0907

SHA512
92f869c479c8c7dbb186e943d161dac055a4c118e5f3441f9c7eaa42adef9bd8eb6beec09bc2dd6b97affabff2e7eb318c67d0f9922d9485efa1a133dac8a19e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
33da635025526403f5cd5985e8950a6e

SHA1
4205edc168d5024c9b628c58d86bd8cdd3da13e1

SHA256
5026af9e0a60b704f89e7311924e48d18cb51c064c9fd9834981da996b696323

SHA512
0279e36ac44b763c309a4c349dce752e0d00f1c770929890bdda1bbc7ef01aa73a26017f3d5b845a0950e8badbd58609eaef609433c42bd2d52a9d71a6a2302d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
09fff6bc9f8a0fac411ca905cbb9a09f

SHA1
af07c50d4c6b1d6f8dc1fdb805f22f0813669096

SHA256
0eea745294ed87210101dc8262d36a3c97ffea5819a388681e04cd9f6aa9f3c1

SHA512
58630a78cbcccab6c8d8926c4b9f4b259b09f4fc2570ae79f129da53469cf6c4c0c8a85f30fc90e5f0d4e9c745d69b07fa3d0563548d7c8253a207a706895ce9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
422fc8ad4adf645bfb8a25cb69ff6194

SHA1
fdc4b0a40de1e0275e20cde65f07d18783dc6554

SHA256
a6856ff9ca4beda8c2526e77d808f5c2e1a9fe2a62c0cd2afdf29982682c2b86

SHA512
7338619902c22dca5256f6c7c834e5c60f55872427c55f4995fc1eeafada705418e05862782a2ed9fee0c7a9f08ff37602a47f92a267803f378b029bc4e63176

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b1f1a970f53bcec735e15612f13f788d

SHA1
db613c8fe372552596fc3389ceffe09e48a4ef30

SHA256
862ac66026c36b8fe378f55c327fbc16581d2b0c7582e98c3796a279b6a23d21

SHA512
22778e87e07ab98e0c4d7ed2d05b3e7dc015f3227fd4ea5dfd83f1144ab67854ac1fa67dcd818969e46beb9a61a81e6dba7491bda1bb9f68ecbb64d5f7f59b19

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e9a419b971ba3fecd34bd5ebfe014b95

SHA1
b3689c46288876c339a451f39a44155e03cb56a0

SHA256
a2117d0a036813e5874c8df62b94feba7bad0e3d98dea1c68423f1fbd99a9a24

SHA512
36370b50d28108d930c54b78be416657f4d7e3e46a63dd4d6b75a19af6b887ae9c2447303b24c378ed8020c81827dabf1b631a7a34fa39e29476f6477e079961

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
88387aaf683ece85ea99c609fdec3443

SHA1
9210090d712a95bea85eafac296b8794b77024c2

SHA256
27706cb6ce7459ea3a66f520811bb059fb0b218c36a2bed22566f9743fc68a0f

SHA512
1c2152204df115efdc9b3d159783d521f86bf15d7e8558ab192f68820c5045d97295f841228735f3acbffc082af090af1d90b241091b3c721bb798e427a64ea9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2c6c69a00f76b26a6e57707ef9236b99

SHA1
ccf93369c6e6e263d1dfd21298333641a0d151d6

SHA256
6b5169f5af0e6a16d5fcd4b68bd73a16667f3a8b92eb68788990ec394b891c10

SHA512
b61a03d08efa3e2f092e6e21e06650681c8577e760551b771f5f5c2d4a97f9d05d6b60e2add14222970410ac4db0680a8f5f441ff90fc898d0d454f1563462f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
015ae58ba71a07f25a289f9df4696f28

SHA1
75cb1133dd67f87b7855ea809cd7a52643d99fbe

SHA256
247276eb4d8626c7c37c1c1d0d91c9f1e148d48eca01dbb23ddb2a53630f8d35

SHA512
c4f8cb6972a66fa338ff691b1c11c6d10b1c5f10a51d9764211d6ab91a7c71874c4d821b6968043508da1e11cbac1e64e691ff1614c691ef3cd3e88391bcf38a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0fa82cd5b2a3b328ec031d5f3293da1c

