911dedb94945e5622a77b8c578b389d63bfe6ab1e926ad5909e479f10971ef6f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Size

1.8MB
MD5

94823aafa112fe92e06b03233fbb4400
SHA1

778308a91549289c3d113d4b5097d0281e3cdbb5
SHA256

911dedb94945e5622a77b8c578b389d63bfe6ab1e926ad5909e479f10971ef6f
SHA512

fbccf76d6a5242b29f31486a7cf221d45fa0043b9ed7920648d361ae384d6088f627517c286a94a3ad6cd894bd072640d7c6868b2162e1e5b55cb762e6efbea0
SSDEEP

49152:TE19+ApwXk1QE1RzsEQPaxHNJgDUYmvFur31yAipQCtXxc0H:093wXmoKYU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1924	alg.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
1316	fxssvc.exe
4060	elevation_service.exe
1132	elevation_service.exe
4712	maintenanceservice.exe
2792	msdtc.exe
5116	OSE.EXE
4964	PerceptionSimulationService.exe
2316	perfhost.exe
692	locator.exe
4376	SensorDataService.exe
4068	snmptrap.exe
4392	spectrum.exe
2524	ssh-agent.exe
1384	TieringEngineService.exe
2824	AgentService.exe
4616	vds.exe
916	vssvc.exe
2428	wbengine.exe
4860	WmiApSrv.exe
2732	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e16d69ae4a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000447cb4a927aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c11a7a827aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dff0c9a927aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000487bca827aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc3249a927aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018c579a827aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066a1daa927aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe

pid	process
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Token: SeAuditPrivilege	1316	fxssvc.exe
Token: SeRestorePrivilege	1384	TieringEngineService.exe
Token: SeManageVolumePrivilege	1384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2824	AgentService.exe
Token: SeBackupPrivilege	916	vssvc.exe
Token: SeRestorePrivilege	916	vssvc.exe
Token: SeAuditPrivilege	916	vssvc.exe
Token: SeBackupPrivilege	2428	wbengine.exe
Token: SeRestorePrivilege	2428	wbengine.exe
Token: SeSecurityPrivilege	2428	wbengine.exe
Token: 33	2732	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2732	SearchIndexer.exe
Token: SeDebugPrivilege	4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Token: SeDebugPrivilege	4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Token: SeDebugPrivilege	4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Token: SeDebugPrivilege	4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Token: SeDebugPrivilege	4632	2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
Token: SeDebugPrivilege	1924	alg.exe
Token: SeDebugPrivilege	1924	alg.exe
Token: SeDebugPrivilege	1924	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2732 wrote to memory of 1996	2732	SearchIndexer.exe	SearchProtocolHost.exe
PID 2732 wrote to memory of 1996	2732	SearchIndexer.exe	SearchProtocolHost.exe
PID 2732 wrote to memory of 4880	2732	SearchIndexer.exe	SearchFilterHost.exe
PID 2732 wrote to memory of 4880	2732	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_94823aafa112fe92e06b03233fbb4400_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1728

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2792

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4376

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4392

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:900

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1996

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f6090b8a4100500c25edf56ae3de848b

SHA1
4a1b3deba23e126b2d0772d4722ecd030258979b

SHA256
f1b1a091464dacb0ca17b626e5b3f3084b72e768fff1a1bce837a30e32fe14a8

SHA512
98bd72f86271de67e0d39eb8dc1cc07cc0812b8d19f8c4975a7e057e13be518c10b67d50b5e9895ac307c9d7b7900f1ef7f5646c69d57f420047adf59de1fc0a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
261efce22f0a99c9939660dc11d02730

SHA1
6eafda03d1ccf75f50db98ff3e4776032ce5f59d

SHA256
e9bd95aa931edb90faacbbc56ea83b039dbecb6e94849de95e0b36d42b945d1d

SHA512
10e6c52b4b744bf307527fd39d2bdde5f791534290cfd421ff27c9e3c2214e90f2a93fab9482784878a2c8a4628e052604dd4ce407417c76d1f9d1d291bede49

