f9f47f043a9822b04b5fd5d40cdd2624946c90228564ccefa3f246dccabb25e4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Size

712KB
MD5

d148d068dc64cda5e104e22ae8dfb02d
SHA1

15247999b3ba9affea86fce2919d6557c172bfc8
SHA256

f9f47f043a9822b04b5fd5d40cdd2624946c90228564ccefa3f246dccabb25e4
SHA512

991e57e3c34c38bd0f2603843548326c53c6e19b78ca17e4aff3f73bb3a1a3b76bd61913b50182428967fdd293e00f1fa510a938d1b9fec5405abdf0166c0e9e
SSDEEP

12288:VtOw6BamGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:f6Bst/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3984	alg.exe
2500	DiagnosticsHub.StandardCollector.Service.exe
3744	fxssvc.exe
712	elevation_service.exe
4388	elevation_service.exe
2592	maintenanceservice.exe
4048	msdtc.exe
1928	OSE.EXE
2708	PerceptionSimulationService.exe
6128	perfhost.exe
5332	locator.exe
5808	SensorDataService.exe
4468	snmptrap.exe
3140	spectrum.exe
5824	ssh-agent.exe
5012	TieringEngineService.exe
2304	AgentService.exe
5600	vds.exe
6064	vssvc.exe
1256	wbengine.exe
4752	WmiApSrv.exe
3848	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\74cde8184a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004504b70c41b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bc3370d41b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f23fb20c41b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f52abe0c41b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dfb4c70c41b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1253a0d41b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011eb1f0d41b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004612270d41b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeAuditPrivilege	3744	fxssvc.exe
Token: SeRestorePrivilege	5012	TieringEngineService.exe
Token: SeManageVolumePrivilege	5012	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2304	AgentService.exe
Token: SeBackupPrivilege	6064	vssvc.exe
Token: SeRestorePrivilege	6064	vssvc.exe
Token: SeAuditPrivilege	6064	vssvc.exe
Token: SeBackupPrivilege	1256	wbengine.exe
Token: SeRestorePrivilege	1256	wbengine.exe
Token: SeSecurityPrivilege	1256	wbengine.exe
Token: 33	3848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3848	SearchIndexer.exe
Token: SeDebugPrivilege	4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege	4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege	4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege	4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege	4028	2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
Token: SeDebugPrivilege	3984	alg.exe
Token: SeDebugPrivilege	3984	alg.exe
Token: SeDebugPrivilege	3984	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 2828	3848	SearchIndexer.exe	110
PID 3848 wrote to memory of 2828	3848	SearchIndexer.exe	110
PID 3848 wrote to memory of 576	3848	SearchIndexer.exe	111
PID 3848 wrote to memory of 576	3848	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d148d068dc64cda5e104e22ae8dfb02d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4048

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:6128

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5332

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5808

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3140

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2828
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
89854745eb8419680fd0288f840c09ec

SHA1
59cbee0e683d51303e04026ae6616b5d5e8362fd

SHA256
15f97ea0dc662cf97a20ff64f9ef9e19425241322bb22e4befdbe357a1e7ea00

SHA512
4fbcce70ed168c2ccfdf38569d3e9469bc16ae53d94ecf68fff48c7874d448fc3e4f5ee9924dfebf52fb522a19069125f4fbd275523c4804950b599caf140bc5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ca77644d89d06811637295d6a10ff3fe

SHA1
d50c24de6eed1e4c435a55121ee1ce24a97b6512

SHA256
aee10ef95a4ca065fb32b27681b7454a518ce15866afb6610ddd4b5d79f0ca03

SHA512
8e4c6e7e1da6b57449ea1e7cb9c527ab7c85305afddfc8265749e11c8c85b641db13abaede548ddb425921518b953613bf709d0e4f3ecd572011a324bdeddb77

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0d4681ddfe91b87b1f413ae1e5e8c6e1