SHA1
fcb15ad716c591bee24696e4f8795558f81e2e28

SHA256
b081e03d55d95ad066559c42338e0afa09de149a97b8badee0ead2282d6f80b3

SHA512
6a4ba4b3a37c1e51510aebe972cceba913a4727a4fcee414bf56e8ca67675d71ff66c9ef38a754a35c66497acba8fec9d9d9e3168f87b716c5ab6ee8941c2a83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b9adbd00a0d230147d2c61a4bde2d1bd

SHA1
cbc346f741c28c596b766e213bca65f62df9345e

SHA256
00b7c1aa53885e85d80ab3906c1d1dc47c70f700190896a1a3f4798f58b1a902

SHA512
40e1bdeacfd6ab6de29722405222473cad2b2e8bf3433624cf219cacee64bc72ba491f1253157bcfdff90e0371fa617a5442cecd9c7f9b2aa3e3adb16690d18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c203967e5ee34f2e95ae39ab15c313d4

SHA1
e1716eff2b8c94ad4a98e270072120a489c89ce1

SHA256
a61fb3f5de6df4bb11200e0b6ebd422271b52bdcebdcf559111c8e216bcde881

SHA512
7b2cbdcf6a65056afd9f6e51bda199063a25de99d1d036984d21d456e99f4c57be45188aee798e5a10e578686c25298fe07faaee4b8959bd957ce4503f5f94f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f96b15325564090166b57bdaccb5dd8e

SHA1
d149e2f96f53ce81ddbd9387e5c2c66cbde6dbca

SHA256
248a1b62a0bfaaefed7e82e0f40f49a216b182b53203dd195225c7193cbb6c8e

SHA512
eea46213892740bc0201be072f1e08ddb110741de63c5b8f5ae87e0b87c86aeb281bc587a741351681f17f729a0cf47149d60d18c03f599918b4e3c671a06e69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ed0df20c6782bcee9c1c2d9457e2fc72

SHA1
5cc1655f0f4526aa5468c9fa850d26e36b9d3c77

SHA256
90bea5caa4a8d800f9ef34e54b05b177eff04576ba1d47f9b059ac1ac2a69c9b

SHA512
1a1325b3eda393da9ce572463f9ad5f7e32687d57ddd873991d2fb5dca4153b8cc3cd82ef58e376591d711956322c8ca38c7e121e59d6148419bd2121f79d525

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4ff23fb2a24b25a19963adf3d828ad90

SHA1
f564f83a46106577bad3e80ac2ee047bd284f013

SHA256
1901a38461f4ff4f3d2c61f0edb354d53cd5c72d7b5dc7aa48d15ca17f101862

SHA512
b726b4472bd47beaf34c2e6a904366775d715ed696a773cf9b749bdae2aed702190bac8b310409c750a3d900de583c6c631302f8cb35366ed8c66aba8a0de543

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c254983d4f6461ef2471c1050a9b8014

SHA1
638dc2ea082c7a58311014b485b38c92f54327c6

SHA256
cd80155cc38694e9fbc98061951558b411acb59536c334ae38767754a827b399

SHA512
7faf14b933bfc53057264e244ed01a503f088783cd0a4e440744a9a35c2a1b4e8c73bd6971912b174e200531cf9434e19feb74324b794e84df351390a76aaa2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
190446a95b0d3ea763e8b9adf42cdaa9

SHA1
d3ad5bdff983bda22cde76d5c7095d0077a167b3

SHA256
71a5832c775885d545b65ba668f2703dc9423010c180a2ca9c8f3e2e4bb19136

SHA512
0aaf0854dd5d21a0a73bd2e787309ca0063cc104120a4dc7a34a2bee106f7541c5eb8179010ceb74b7c094a2ccac3ec58b1228e4eceedea6faad9b91141974d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f17df1674ac1ff2a5b689db7d27cf89b