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
375e540aa8f4df0f07bb0328c0104011

SHA1
a86f610b9a535da6cf4a756af6ea4c0885b05802

SHA256
6c6d765faa37179378b73085de737d32bbc06a04f2b0771064995f2eb7c663dc

SHA512
874f789469d0b9205987f370a78478d292bd05a4df4c9425cce370de60b6e1ef864779f8f489236f96b1f5344e1dbcc79d4f44863a222081052f7911316dd681

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
e308c8a0f799a4e7e049f21cafa55b10

SHA1
3ee9fa30737ff96db60ef5d3a120d136de63e9c5

SHA256
0061f334284546e5407643a4a7d51073d724dddc203b81a26936c38f0bef08d3

SHA512
7629aceb998d521c7b0978e3bf6ecf111f145bafd7697f58a722b051ecfc36d72d68f0f41ffb36c07f086f34c4714e853dd0fa6d4d7a44b07a7a58891ad1b3d1

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
b5a170684c1df7908ffa4a1465fc5159

SHA1
237e51379838e93b7469278e2180303db8ed1d9d

SHA256
028decb40c7bc3af284e246c2b9b99c24d227420ebec0e422c9b565a34f3460c

SHA512
20aa16a24cefaa8192aaf9926a91635a9a79bcb987dd324a56362faf7ce72c27dedc73d448d47fe1ada80a433b514217fc59764c5a77b4a5bb1380afc7296a3a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
2730499fe77e5ca9b992e13ebd343783

SHA1
dff43b2e8b42fb088460a1c2701e4b0fc7120ff8

SHA256
3fe0abdd26b3e6c7b63f39f71f2633ac5e5ad3907f1213d15952d9e1acd3cc42

SHA512
c1ffe7733ba90e6195f944fef06d05a0d9e60f60faa41115968e96f6f8f4a63877dbf5fc1abe979ae6ce841dcd09b08e320c23d58246b28e13d68c7679b7d4d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
999b7ad940324fd50a3f15b426b6c5f9

SHA1
4b66f8c4a69a8577083d64e9f66805303adb0f16

SHA256
2ce891a987d7d5fb13864cce9920a627320a982361e205d7c9e6f2e4510fdd2f

SHA512
e699467d73fa8a0b0057762b04a2fc4cdbc7ed28207f35c260e767fd2e6a5cac8bb0dc384aa4e5b2085f1c3cddae15e13600371a64147fefb2a4e3b943a2c21a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
10e291fe67b7cbf12dfc4b71c5af2aeb

SHA1
0c9c82881f70f7a76521e3020d180cbe3beed4ae

SHA256
769f9c1940d481aa3c496d390afbdb39d4b767cc8733ace6c1626fdb45423551

SHA512
51954e858d8897805c4ee8b7cee71b27e448fde0746a452b6d17a3fe55ff33e6024fc9a9a87e6dbc0c2699684dd7f6a0468f956a22b749af1ad20a87f50931cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
2d5a29f3a72612772e4ba875c0eb96e9

SHA1
a6cbf1af4b8180857d18d1652ab33ea34cd24942

SHA256
b8a3873ffc4d8371001dd5e790ea4617091b8475db097ae593ef50659f1ec40a

SHA512
c6adebe3663c9cbf9f4e0b4260ddcd18eb4371b0e2fd3c308de1c1c8e5c2ebf4cb7a31a546b54df6cab1ae30738212ba62107229612655f4382f9974dcb6cbe9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
1c068df6a0ba0ff53d6360bb357adb13

SHA1
8e9d3a7bc3727d84918f9b26f4ab4d5c63b06a52

SHA256
847d38eedf77543da5b6c843ad04a8eb1d82fc5b938a0f4ad68db20bd97f5527

SHA512
a94e7e73cddb7f5edcf848704ee87549350f4b811a03e7ec70c12775fd3c72e59595550f441149d5a23fa82d75d0b7da355807c04a0f98a7c110776c4919b3d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
d88d8d87ffbcf9e0a271a4fbe0239dba