SHA1
23640f087b617929fd00d9ea9aace2987e4a96c7

SHA256
727bbea37ebe7d76ffd4f46f5d4b97b415555adf683986ecfe080dc6e2aec98e

SHA512
5a501bb4480e760397c70a33219754208bd68c3fbbb459b13bd6c2bd8bcb52c9bc2823389f747c7c7c2ae83a247d2ec0f10d0f9ba86ef77fc3506265fbe1c1a2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
204edbbda98fa87cca5af4b87f161bb5

SHA1
06d0cbba18e370f0b2da966f1de559c2394d8f3e

SHA256
540a37fc3cf71f4e8b227d28fe9a6c8cda6df3807bbab9a146e28504c0c5cd38

SHA512
2b380ee91871c8f897cabf43545719446819839eab6df76ffa6bb6d651b79bbceb383c39a7e89b4a71bffad5bdeb70a8185b9639fbceaf2b81dddd3ac47f0319

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4fc36fee3727df6a4d499045ba0b84fc

SHA1
5f789d61d9eba4f50dce7be3a25166a7c22bba2a

SHA256
d11a0e70ee49a8fa17b123a22375369690f4a7fece6003706b31b1dd3ae84df0

SHA512
af3ce98e3c7225fbfa036dca89cb96d336b9f2488707b5d98307b69cd9a40afa50057fbc99aadd05dd335ca58e5329a705850a660a8bd57429bdb892c5294788

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d355afca82ec7df27b9a85ccf7abd392

SHA1
9a57ec288b83d13ceb8079be19aa62e667f12608

SHA256
a8482f7ae721265efd6d8c05dbda8095bbecf8064b41842f5bc0ce67a82a6cbe

SHA512
ab9c9890f4086c6dd48663255cc3827ae8edf7618acd93ea0b2325cd582ea17ecd8803fec89d9ee1d9bde45083a558d4f191e10713b1c6ccc5d5be1a2157cf9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4a32df4105d11eaaca8249e0662a784b

SHA1
6c517605c92273fbd3a5e0d3e3cb758bcb1c87a0

SHA256
aaba99bb133231b360fb257b952265b579cb10399f3812001ae4c10827ba14a4

SHA512
2f71be8ab322ff5a051a63d93efb8f4f138a356473dd7436806938b036199434814995ff8be711dd46a734bf6be8e2f33ba507d0765bfb07ca2faef2143097d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cfa8f78f89674ddcc43b9450e93bd497

SHA1
a01cbd638feefd82dddae047006190d4537603c8

SHA256
b3f9b5d1ea4d858608fa0e324587a098a712ecb87523bab1f378e7668dce3d3f

SHA512
e7724c3d1a236644f631dd2e94c0f22d5352830b03a9eaca54fb58c9ce2f6fe93bcb2eb215ba7a22f75b912e0c9dd88a81b3cba1ba2f78e23a044be8e3c44f73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e0118a596399f85a946b26e1391d0b9f

SHA1
9675af29e607765378cb09d3fad4d3eacc6dc9d5

SHA256
a4638eceaf5f551c103ce6776e7b60979711ca66be2d7e07d228ca2a4880c5ef

SHA512
99e4b5dca14702bbb4ba2f4c5704d4bbca32077ba0eddd25990dec1995dd7cb8b9b384a7179b5bcea68d2baa7daa8946fdb054a5b6508b65a2fd6c87752edc18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0f21e6df6e6516f9093a5d3e9db1da0f

SHA1
7b94ae272e7eee97c368b7a34f5f8620d030abc4

SHA256
a38cef3dbd9bb5edbb215589a63f63e8abe357f600e3d5b59472cfa9f3514d7d

SHA512
88c52dbcd648513987ec3f1ff47cb3c9b387d702208a5368908b8860ed4a2f3ebc01cc729557a93c46a12389e63afff1e6718d4735293ec79224d9314e0b7700

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
925078d22db8fba944b47f9238ad3822

SHA1
7dcc5c93ae47f939f11a1183f371224c5702b344

SHA256
51c07d11aaa22a802d6e6480c49261229c9ee4a855fec8c6acb93fc45d1212fd

SHA512
fba4ef5862b481454af6c3fde322036a72f708ce35c22a954b12cc5a4756c3459d2e30cf2aa95c9a13de3190f489cff0d7d127adcfc4f4d8d90fe2de2f912b39