SHA1
645190fd9ad54d7116287934cce50323450cff2a

SHA256
d68671549f1b4614944a3db56f1cd445a957064d33f465fa510450c923fd14a1

SHA512
34ff7fe5ef737dbe60b54e0cae5846e0e72dc072de17784380a4e147f42b9d8b60f3b34bc1bff209524b605aa9e71fa9599a8a5e7b71f5c6f70d34f2ee54573e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
85a6c136934f030d5518ad313b3ece2f

SHA1
56d15a0c4d558bb3a0dadf85f82596f218a95c17

SHA256
612d9ad186ac756827655be2c948b82cb9221830a9f136fc0c2e45303c644552

SHA512
f083e29e6184b1be7d8495aad4d87aed8dcde0ca167dfda1cf9a39a9fe00ef62f63d240de9c91d41e7baf539301f3dc00e3e11680816ae89704494422c77a542

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
794043343a26d3a6779cdedd15f191d8

SHA1
a3259a6d7b7a275602e06c2468f0d7f7d62d9123

SHA256
4e4e9a74b07da798459fba8d9f0de4f11f8c7065f4779e088888dcc46c01be3a

SHA512
23c673d73f8090a8b1a22c2059666762bd669e88de48ae8231af9e0e472071bdd21f80f7d2584599d34dafa97322c10622c4a6e608a44ff0446352ae2b200ea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
3aeea30535bb2dc6e1779de357ddc097

SHA1
c3e32983f2e623358378ceea6519b1bde2bb1eca

SHA256
739f261db98c5671eb66f52ddca7ec3dcafcab4e2dd01a5e0c190bcaca1239f1

SHA512
0bb2a788ca6bc62cf3e5e543d75c3e9ba6ade4a5c2cb96b462cbbc3355e7a771845db3404949b42e061ddb787c991cf572cced7e75aa419e09b1d81faba2c6b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
acaa9aeb014726cfadb3cef27186f9dc

SHA1
329a22668202448571d61c7a8d331929301c7ada

SHA256
a5ff66245e17430f32f124640781a04dafa7688127a62158100b84659f0ed7f4

SHA512
20e9e13f94d864f0cb50bef4c1bf0ce2c256d60f61a15978faa58db96205776d4271f62748bf351acdae65842df6cda549105b0de534e294a75d73a255370f88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
111a110d1a54c688e908caddeb51239b

SHA1
e79480c2a6d5b8b241588c65c85a424e57dbcd41

SHA256
423677d95a9ca41b6553ca56535a3032efb0283071b4fa63028e992151e4d25c

SHA512
8d08dc55ef11feca139f297b322eb5baf891c8b24478988183368239c0380ac23b43fb5261ac14165a08c14bb1367b0b648e2766915f90b46fb2b564bfb36683

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
cdeef1e48fc1ab8e4583e8a0bb074213

SHA1
af90fb4d7d1adcdf127fc5e15b557d9315c15dc2

SHA256
489fffea83322deb14ff02047bba7796c630055e0ac6b657e7047b45dddc612c

SHA512
5fe292df9e48bf1225b3bd81859985240b8ca3c68f918a550ecdaf175b819fcfdfafdb689ac510fd62d7a3c26e3f216e516a57ae89d24fa291bb181c92546cbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
dd53d5ac948af4072f6d8199cdd16fe5

SHA1
f7585da465a7ef0026a80a2a9e2f163a121624cf

SHA256
d9b0f3598a049e5c7d273218dfbd1703ee3f03238ce28e9cf55444d7cd6f54e9

SHA512
d2669d511c4d2a63796078b2f6fd76713cbce13710c6de79a893a757c17913f9a61fa7c7cbc5a1cc38614fd837ef460285455e3bf67f445d4aa3a2beada2398f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
66e4bc12e6cddbac5098ebcdf5b3dd32

SHA1
861f40965b006d1992dfc6970b3b4fd81a6e7e93

SHA256
de8d2e77721cf39ea5e25eb86fa5cc6c09968aa330f3a7685e451983e64942e8

SHA512
60b8748f84e660cc69a092a7be7e91e4f10c33a39c9856638b37be846aea4d7446a2831aaa994dafc6522f7b623fb1e061c0ecfd50a0b9ee2485ca56c2fd24ab