SHA1
e9a0251937e35fa46e672198a35d18af2c19e4cd

SHA256
4a8d0b928da65971d3825b30fdf22c6ccc95af5caff041c10bf2f5048ff8ce69

SHA512
8ed64cf55319c2d4182784f755fdec0b8d3c44bc1581c4969fd02ffa02e2bf92855986402face432ad457b87009885e9f41dceff3d0d158a06a83f434ea4e26c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
efb2308b62a69985f7f10e93d57e38e7

SHA1
30758d5e29f6adb1c5281a99501d49a8478f2d75

SHA256
a6e342eff16ea4d3f47d00c7411214df45610710e78fcf258e20e43d78ac3b54

SHA512
e3ff3127ebac3c43babb27b8c2bb8ad6f69fd0af26a4ede2ac1c4951abff887c394be176b1c30fa54177f141ebab164013c43f700854da2022fedb18855f1996

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
f5962a562a9e4802524d78a3ca0238aa

SHA1
4c432f6caa9bed2969d500e0e3647a93879b2a14

SHA256
751483cac01752b5e2b9aecfd6ec2d5c35d32d10da90a4e285abc6d783e24ac9

SHA512
00437b961bfe4bebb3edf8eb76f9420ca60566994c7d8efbab139cf8e25dbaf533356733478586bf7728ad599d1100945245f21c90741c9bfc87a323426f1d4a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
064ce98d2b998855368867942c97207f

SHA1
0518170fcd7c1526a5ba7e1cf39744fb62990b47

SHA256
2e89c1eb0ddd82ac45a15c5586ea8cfe2adfe44c6dad1e1b6881ecc7ce3aa271

SHA512
8165137a8f578c4e7d6735e7ba682acf67f0d4b8310adc2d101d862e82d657d1118c7e82425c3fccdcf0691dd294ed0adb632ddc6151b63886caa09ff97cd6aa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
ccbf2c338935f6344fe2ed1d98080cb1

SHA1
e4e5cedb2bc236c449e258c673940a65de957936

SHA256
de68ef73b5970b2f184d441e9d25a216b3c699f4ad3181c64f4b8a047402a6e9

SHA512
8d96e5107f91bdf67585469110229cc5465fe138c408d8d7bb02d0995c9cfc84c346bf8f3a4faf92bca552123e53fb7d7cd87e7381e589aac91a00e361e643e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
2cc646c0f3bff6e2a4325598d809f7c9

SHA1
50ddf7411e71d3366373df9052193bfdc81f1229

SHA256
9e6b5fa31970faa4b95ec3d808e97576b76d0eca9891d08ac72218ec0b47b535

SHA512
1e7613a88c4a1793c70de3b97f1aea0149524f668b8f9b708ccf29e6e9b237d6780f21617a31f39dc4d366f25d7c301d7f07eff169d045fdac940279fab30d0a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
1c717d8455774cec4d8c98677c5c4f3a

SHA1
9f6a7052d8996b9d4096b832afe9fbd57034d9ef

SHA256
2dc9d66f524dfff3f03081890519fff57d086114aeadcfd177e4628f785c48df

SHA512
597805f521d213d82a3301a648267a0a3f104377b75b218b182adf76879c1abbc6b4866301a42e57e242c933e42eb36f6eff237617fed55fe960cd17048ec1fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4c6ae79b49e276ae7c05c4864d3380b8

SHA1
295da7b2dbc725d60dd63ae8db1cb2e89c88caeb

SHA256
8687f0d30836fafb6d56a9e5e3191d8ab5649fe41f70fcedd010f15a375cef55

SHA512
2028d8912bc3240345d9586b4e2aca550487bdab73f949ca08e447d8704fe1d0686a3b99b7bee537d765c2f2e7119cf0feb34d3daf0e8a24f5495f8156088531

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
7fd480c93b10e601f8ec7ad71e4c47ad