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7f2b0bbd1473c32377eb8d0e2f09edbd

SHA1
75c13f0568a5145fbc5cd141bfe117c3e7fd90d1

SHA256
4aad033d8fc119bdaf365bf4bf02d55eac65adc54ddbd698c835d8bf7b0ea2a0

SHA512
ee21133278d2934b3d8dbedd4aa55c870533994138210e07bcf90a9a3f87c187142e69fc2eef95649bf8fcd966e5e80d290afbbdfab0ffdb648ee5cb08996081

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
536788acf51dc5366c2ecf75b8861312

SHA1
531bce8a8d9a10fa70d6b5df1bce5d2e3e30df6c

SHA256
e9dfc8fc29d81bd9b200575cdf30ad0902fbf1b4541ed6c6f5e174da70493984

SHA512
924bbcb69998d2f29397688e7327313c2bd96c58f8643ae230ccc7376f2b39dc426088caff4b01c53700edc5abc79f985deeb8a04d8d61aea2ad7bb93226ae41

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
454abc4ff9faa533b82838951da04f0d

SHA1
3075a18e13c61fc3dbc5c954a6f5a17c4e987d39

SHA256
bf5619d84db38aa5d649e88724afd6252e5db5b239ae00a8327c288caa02f401

SHA512
b784a869916dc614efcc7cb32592fc5fb7f0fb333fcbf856c0e6aaa4dbabc59287fb97c300213c5b4cf0d9869c764f2e42fb4d533ba5688c0be9eab85f06f70e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b5ce7d06965c188551da1a84cfc41e68

SHA1
99c50d6a5b9653ec1a5c1a108966e85940e2aac6

SHA256
c00c20b75a5d25bd659433ae7f151184e1a83ec8094b333cb4813176f6fafd53

SHA512
2968ef23b59166df8d33899bd5a26e31f2cbec4bdfc84829a902e01ee13ef834855524459b28dae42c9316d9614d2ae1b4f99c102e43dbc6166e71778c8a9d50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e2aa176861f7a8665e23c67dd20ce4e6

SHA1
3ec85b48de69cb57a675c481cbd826102ae1dd08

SHA256
d29d72f3f2aa6c723e15afe755c66c7d84de2df3c477c0e0b8d85a6b18ea654e

SHA512
7ff094b20b201b5a40a3872e0ace85b0d9bd54c00ddfe993b21ed69635e63daede0cd9544213ca11bad3fbff7f84932ac96b2acd85d534822fd88f49461eb8cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
de645b58dd0f1c9fef530c0390a2f5a7

SHA1
34df3c41d7a06165a28122c452500e905ea616f6

SHA256
70b3c1ba14b34d107c8f1fec567597fa77211cd28f7f485807bfd1e32e2d8b30

SHA512
51ab345083d9c952cc697fb1ef1e9ef1d3a234b38bece663134080871364199d725e545c3cec00c8a9d7fcb35c32e374ae52343486777ec8052c3c36f524bc4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
414fafabe36b598f7c4352e1c7ef8021

SHA1
d821184e84d1b981feaf2d99f2ba33c13cfe846e

SHA256
9a20fc641bba723c2df4cb1568fb7bcbbdbcc7d0d4d2aa20cf534675dab71beb

SHA512
5a4b1e6410243a5c7556503f1b8efc0906c97d01b7d863d659188c72921eb4eaf85d2e5becf5867a87b903463a1fdc3b04ef3495f72303bfa44c0a8c71b1fa3c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
28badf050de6e85c1e10ff3587c8b263

SHA1
84222e46ca466110aa0c502c0f564deb06fb33be

SHA256
a81adef3efc5be2cbab2b4392195b22cbf44587af1fbe5422f53289ed9123e26

SHA512
a2ab12c7155537180857a9a58f11f2b9cf195a745407eb2f57b8cd55fd5ff3cc7d028233cc7ced0fd6d8b13888cc056e46040b9b900f1ce182dc96ce8d8ddc66

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ff64f46b74747d46f129ea927416d996