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f505a74ba12157e0ef88e8bd8c7fa499

SHA1
008bb6b54ffbc3b90fdfb583965aee0e02cda234

SHA256
8f7ca059dc2383550f7350d8c8a43b5a2584da14e85ca078978e378784038a67

SHA512
c4c81b1682c1fa816e5c90f99a02aee75d3130d4502ffa1f6eb4d580cfc260269809c95df64e273c70b93088fa7e210a846f65659b61146abfca2ccacd4e351d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
57e5770d01f1d607bb117774c784de4c

SHA1
842ca4d94d4f874594b7e2690979dcbf6977245d

SHA256
52e56302e1f718235c3be2b452f17f076b3a75b49405fac58492576af2a18b68

SHA512
8f082378d71dab94a98bfa94be317356db5a1ce25fbaf91844888c479bf62018899fe57499e34869b4ce215751b0e8614b8ef6268d7ed1e9a5b345af938596ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e0f56d7af7be8e842caf5c7c0183d91b

SHA1
647bb94da14851751fb73f16cf6a34fe4a86fee0

SHA256
ca9425f41819bfb7f4aa549f72dc7d5468ef33672bf61d2cfbe0821e9058d29a

SHA512
0f35967670f86aa85f17c8709c9b2977acacba79375ca8e9e5a873a2431fed1f5f3c426d7693eed393debeca41a347b8a26ba6e6621fd3416f6842b196c954cc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7f2444a3bf1e568a9d7e4c0c4a6a4311

SHA1
b5e08bbbf9f86a87e787c2d7f072adaa014fd64d

SHA256
ad071aba5ce783bf96d88feebf6ab02b47c69da278e6ee265470ee7574145820

SHA512
e64b5e9b13f0a04000b70b08c7f1fdebdc4cb889f6d5c881875cf8fa8dea19dec4328ec5a5482d1610bce987a2cb5675586824135490c58c9b8a2eb201d2b851

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6411dc86b90a9c4e377d758592429389

SHA1
cc8a9c804e8717cec8cf8f722757e0efd98aeef1

SHA256
06532b0557c672f9b1aa1182914b82520749546d81e67647a5b169fcea4db105

SHA512
01314590002cc9b0066c440d7c7ad86e496de7c9a6f35a570f2b29b39dae0d0f3124d3b5d7a723b5d61839a72cc2d21750cac686d2ea37c2fb46db555009dbc9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c7a822fe8a752a260e85c0b44eb00cfb

SHA1
805b17d9decd74939463475a80ea6a12db38fca4

SHA256
26b532ad04b4a9d717ebc00180d2faeff806af819cbb4b8d3ff2a5b88ff5b1a0

SHA512
5134e6beb5f78a6126eca5b7b968bf985f4bc7c2e835313ecf308fb1e45503005dd944c3ca0cb5358248a876547a428966ba34b360415ed962e7dec304fb2648

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6fc82488d86dce52f30f046f7e32b18a

SHA1
d572765b6f38e0c849863e035cb400951f86339f

SHA256
7b5d2d7f473e1991dff68c0a4791f339d614d9948f8c430243bcebe7b6994571

SHA512
7bcc2d2771c8e876b2d5472153a7c29a14eacef284c1031b0161597e643403fc7780a5b6d0f529e05a38c1c4236c6e1ea776cb4bb965018f911659538bb5a5b3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
54f9374c7739887ea9e040528e0fc2b5

SHA1
13355084724d91ca50ca284a617711f86d202b08

SHA256
db58ff9cc0171a84fdea664cbfe7d5ac25b7256c5a950cfccf75e096d7dedb9b

SHA512
f24b040b312db494a39e15adce9fba37b753dcd0703fb4ca9a184cf6116b7fd1a501b2290d99af2bf90226f11d0ae0450e7c6604afaabf6ad6985e0663c63b9a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a4d974ec1a8179ee32b403bab972f1f1