SHA1
0ae00b54b4f8c10eea086c0e6d1defb52f7dc660

SHA256
aa65690670780dff496fa767c82cbf617609791e6750504febd5c3f88cc29c60

SHA512
0fdf7fa50a61bda2d9e93438647b7d0894c7e77859ad884476a349e5bf03f9a11f74139c04592bf84d3256bc5f41e59e93b7188f50daf543fc69cc160a6bb7d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
cf8e8769f9fff420a5ccc6cdd1e2f654

SHA1
15ba7f605c4514abeca4c53375f4c076c8fcfdfb

SHA256
770c1783398702753d802ed3ee4a739e766266a2c6fc7ac6d9d72803fc377b49

SHA512
fe54d64075f94ae41677f3b1f1a6732b497fdbcfa949f2e7adaec4efe05438a22bec1b79af91566a4776ddb0e49885e684bbcf45f569f2a8522305b4db4a56ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
c6badeb752a1e61dd864c888768a2ddb

SHA1
97f1944d0422353acae8c9826df1211bf03cfc95

SHA256
6dc12ae9cc77dcc05d7be1c254faf63f9782640bf14eb75aede536c603e7391b

SHA512
00d6b2ac64ea8dd34a95c1109558df687dd9f84dc0337b0b61b61470642485d7ae0cf70f600eac8cdf6ceb3729209ef5ff6d0849c087dd169ded478fcace5662

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
261e710bd52758394e25dd8802a2846e

SHA1
23db472c38c13ea2b13af687b476193c0f89b732

SHA256
dce668fad6f917619cc01a9c8ec818440909e713e321898554280ea85d26c13b

SHA512
7656a57148f4d0989dc93ec44a407fe7946e419015ad696b8f71461429d393531cd6968b8696ff019b50907a4ebfe21697713a7f4222255728720ec1aa115a65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
c3a6402d65a5b560869cc042f5806ff6

SHA1
d15fd3e69c4044ac9675f61aa51a9c300f1c1050

SHA256
5a40c3eaa16d4bb784cb3cea74f8f294666700642625105c436adfdae843591e

SHA512
d57b3e81b4790379d8c627a5fb063a200a7724fb8ecf002fd191b84084909dc5b20b0c67a3625431175b7ada8cb7798af13a4964f31f6d5a6b87f4a0780b1d30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
b79d120b470a8fdf10b4147cdeedfc09

SHA1
7c5a78cf2d19948006f756eb8dff6aa53173eb9a

SHA256
96eddd3162d5abbe4b3bc700b64bebb5380313b8f3f4f03597d8e07e096ab960

SHA512
f4fce29a28fb128450d92586412b5777057741e145e0025fe06240e25c5c66257e7baa3baa7e6f8db563a2b443aca16aff1fca8bc3b2a843ddee73e2350ffdda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
2f855fc21f75eaf8dd1cb5cd311e57d7

SHA1
92e12ec5de39b248ae70322dabd94704acd00367

SHA256
bfcf4c398f2575ecc3abed055af6bf25075e89ac0bbc05111e2eb9052d804f74

SHA512
f69e3da0c937f30638ec8b1d20f0d26788611726bcce78d5c004bf0e75aac5746de3a4493bee926e4d66d75ee6867d4e2259dcef272f9194b60c8e48e698156e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
e04580863d4e972c3a5727470481d746

SHA1
2e8a08f98ad3bcb573327766df691b955403742d

SHA256
0db6a30427504ef49d2ad7e57a3e0d2c888b811c37fae855a3949a409188ccc3

SHA512
908cfb0864c80b935b79374a1530ad89181687c8834c32b3865a0a311ed1e0bb81753c14021fa56cbfa3f598e9a45041385e5e204721ef6392b1c620362ac7e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
16b76abc3797272bf5c78f502ffc96f7

SHA1
5f12227ca4189b899e2cebf02e400586a85c968c

SHA256
5753ca37b8f69c51f53c9692fd770f16f448622ddc1fb820e1897105c3e9e496

SHA512
400bfe9245f99d69c0557b97e3c18d6fb8c612d83640d2030bb24013ee0a1ed3cd9169cafe0db5f89b1c9a2b5b1b419e7ca1b84b667f47fd50cb67bc195c8f4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
50b02b20846d854783073fc2deacc90c