SHA1
60e332ebc1ec786a278593d70cf3d7461b39add0

SHA256
c82736d1117e14dfa8f3d56c56f2cf654b960c43f002808773f6a2b04ce755c1

SHA512
7c19b7357a02ab3a3c9000716ea7e32b8d731e4b6cea688fc9324d261bda143eeff908dddcd7eeaacf152b44d591509baf1679a16eebc11133d4081ec63a6e11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
fa000d0668164e94659a5cea7ab016a2

SHA1
20d142767984732a53c3e7813775a9b1e8304fc1

SHA256
2f6f6be35e7be9163d2cbd6ae77494e924abcd4440ba954d53f5abacdcf2cc97

SHA512
d59230a71de6061e43578aae1ee6df871436ef0bec63d9fdf37ca7b32f627d9b4ea7d4190e435077fd7b4f3862b163a81e866c0c1d0da4a06069a1430b813cd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
be69df102e7b26785dece4fd1bb6d6c9

SHA1
837de5a5cf410cdc0508de5e22633ea5fe49921f

SHA256
aee724ba100577fa4483e857f32c5ae01ff58be75774aa7cbd12b4bf4f8da01f

SHA512
830c0e659e7ba2a93ad7fddcc8ad9c4ab9c7d938f1cfd8976b579f0e37af74947c79905475853ffcc1df74eb68acc8d14bfca98fbecd7efdcab6a15d51ca1f76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ac9a840ae9303126c1f0b838b1ddf228

SHA1
dbc8464149ecde562070ed74546b3de4499cde0f

SHA256
fb7fd60859b06f33deb220ba73766a55445b72385209b48bbf16abf5169491f0

SHA512
f27474527b2009cd6f0d3543aa39215ec3507272b4b110bd119e8d1e09026868e242278e22f9f7fe5ffdb2b1e33381744336d945e7f37eced71e5c28cd2a10d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
38189f6a934b0363d4f58a2361c36e60

SHA1
fe5f9c31570fbba435f19dd57dd68f0221bb3ca9

SHA256
3eb0d242ceeabf9c20b464cc085d352ad4e691e36028ed2103b0fc0ad0e28446

SHA512
87a3cb20b2bc9103b684d4957ed105f47c50d41f8f33a702eb5c11e2031f8a23dba463056d7e7dd574c99f6d45ec6b016773ae177ef82e1b90da01706104efe1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
094f71c2d81c5c68b0277dcd1142e13e

SHA1
501959f83e3074450b7aab1b74f4311dadb7347c

SHA256
a0333e5b02ace526b61451c9e1c6e11f97b246f5f82e846741b012bcaa1a4a79

SHA512
db8e6c091da0fe6155a5a7f0c26f348fb3ad9d7919cc235f6be02f8a53d15ee9e6fb635125a156cedc5346dab4b1e20b5f2ac55a7e5f288bb9ef812c649f308f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
99141c0232c7ba6efc82367da39499fd

SHA1
5de69daafc9698f60c21214319efa4dafbf363a9

SHA256
a55807802b052990ee3c256234329ac438cb124bf627804ecaebe8c66c530eae

SHA512
5908cf2f27a5818a7b51ba4685b70aaf9ad680b66b9d61ae4cbb257262e2d0a245fa30a916360716a427cae4d9ff2810a8f8d788f67443be373727b4689a4492

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b62bfefe584afdcf619479da1ac3dd89

SHA1
7ae2a0eea0dd43a45cce832c7595b94b4dbcc664

SHA256
2edb2599171e2b4f9ac96c710cca98b374741256391d5d5a09e21bf1328f5c03

SHA512
885e6454709999aa734ef08420edef9c456addcd79dfbbcdcd7a115bc521a914c000c6eeb6606cc951f61d2d51de4d937f48915154d339b22b8c8c22ce9a751b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
1942cf9b5a55c19d5dca89fb594eedda

SHA1
3a3cce84fe833728b0dda65e42c8fca4ef76771a

SHA256
5feec29c71d6680f9967ee4414ca653d0176611f09643ba7bcbe5b4a684c13fd

SHA512
aaf1e66dec50e27ed5a3855058382a3d769a5a51b0755329d0b47c17bfc44c3614d720d11ac9553bdf15c288be5cb86a3de70ac3a072e548410012847ec0c346