SHA1
7e4252ca5487dca1d25182da577eadea8df9091b

SHA256
8784e189871d2baf264c68817a73c06174fd8209f4f22b541623e79af3f82991

SHA512
b38191badef1c2e9cb3409aa2f1e15114090e87e0fbbc9ba6755327e53621a49d6b3aa84bfda52cf17ce630905b4d7297a917da497f9be49ee783c3eed06e810

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
721747e2204bacba3b127477a0c78ba7

SHA1
40dd851ac58463ecadc27ce085e5df47f8f3ec76

SHA256
09720142943a7cf4769508395c0208a47b2fc0d7541b3e4f4c7fdc9ce2ca1c81

SHA512
720ec87c914de9dd1c0869c99f6657ccd4c4e866cce966ce476d7c9a10da3b93f5a18bacf1cc35bc244400557619c75340a53fbec5d8d02eaef465e6b16a57c2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
07304a098bd7231af8e85426d9a4ebfd

SHA1
61a37a6647e757fb34ed81e54793c255f2791bf4

SHA256
604b037ebba60ac45b5b7f7b441b6dcd25d4b04ecc6b5ba266ddd415183c4339

SHA512
65b479c6c1f8209bf3e61d829b8b7560f84b89866cd2695f3e680bb5e9e8b91d6c992fb99c1936f6cb5fb5143ae7417da3f11615481d1c221e99f6c1674c7f53

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
943d2291274ed7912f386c865fe46f66

SHA1
56caf8d7db694da4c15fe568f19acc30292eaad0

SHA256
13913b44ed7ca1b8942266f6f289552aa99cb158f097922dc3dc66d40d7816cd

SHA512
182664fad8c6dbe1e07f2b38f40c6b9ade8d09d19343f81718c1eb8e443381190fac938a55780da81ab9b908942e67b44c1b80008a05f4500a1dc58c567728e6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fcf1353a16430a4d6efc7929752ad1f6

SHA1
9bc9f7e942c5799d0f54fbbac491009f9a38d3ef

SHA256
22aa10db41a7350a58db4f7a8be033c37581352fa3d7a266f896727c757fa7c3

SHA512
506eb4ac35202cd6dea386f6fa519677b7e330d231911b474f815868a7d71f6b8b85c847772cf29f4aa4cfa303f541dd2433ed1ea2c561cf65f4633891c6ab34

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6dd27366ac4cd0303907125bb1593077

SHA1
fc38e1ed61d294786e55f9953bc3d56af5cea13a

SHA256
5fb5da21732d5cd27a73e1964c1db2922ba7bdbd4a349e5776d80af0ca9aa18a

SHA512
44ce29e299dc3171c17d31032e3fdab3e667a5413fe99bbee33d806b9cae7da49cb8a36baebefebda7287af897a82dd91588882afec652105938afff41774db5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0ddf61d45896377859cfaa11c3fcbdc7

SHA1
3c3f9053fe8da9d0a7b56480c39c30c173f0bbec

SHA256
a909a7f8493f5d9257236210374e2d7bac30740d5f78c98d9b2fbce20ea0ed6d

SHA512
e1d2fc685702ce58c412c0cd29e90c51b0e1615f9b4423e4e049075e1396045647706d3cad28a18ef02cf160e49ffb1ba40f56e0f94e4cb718890ad8f20058a0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6840fd488960773ba3d8112d2b2d7e43

SHA1
a14dfa72ad3b02fec2892dfd1ef5b03b31df6dd4

SHA256
d239f602fc68c24d37f715fba603f82eebbfa3f26f2514dad3108a5658eb64ba

SHA512
6cef8703101b2b3263710359490dc2988f6d1ed1c2ec5ec720d3ccd06c9ae00ccd618840c519932ce18b53b696ac28e2459f70c1f65604afd83daae44fe72a1f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ff35cb97e32c4859b9e92abb3842e32a