SHA1
167dcaed835a6348c3c9ed2fbe90b182a860e9dd

SHA256
919d93f77f67bca0da7b81dffbca5b2ee600d839ef83043289803be85cdf2b62

SHA512
b0797a0add62e0fd58db9458b33a8aa45cf018fef13a0b01b55ee29b61c3b4ad2a32aed23b6542053759cabc3de42cf429596f96f83916c679c52b4fc26c6132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
7fec4e08d0f93e7228fe5fa61c76472a

SHA1
9630c532ff06e7c966657263709f8955bfa19e65

SHA256
a96ae5ecb26b17ed00add79a5314eaf382946fbcbdb38d8d06ac71e83592407b

SHA512
0da4e35bc6252585157647f3222343ef994837416f7ed4e13a5d758b545410228f7c6df226c6bcd0463e2cd2b93b67625b832c1422e7b69e79987bb8cf20213a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
cb6facd32e299e79d0c2abbbe4920fe1

SHA1
487d018c07c977d2b257b267d60e30d4130adfe9

SHA256
b5ce07ab134255343a9b6e534001c732f4218031a204aea323afb97fa4916c1e

SHA512
91168494083d0b090010c1776ab3875b5ab4c1ea9d0d418e3d31b80bc6280d2a64752f53f74eaebf65b6d4604a30fbb3b01932774417d29a20380b287ca4c19d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
86ab3c56b516429687f09b3c59f6f4a7

SHA1
b4aecce454d8d0bc5c6610103439d8022548340e

SHA256
2ebed32d749b04189e458d5ad73118cf34b9520f2ddf06d720f506e83822e3d0

SHA512
497a670d54bc25890b039a2026418ce94688701d32bb009278d1a37744c9d5b7349fde7a2433efc0d9183e02afe699710f0fc0067090db581181989432100624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
9dc2354a91d42b39ade1d23fb177a72a

SHA1
01300a85930899189081a18c4cca8fe003cdaf5c

SHA256
f62468eb6e5a872ebfc7483c8d98e54775816491c1c00d8ea5e01d860f669037

SHA512
2180e8c216323ca38f798f3f66ab72d842c80338a449afb63c2e3f95801805fc7133e733dff9232045e6341cb4724b45be67f27e9e0a4920474a98df11e2739b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
8e3771b188476ca9f4a8fbed33b8db60

SHA1
ef8070bd98baa4222a9a6239831e5774b7095663

SHA256
9419760b2f139c848a013acb30490a27d199e304fd9fcd3e657214ce53dbb00e

SHA512
400a0bc06396565653b7fe341691c82110ecb6c316b0d6fd1bd9cee5e8f906e36f1385ca4cd8d40042ef842175ca560b5fe3e758bb87a1697cd9ed567d85ea60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
c5c7eaa0952733f60ac5cc769ce9c4d2

SHA1
a9f153f1998f78ecb772cb11e56f72aaa7efaea3

SHA256
4c6b82691e8099df3185550537d612651208f711ac3208bd8855be5efbb31c90

SHA512
b3688f2b85e280bbbb1a21f22d85dace702c8411cab67c4923b8c19779339901fb8c96fed86bef31f1cb1749d3ca7c31022870c1edd05382c0c305d079c8d050

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
ff410d68b329732afcb82ec031d5193c

SHA1
b788447933e4addd5bc18f7c8c59ed07b889ef22

SHA256
9d106092c3f7231166f92a6d933eb0c3f7c54019e03cc1be6e044cc4b145500d

SHA512
82676a40293fc29f233d5aaacbe9941863e56355587160f5f21354702417ffa9d66559e8ef39006e949c1312dd1ef1d5e3996af6c342e22d9faaea17edee5790

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
01fa51db6cdd5fbe8e6f4328318f27dd

SHA1
a4736de6c95b056b6355dec30f7e59542042b8c1

SHA256
220b2ba27ea9f664e9f29e7ec9757153c27af1963742bdabe2861f78ce832f5b

SHA512
deafb96bf2b30eea4b5ccf610c399fb66329e95352fec77c9374a122a7dee6f31eabe70f2e9670393b01e8f00b1e89868474fbfeb0d028d60d5438bacba3f2b1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f9c839195b68f1e1ad1af3c41702c1f7