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a82408bab439f4eb3ad9fb3bce21d235

SHA1
b6ecf1233a73e23040df9824d0d9d6f93a1d9ad4

SHA256
086a01c69b03241c66e240d4c494504f38a611c77d27420805290f4d3c9145c3

SHA512
f54bd7468b6e2324efc1e6225ed84ff18f30643be70b863abc4158ba85fb5328a51bce36c40c3b269dcd967da689d64eaa0e9ca7e2b6b0934c34dc84c8fb0d99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
dddd96e8bdfa171ca16e2e395ce24e64

SHA1
89bfcf5126ee82901035c2f6f68e4a7cdaf9dcf5

SHA256
da85ffcf97cb63db06906d9585f95ebbc66cea354c71b1332e8045c8a72aead5

SHA512
13de8aa9aef0efb6a974ca43a184cf1b9f6f7c1e8c1b1ae7efce5f45f3c1234a5462c9b8cd4f3eaac7272583c71a8c5c1642ef53b2e823fc82018a8a498a9b90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
75b709a9b2dabd44484c872c810f5ca8

SHA1
e3cfff38dee34e8c2680223389ee73d317a670fb

SHA256
4e597b10c5e25c6c0b323b3bf985c49dfd9241cef4efd8be182fee2587477dca

SHA512
5c8aea4b55a427b81e0ec8d172b549a3bfd6d7c03b353f218b2f250d9aa57ead241fe25e6c026599a3711457bf574c7e7173349853ad8cd61e40f2c4f3959201

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0ea5e416e4787ec22c6980ec1109dc25

SHA1
0c6cbcef8736bf7831545f21a1565128835b5e6f

SHA256
9cfe8ea7e49aa2cf4134b0ca3b9be83895aa73e57da79a65cb245bff6a526fda

SHA512
072a1efbc001b5f97fb04a3aea12b53cb6f888fddea9b1e6ce2615aa395620b0e65f37a19f01abd4a0f9ce516726c2b266fe27cf75a5b767a7fcbeed814d7f35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f0cf6bb146b4a74b728fba20cbf8f1cd

SHA1
561a3452cf24378428a16b2f1c1cfdc012a537a5

SHA256
f49abd7903d1b8092df0f357a5673f615a280e5bf11446bb59c72858870ac301

SHA512
db658c98c09bcafedbf675c0eaa3e29a41ff3bd740b5e4aba889d8bfa81d89329de43e9460f861a3b4733669aaa124ed81fb6e07223a848ddd2f984bb8161530

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e3eafdb4d5d71d5540d3cee33968bdcc

SHA1
1cfb1e7cf873baf88ff9628cc5e6f11ca770a677

SHA256
99a9d8c3d6477b64331737cba5ad48f7107dcbc571992409fc02e932ac2d3ffb

SHA512
eeee1fa53483bbccfe7abb717f7d5d5ae03a509045eaea04ac58fb1da13caf497d1cb221052c6a8aecf0f0acffb0115f3bf0eef3959e046f71d8f1f85b9b1940

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
17023a336e2a9ecba511c2a0226eeec4

SHA1
9d5b2ba37d2cc46e7058b54790f8d57e049eb162

SHA256
cc7ce32b005f52a7c8d37703fd1f684c1756c2338859ee0318ef8de331d00a6c

SHA512
7851dd902538fefed0c0a9b67838ee453110689c9b870edc603fb57466218b414417526641e39d63ea387decff76eac04693bf2f1081dd8197b013301bc12d99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5818a419b117660de0411fa5d1b025e6

SHA1
f3c37ff1a81d4bc91f606946e692c7d157ac71fc

SHA256
c3ea41840ee2a3ccac1f1893bbf146823d2c212665a5c6483b8786315bff0f73

SHA512
a8a5e3fdaa86141daaa93fda01a280e49c887ef37021f1f893736f95d20afb3d69c7ed0655068271c9178310327edf3a6299290128794ac70e806c1c1026b56d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d049483187d411a526ad94500b7ce596