SHA1
ab8cffa9f092c34a4ab0187f4ee74987413d0f50

SHA256
754cd805c86a815d88313abcda071fe61e1d082436cde65fd61d78507efced15

SHA512
3adb395cd9816b06d0f893faac2e8b263919835e9fbfa00f78cb18096a051e305255999928c00564b8f6354f305c3dea9ec8c4768ad57cd2b6fdb8e68d38c0bf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7b63446edd4bf9dbe9b96328bb5395be

SHA1
a9be3661ea052cfca8ce11120f17a85b6ebd18f8

SHA256
09bac9689eb4b6368d18842ea68a50c1796df9a3692234583dc4618a11925f26

SHA512
566eb33f311eb02fd94ede29f6040bc13dc6c41caac22659e4700d66fba70ddfaef4f21697f4b0f634e36cbc69f911951f45637e21019b2c507b9557f54ad089

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fe55802ab8eef9be4b4c63982cf8a3c3

SHA1
ec0a455a070375c8cd191e7ddb257ad0aeeba3b1

SHA256
28135d0a77347748a93d2a794858152d56ce18f6c165931cfeb05bc83c307d91

SHA512
faf4d09ca86009922c1591dfa13dd27fa3d78ba1fe5cdd9d9431b07511fedb98f6ec6f37647610a8e4a67e92360dffab0ea5fe45ea955e7bcc3026c45f0f27cc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2fc2f0cb7b4f50942a6272b13157b653

SHA1
a7b46f9d4d1c1c84bafdcebd3ce18e626c3121b5

SHA256
f5be3e36a9180952356c5fae304786845b0d6678ab9b4e3af7114f4db021cec6

SHA512
2d7e552738bf6d60188280d7c62e37b1549d539ef7ade2f7096c10381af1680fed64a2329dc31b13a7de6f0bcc6257265a3aff66fc8a437529adb0840d8cd2ee

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
13c0ee57296a9e045faf69780e67a964

SHA1
cf6d30fa2aa456c10a71535a219aab564ce20faf

SHA256
4dfb9858a6371af766681f2680baea4fd59b1b2e7e3dae88fed8842737b06c45

SHA512
cf72ea25ebcc15ea2b2a1962f422b802715b4a3a6f7f44bb80c27e849fb5b1caeef7223def088ba277e3a7fb255bbe03ecea92b2a0ccbfb358dc03bffd7a35b8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b374387700dff2f7e1e1dc87aa846ed1

SHA1
7cfd992ff1da039065ef8de317b0cad23e3f1c21

SHA256
427526cfc1350126151e8b11299c5daa1aa75dbcd1814ae2b4ea58ebb90e37c2

SHA512
df065251f4563759c2aef45060360a5bb82a99cf7f813c98ff7f7a6c84d89045e7f0e31d0c1514a34e43193426b2667a66c47eee6420db99a72a696b2fcf0609

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
dc2f176838eb9b4d4dc4898b091e0e6b

SHA1
96c0969c078e485196e3dc6c2878d44f7b60a465

SHA256
e1838f0e19391cc9f913d863b4c27e91b16b04de2513a078d36c41912df1e397

SHA512
ecb2e2cdc9cd5c4c574bb093c8cbd648dc77d6436c1ff59521aef86b73d22c5fa081df12aabd3655d8d9dd474e317a5ac17c0dfc1811aef557cb7d92d43b7f67

Download Submit
memory/212-479-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/212-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/720-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/720-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/720-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1280-53-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1280-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1280-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1280-47-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1504-136-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1504-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1620-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1620-122-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1824-184-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1824-544-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2680-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2680-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2680-552-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3056-566-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3056-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3124-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3124-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3124-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3356-553-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3356-195-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3408-561-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3408-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3528-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3528-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3684-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3684-108-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3740-6-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/3740-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3740-1-0x0000000000820000-0x0000000000887000-memory.dmp

Filesize
412KB

Download
memory/3740-107-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3924-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3924-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4132-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4132-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4392-133-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4392-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4408-87-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4408-206-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4408-88-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4428-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4428-18-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4428-12-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4428-125-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4816-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4816-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4816-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4816-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4816-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4828-56-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4828-36-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4828-42-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/4828-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5016-465-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5016-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5116-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5116-557-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download