SHA1
a4719581f612c3d5e08223b9c908843ea2f757e7

SHA256
a41b2d9d206c06acb8c1a927943293d73d4a9886f2aaadec408823c7bbaeb371

SHA512
5bfcffcbd43341844e0ade703b656845bfafc2c945a2c19c8eb608325df1d9b421ebf479c1c87ba6561eae091577b754106a88d26e947ba37c9f5cfda4b30963

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
d50c56cd785b89b84f930a7f0f83b86c

SHA1
d15db4b45d01931cf9c37f09b6387aa5d4aaa46b

SHA256
913a244b72db405048dac9da9d6547d453358945582c6b0de778ad2be66ee6da

SHA512
774ca57b0b7162b26b9a6412d6bc54af5b6722cd6f5b01532483f65ab1623d423eda3a99a6fee9b61ce2fb373c20ca2a92120ea283a7316dffc803a40eec8319

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
65f2839a5e0d36668cacaf5a1beeddc2

SHA1
dfc49d1c53886557bcde66f23106dbdfcd860714

SHA256
e11de74c1f046cfac5fd3c7a1bb608fdfc0edfc72e113f382b78ac4dc3320617

SHA512
08a24cc26c597d75bd60aade7805eff0a7fc067049fc872eb3f6182a5ecdc3403504d1fff4fa0fb390c28f3c5578af54dd1bbcd624eedbed8db80faada3960a6

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
5553b8e17058cb292e9d257acd0eebb8

SHA1
30bed9962ce4c2b0876ee6908d8b87fec75eaf40

SHA256
20e5f61624faff4e3b77ca47bbbc187bf0e7723c9f499255867f5461f6ce0c5c

SHA512
93ca6c7622676b196e2b6dd8d62c8f95adef2282b8e1085ca1698e256897c56803d71b2fdbb3e5539d711c6055583bc73d8edf8b9fec047e0e5bea0ae45d882d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
c1b8976d103a3bbcac4894000e900ebe

SHA1
e0d7a915f853f9fe32f581c80d0a058b3c3a98fe

SHA256
6a8636983a729097c357813542667432b9b42d8d1e24e97f6fb64d815193b4f5

SHA512
62ee11740b6725eb0d9d9528dd042127c7313e73586c067cca543f7eb36421b55a309d7635856a63217d1635fa4f21a06a95801eee6ee6071ea215ea2fa3a212

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
55a5f90291e1332c5b0c4bf91c38f016

SHA1
8784bf426f65338477c48c94c6a465e8675a5795

SHA256
d01475b58a037096fc5eac0368791a102e48ff026a784f2ca6e87e84caa954bd

SHA512
785720d98675a03b4830248368355232dd5049f8702ae96fb0447682ccb689b410b779f864a0d8cfc329f8a63d7bf2923a359f6ff44bedb90b35a0b03dbcc583

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
c70579d6cf0b26d6e17994d97443854e

SHA1
a77cd6722150de52882a8f7c18c685251a8c82de

SHA256
02d015360ce560b46a3f2fb7fbb5abaf9b6f9937eb016210b0e6b4bbce20b33d

SHA512
4a17511e2e110ca98e0a67510a806f69d6ca535711b37415f0d47e628a6d6a1aea0ddc5adc8366de8f2489a077076016b963b0798142b77c36b8fa95ecb58d8d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
551b94acf9998b0b2d6d95dcd2d8ecb2

SHA1
15cc66523992935822b3bc8cc623f4b18a8bf511

SHA256
9a2f6862f29b7d39d8780d25aba8d4cb895c5c5ee21fe8ccd1883d8191998795

SHA512
61753692a97b8529ac7e514833f7bd8cf0ae2b7675081383a33aa99925a06f12082924830d280756d774ac2467496f11d544059664634d206b1facd2bcd5a62c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
b9b00a7a5cb08f9f5e6d92c70999e384