SHA1
b84f2b2f752a75f5f787a67e572d158ffca233bd

SHA256
a2abb482187be43b7bb2f1529debdd0b815062fe4d9fc9aacbbaa0bc3cf85c66

SHA512
868db2d41cd095e2976c634a02acbf86961b6e59bedd9b810d09b85a6a6388cf90f6361ea2bcb327cc6e325dfda3a87440a8a48892c10d19137b3b8a96bc59a2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f08b12a82a1180526b1b0e18f5783c1d

SHA1
61afb19235387d7fece8c7da0d2c49c875cbcb2c

SHA256
4b3c8bbf1264667ec388bbfac5c61a7877e3f6191b17db92a22e419a51a954cd

SHA512
91f812cd36994d08670c500b704984dfd9c4ac7d4784c2784a99799daa1575fedf16f5b5d40feee9d90011e3fcc1a2fb2319a20f820239274ab4426fba569725

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
eb2b51e7c4f6acf8f5cfc30b0493d266

SHA1
976a76f8d72a2e0ec7da714341dedab0e4458690

SHA256
9d627a3da3d8901837468ec739b341d5fc5159ea55a9d1ef6d4d755f8013b4da

SHA512
3c10648b61e9c27e242c94e8285e334b40d7c05847188f6670dcd273362d1f757ba2b244e638b2ba1feab2b64e7eefa0b848b72678af413377980fc62048a53a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4519b0a2699d3c3f6d39efadc5a242a5

SHA1
ddd826af6cd6628b16e43382ef7d3f46650fece8

SHA256
4187f910391940ccc5714b8b5dc9f811594642ae9ee6fe57aaf34f3dade409a0

SHA512
9efa84c8e0099d14c6b6dd11e58a7a32dccf524b1bf61f983c72b6e092bd021643bbfec0384733f503e7d9186c80bf21c1f4767d060ec88ee7655fb0286af3b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9fbb58cb9d554d71da416905ff8675bb

SHA1
96158554088c68a2c5ae5c4a41b40f3823d90a7a

SHA256
61ddcb722fd5dff93f715bddaf5497f746b0e67fa6575c8a11f3cf7720f8720c

SHA512
557dc29060174063d17f110db3a52c4187d5a9f67db987178ff6e7ba3e9db1f932e6e6475f08feb83ac65efed323ce7b710158d90d8e88e8533a8c956e85342d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e1a3ec5a6ef5cb23f0f54271564dfec3

SHA1
9948a9e382ca9510992a6b6fd643ec6ea27b1c15

SHA256
bed0f846510b2422c31e14b40c8ed18a5873740412be88c53ec21dfd50cc21e2

SHA512
ac2299b6dd85c5e591dd98dac8b6b1745c1c7d18e296f8d51860d2cf835c25b5034a3e771686eacaf99a646056ba2b8c4b85321ec6a3898637fd9389cd5ad54f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3f279d9e486e19647b926e870420d741

SHA1
6d72bb7fdda98c1a08858dc3cdfa0f874cfa9a94

SHA256
1ea2b5224f0b33b93160a22adfb754bc959f92c1b45ecc308d3409eabee6eeb8

SHA512
24a2f75c526b5366895d59fe9d652bdd452c38858e1bfc83bb6483f089e069195b7c6a8cb8f9501d7e3815703eb30d9280a92078a29a9b608e29fd44dc278d0a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
36e9605434de34e31a9a610d8782cfa0

SHA1
3bcfe59bd55b80f26cd85d2e9196d2ac8bc2ef78

SHA256
afbb00a28a283f0c6e7b53a4aa00135323ec48312f8ab316a43701f2743376a4

SHA512
fd0871f5f50539824611722cbf1654c3b047cff58cd613b9a2bb4f85b95ff5e6a0a637adbc218ab7f68ff9172f07e7f577e99ef753cfb08cae5c88b439d3afa3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8f132c6c8ec47378ac16d0498ca0eb4e