SHA1
676e21344931c25833f34208946ee3ce34339f38

SHA256
01ab3a26058e2aaeb2eaeed0ebac20dc9f55c636b36ee4fb5ea461bc6a6cea15

SHA512
19e08f7ea5c2589360106a156ef1c8f9f3047828c1f6f116908ef5511bbf1263a9aeea8ab49bd9cc580b23ab4b296f0b327ff8f40fe6b0c96be5f45a65e454eb

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
debaf1de772eb0cdf9fbbd2bce64d6e0

SHA1
8e1f19908b5cb932598d3e5013bc1cd41e8ce3f1

SHA256
4a7cc3a27f7664543d6f52c54647c5f3bf88bd259b8df1f8a029e06c3f1604cb

SHA512
f9bf3608a2f316446ce60fdcae584a37211dba2db636f565918db58a2baad814f6d9082bb7402abe885df10239ae40d1e1797440828b5a57b8d530cb9d09920b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
c122a56753d3d6c85ebc20126fb7c868

SHA1
c683429429a3e49eb38122b453c29b4b856e5b06

SHA256
ef92be8e5461c9c9d8434ec0ff27a493fafa0c0f750784e93732b5509ee7d83b

SHA512
e6f2e62d6829cc244e6b8d36eaf3faff927d8dc6b9b728b8fab0b42de1627ae3320260fca50ad5e6a96ed4c5162b7665dffc804ea492ffd9425ab9980a5acb46

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
de305f1adc973c2536eed0069a679da6

SHA1
1cb54084d42a8d48aa1bccfc300b4a06517f66f7

SHA256
e4d85c4573c68cc2f6f695d858d76441d61c67248c99ab1a3ea4c0c06952cc8c

SHA512
546ea0befa2663ae0c3beff8235d9de14288561e6649706fc37f0eeaf557cf4d9054312d6e607c3153173c4358cbce81dee299cdbd72e7a0f0775ce7836cc759

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
9b0d305767c9f68eaa9abaa337eb9890

SHA1
7f80b7261e34dbdf02adab827a8ff3c3d3033931

SHA256
21c40e47317667e176a3074c465d8f7279d8151f0f7dd3a5df47e4440edafbae

SHA512
596d4aa7fdc00227b6718b291813855486010e42c67c691795ee4563314b21433caa1e814086125f46cf57f50af1dee71edee0ca97ad247c933cbc681e3fdf29

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
75862bf6722372d65e77bfecd6243c6a

SHA1
d643a3af14528baacf9f0ad490c433f5bdffac76

SHA256
ec3aa0887fd587b712057c695357d9ae1d5fb525b0143584157746105c561f63

SHA512
20c51c8d642bf30eadd142daa6f943b9307de5bfb8c3c6aa98a01b711e5ffc1497f1d1af46776931c4a0329af7f0a3a81b5ed77b1c94305ff457317eb00ce2cb

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
918535580c02a7b693f8461c1cdd851f

SHA1
1ebc6dfc253dffbe59eec8b8c97db14884368a1c

SHA256
8d0cb2817ff892dc4be4b96caa860fd1dcbda464ef8509b44a42988345682b10

SHA512
b02f91584137b6d1c126ad096cf804b29daee18af9f0d95ee681c97e9ef4e936e17c0dfd6928b3a1864698aa1c1ac80cb2d22ca941497fb7bcfd5acb854099ea

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
e74c527304e44151032943b77072895d

SHA1
0c8ab2405339e0ade45c6f532c9495838c2a0cf2

SHA256
4536ab29bf9c05cd1cb3304374fe905fc78b73184c87c64cb6032b6fc8bd10ca

SHA512
315da0411946a711003a18e93f288a1d3f43052dd37b751aae6836ab9f988bb65ff94e273a791a60266b2bc3d27e32bc41e2d3ea78d45709ff1e37b391b5ad7c

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
20f7c207772ecdf622eabda952f69ae7