SHA1
586e012efe7a6f1070df86f5561f7dcfd3edffd9

SHA256
c28bf8b5867bc609ba1210d11f723abf29826ddcabf095c570e760c96398f299

SHA512
bf071ee13c575484b3af8589d410fa4ef64b61722bbd4fdc8499b4e21fcea26153933099323f5893510ae81210569669a0a741c51bfac9cd0fca13612b030220

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9cd929764b5d0ba8af1cff27993b97eb

SHA1
16b8818faa84e0972dbb01fd7bd1d48e409c8b84

SHA256
a0171fdf6cd514433fdd587c4615dfc8921a3ffd636c589d58b47c1c3d3e68bb

SHA512
9d8869849bfbb55684df303c867514f1f7cdfd1ea3f321e53e5891e60a17c4e3ddeecbf170be9af2c7775de71ca639e7b72574e03424c405f6a62f44267694a7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
291045e2d8a6b46c4899b758d6c74c93

SHA1
4a4dd7771b2b3ad1dc4417e796f94276f5aad5ac

SHA256
92d36df3e573410bf2b82222d538a92277cae9a2e0c6e517d13e5372fa37b206

SHA512
477dd026eca705056cb6768b40ce7100ee9ed19efb0e23d9188cd991320ed84e34b1f9881425ad1fe6df0c97814f272a8618756bce8806a9ebd6c6a0b99d6f5d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f1eb24498de1a9305f22bf94df716d94

SHA1
edd29c1fa483e28ad652fb290db023fd62f2f067

SHA256
b4659112091780cc07f945694916ee401a74af4786baf2950595aa4ed60bdb4d

SHA512
3273bc137a7d9053b132a4391aab3dc56aac74947b00130be61964b1369778562a05694050b42326a5b7ee0d254dcb7151bf7edbc1255f91dae6d5690af173d8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
07eb910fc48ba69e2bc2837a36a8dc0e

SHA1
c98d7f179d3d6de1203effb5dd828745d2826752

SHA256
617069a18720311507975ba1df3def6380dad5f4c33cfb0ae2e2058048585a8d

SHA512
7d03b9146dc26b882c084e7cff7565426f6f07328703157a442ea335efaa77964bdb211827eeea863d9da156ea557bda8bb9792cbfd71b39bf65f0e77cfb8f6a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6e0f7e674ddde3b8ffd46380b5722771

SHA1
b5539b1cf43c82f8c0ac8ebf2f3d07c404a810ca

SHA256
a50edfb923940523cd2d2ff5f958b0c9a2261160c22afb834eec3fae1abc9fcc

SHA512
4ae652c6f8e064902dfca707a3efde905604d0f0bc01ed0b7ac1ecd1b896e953f6f9a7794d11361187af05208208d5a83d22c6f92cc4470dc091fc64abba4f48

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
47832288849cb1ec385ba6890b9a6847

SHA1
5457e19a9fbb8ea4dfdab075ce77f4eec090f931

SHA256
5c9af2ada4e1ddf39d1c5b04d8963596fc3787c7fd6377cd7ca6497f294620f6

SHA512
8794c57125c186e6d2943c760d1ae68572e798c2d4daa5dc0019dc7b3f8121b2ae60f658e52b43b069ecd57d8d2f2af85bae9c6b8f5ce2191ecdcac19f871033

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
85dba1d990d5a4f5e36eacaea6927eee

SHA1
42f2536fb1c8a4b7cb03307de51d4e3a837c907b

SHA256
be8c0f23cb9ea8cea6c24b756047b11f2b88c32d54245821dddd5f784555e9ed

SHA512
52a69cd1a3935b3230644a26c505430541f0d3e1c0c11202f6a0a2c742b20dff3038a17115f26238cefd71b6176a03f6dac5025ff6763e2b0af57e2b2ca125a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
02369bee56b0cd4c24269e9547838a24

SHA1
66362f4eafedcf0a2010ff4919b18f751e4cfb42

SHA256
7ec539aee66a5fe3154c60bd7f1b80ed3221af4d07736ed7453b71b1fa0ec5f1

SHA512
84f185f12ae1fdac8f07d4b6022d36d65034ec6a6653cac77e5012a3ce7fa794c2c00c141809abff3408031a6dc7f396e73af708655e395b7b49973225070233

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f8388c2c02a19f3d407a75e1820118b5

SHA1
870fbf78135308117815aa7654692ea45ff96984

SHA256
c4191bfcae4d7c774769e8737a6e169ed982ffee40c9a4f83706ad744ba34038

SHA512
cc37611979d7acb6614e3c9aa6f7337fa107a068c81d69adf24532710418af9803601a73fc1128ba617f6afa083b8caed078b91eb88955d8d4816e6398fd9f52

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c7b058b87fbfa1d2f3e2f0525709657a

SHA1
d22aeb21bde7b782a8cf4a889867c7a922c063e0

SHA256
2e88a6835718c2096a951be5a333d9de4566d4eace14384aa6ed50b35ba23a21

SHA512
bb73e7d13744c5579992f3e4f72531beb22399b016fd1907d2f9255aef9679447a698f8737b541abdab97ccb2d8e6c806ac03e8d323933db3f555c5aea4f05db

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
257ed2837a37dfa6e8588e740f96b908

SHA1
bcba84c1fd2b984044b2d671445709f1b25063c0

SHA256
98cf8120656c2f2593a0c8d6071ea6f226ef3f7748371ac6740c53c11c54edad

SHA512
4f7f3aabc1cfb363089725cc6908c7286855abae82a22ca17bb4612956ae3fc2b84794a2fcda5d9baf13514625b47dde578dcecd7c5c1d4f8f09c7ab6a13aba1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
706abd45b18ffcfa00fed039cee8177b

SHA1
66be30b1db8318438ab49afbf2c04626aa3d958d

SHA256
cca6ca5bff72933d31f75f4b797475e869e447e2e68173b3ae70cae7a8b856f3

SHA512
2ebe0286519d33eae4f194a4831877bc087a64f63dde389a90d4c7c56a78e516647a3b30d6edf402855c0fac73e1eb9728ae082b0d21c7f446a4d0a6f800ebdc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
65765a4e8f7ab280f0a47ef15cc382c9

SHA1
bd474ca8de17a65283e3e6eea63c8398c36e851a

SHA256
559ef64024fbd9699d372fb185b6244ac6b19394d4a06d6b0b50d4da5a9fcf60

SHA512
ff58288019f447a887fb7d023b1fc65aa1be0c4d4367980cfd5c7431a72385c1ea7080ec7902bfa946a9791c09069e17ac693dbc66da73d89ca69bae70dcf3c4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
989e485ba10e87e57b799f0a0552929a

SHA1
57135809846a55a4f1f8833152592cc05566aef8

SHA256
22d770df31072673505e89bd1e6a8fa9d37e7d5c7abe22cf77bfec39715bc475

SHA512
b4e69206bf86815c1ff6be9e2c8c8c242984286a98b6b8a6c478492d68afbebf4909a9dfd5ca79e0f865fdb7ad2cc75ed42e58eebaa7ef58692f31c0b511d4b5

Download Submit
memory/712-184-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/712-56-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/712-50-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/712-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1256-523-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1256-259-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1928-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1928-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2304-225-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2304-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2500-36-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/2500-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2500-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2500-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2500-131-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/2592-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2592-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2592-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2592-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2592-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2708-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3140-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3140-475-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3744-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3744-62-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/3744-38-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3744-44-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3744-47-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/3744-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3744-60-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3848-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3848-525-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3984-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3984-130-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/3984-124-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3984-21-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/3984-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3984-18-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4028-1-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4028-8-0x00007FF8E3930000-0x00007FF8E3B25000-memory.dmp

Filesize
2.0MB

Download
memory/4028-6-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4028-85-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4028-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4048-212-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4048-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4048-93-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4388-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4388-189-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4388-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4388-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4468-174-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4468-441-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4752-524-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4752-270-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5012-484-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5012-209-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5332-151-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5600-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5600-485-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5808-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5808-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5808-483-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5824-198-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5824-480-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/6064-520-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6064-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/6128-132-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/6128-250-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download