SHA1
0803718d46ef2ab6feb49c3e1fd859b51fd73baa

SHA256
339e18744035695a769518e57f946a13b2d872a56bf30dffb8ed851d42108dd4

SHA512
0f38c956cb940a1e306247875d1e9fa593a8c044111653cd21de3089a1db089f8456ac196742237529786733dbc4979dc24dd878c8ce6f4a28303442102ef328

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f9631f1e1c5963692f9dd5ba78635313

SHA1
af54e8e5310abaf40f715acce7c83679bf55cea1

SHA256
d664e9439e6c594c2a3bf248a5b8bb6ab2175060db459f81fe5170c9bfaac5ba

SHA512
9d252494197aa40234204867f4d3e93609cc70e00ba5faed00d06d09844497424aedee1a3eb05484c3cc173fa5e6393514b8d86abd249f36c1c3b12394c60026

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
826c1815f9c217c3554c45c25e909aba

SHA1
d2768e0493e23f583748c0eeedca656bf7c0551a

SHA256
8d547115da3ffbddaf0a3ea4656643943ed616727d7f23a429742ef30f397f4e

SHA512
78031c9bd89c95fa5f57f5562baac8e877ea07b5ee4d5e2b5c4d9ff17d928533c5f2795c4ab12788588f2eedd9676222dec41045aa21a46ac990352ff6407165

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
81d11675ba9b2dcc7a51a8eff796e01b

SHA1
287e69ad98906062216130c09ed0c72571c7c106

SHA256
094151f8ef1eba7420d365cc002390eebfa3bed13f85aaf576403d3442400716

SHA512
de6223f5b77835b7efd9fce0f57fd1ff55fcb3b7f93f716c4a1b0102cdac532f45672872afb63b1614bc4eb19ebd5b12cd5b7fbfff88a5359d7672b3d7d21e6d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b62f941b968f0b2e66714fbb897d15cf

SHA1
fa796d58f293aa796f90a91805a514ae37f441f0

SHA256
f714d394f8b79decd8bdb041a10b7222467b98ff29c45ae811b3de779433501f

SHA512
dfd5a0c27aa7e1dddbaa47d7e83f2975e1a793a195e74aa809bc267282dc85f8b824b7475476635c3fdd5f356a8e257c19745ea999b4b3d557ea39fa86587a80

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
fd4d1d6dc5f54af42bbcbfeb5199baf4

SHA1
96e4c89f069b1e9fe5dc87e556c1f4c051726ca9

SHA256
a2baf4b993900be2eaff1861d72777d1dbe70890077dea59b6771f4449edf03c

SHA512
0b1c3d4b3fbcf840d900aa2794025b5ce8f5890545396427dbbe8c5c8fa8f411d6db51fd3ee02d8eb039c0d1adce74cfc6e8b3669e02da3d62b9a77b53ed92a1

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
960c94b1553632e43bca9b6f64ce7d8c

SHA1
a822b35d1b75d590c9d8e860bc74ce80c737d257

SHA256
f9ff7bfafc184f98d29d6300548ccfd2a3ed794ef9df2686f3d777d4dcd58e7b

SHA512
aa9bea3c11fb1fa283703588136c134ef334f0bd5b95b8f1910194b48cd210fe968ea87f96839a273450e7c341bd654471b602f99a1abbce401216e3c0d5eef4

Download Submit
memory/692-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/916-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/916-530-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1132-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1132-522-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1132-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1316-61-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1316-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1316-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/1316-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1316-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1384-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1384-529-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1924-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1924-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1924-202-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1924-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2316-188-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2428-274-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2524-201-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2732-532-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2732-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2792-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2792-90-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2824-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3536-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3536-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3536-203-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3536-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4060-50-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4060-56-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4060-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4060-523-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4068-190-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4376-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4376-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-525-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4392-200-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4616-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4632-2-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/4632-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4632-6-0x0000000000A90000-0x0000000000AF7000-memory.dmp

Filesize
412KB

Download
memory/4632-100-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4712-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4712-75-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4712-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4712-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4712-81-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4860-276-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4860-531-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4964-134-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5116-133-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download