d1320fc02f47c59a0296226aa3e25a14dd3cf59aa6227def93d6778d4fba8eaf

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Size

712KB
MD5

028cea839db7f7d8c04ebf984741ac2d
SHA1

0775cbee7198d8db7fba48c847897b1ce2f66ec4
SHA256

d1320fc02f47c59a0296226aa3e25a14dd3cf59aa6227def93d6778d4fba8eaf
SHA512

cae59ac53f0dce0045fd5651debdd19a108a48c79af6251739b35c2e7037e0ce2de44861e4748c4955d3dde1d482d55ee1256eb67fb5698c662b0c3fb73a5a29
SSDEEP

12288:etOw6Baz3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:w6BWV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4848	alg.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
4128	fxssvc.exe
1336	elevation_service.exe
752	elevation_service.exe
3544	maintenanceservice.exe
3684	msdtc.exe
2192	OSE.EXE
864	PerceptionSimulationService.exe
2108	perfhost.exe
1628	locator.exe
3532	SensorDataService.exe
1732	snmptrap.exe
4780	spectrum.exe
728	ssh-agent.exe
1912	TieringEngineService.exe
4624	AgentService.exe
4964	vds.exe
3544	vssvc.exe
4588	wbengine.exe
3640	WmiApSrv.exe
1384	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3f1bb6921ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3aaf0bd85b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a9e07bf85b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007444bbe85b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfe148be85b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef1d25be85b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0a696b785b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024ba41be85b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000948170b785b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fc0c5bd85b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Token: SeAuditPrivilege	4128	fxssvc.exe
Token: SeRestorePrivilege	1912	TieringEngineService.exe
Token: SeManageVolumePrivilege	1912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4624	AgentService.exe
Token: SeBackupPrivilege	3544	vssvc.exe
Token: SeRestorePrivilege	3544	vssvc.exe
Token: SeAuditPrivilege	3544	vssvc.exe
Token: SeBackupPrivilege	4588	wbengine.exe
Token: SeRestorePrivilege	4588	wbengine.exe
Token: SeSecurityPrivilege	4588	wbengine.exe
Token: 33	1384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeDebugPrivilege	4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Token: SeDebugPrivilege	4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Token: SeDebugPrivilege	4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Token: SeDebugPrivilege	4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Token: SeDebugPrivilege	4224	2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
Token: SeDebugPrivilege	4848	alg.exe
Token: SeDebugPrivilege	4848	alg.exe
Token: SeDebugPrivilege	4848	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4680	1384	SearchIndexer.exe	111
PID 1384 wrote to memory of 4680	1384	SearchIndexer.exe	111
PID 1384 wrote to memory of 4396	1384	SearchIndexer.exe	112
PID 1384 wrote to memory of 4396	1384	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_028cea839db7f7d8c04ebf984741ac2d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:824

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3684

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4424

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f65b51fbb20fdf61a59dad393cfc2d6d

SHA1
f5518c94547dd64de4e3218b3eb31fd3686b3aee

SHA256
7ec15a85bec9a90030e3d2b027e4ad2d4d409b55660af11a8c70f2b3d50c587e

SHA512
328cb9a85222ef62cc4440aa37487ca024a36ec9e2f1d1b650505c95c3102ef2d692b08cb16c83d869ee50d477b15efa775d57f8371fa6635ff2db903d208cd7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cfd8a4c4892d02b1bb2c7e40f7555b01

SHA1
cb67df5a2a10ffc5a346c8732253481391a8560b

SHA256
2e5e7b90e0b1072f9a790537fe323a74ac7062841a384292e91a4844a00a57f8

SHA512
a8361ebdff63a9af19dde1f16bf4722b6f22c01a04f7ac4cdda9cf40da8b61cdc1e3385182e12df4b3f02df09161855d363f1ef217dd27a8d66b36d92feaa514

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8343883c38f63739a3de706e658e0e3a

SHA1
0a8c4f7551602ced00bf124857e93a2b811be178

SHA256
426636c0bc7749a3a639885e51fbd09f691fd29f993b48b15c6142aedfbc7003

SHA512
9222456de49d7f1282e4f6526f2a0936310a85e4a6383e91797f2dd7a2e7ea0a3ffb565bd51995aa475aba2bb8fafbf13f1e39d016e724aa8114df26cba079a9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2c9c0622f204c1faca9df46befdc4c4c

SHA1
df0eb1f5ece564c1b07bca140dab4c51b647332f

SHA256
b13cc702b4e4c1a449772b166c6c2f4bbc59064ad60c66f7aa65ca5bf7197a0e

SHA512
7f2a0cbe5c5dcd3e5ff37ebcb4e63d7caca2c12eee935aa0b511ef1fb41b9c56672cc6d81a3bf9839cf31c19b13a764e6516e7957d1e88f1f518480257fff368

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a69483ab04460d2cbb4514d47c87b063

SHA1
7a9e98d13777d7475114f255ddc43e8613631f9d

SHA256
38e96858399110c3f9e147389f248dbb7c4209b82685ac583e1839b231e9d861

SHA512
b19970bdc636c84718ea20be10ec68fc5c78b2563f50bc7a83300f1a2d0b7b1f818aa673426b2d81ebb5cc65787c3dffb5327fc3f29a97386f152940342316ed

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
74a3da72c1811f32ea99f40a8c7c4267

SHA1
502b8fa8470ae4ac3e953b0fc0093ee6cfa11eb3

SHA256
7c7e94ca314f85e7d303ba4da64d15afad90c9e6dbd402be3fbaf2378d52fe86

SHA512
b392f164bef75de4197b1fb547f35b4f1ecd2be41f084052909ec02453e2dee91e86c2f1669e041ff434f2c231aec07ea2deae851d86e6d5ac1c967fa94756f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8c561d8fbfe4670ca3839962b03f589f

SHA1
7ea9569964c377565db2bb71830b1c296ce6975a

SHA256
0ad5ab733c2d17e62b257b01e26319a59f83d4ab3124a4c200444b1d4871e4c4

SHA512
1ba7e5fb2a5e4c3b502dc9fd5bb43818d9bfb52becb71af62e1e49d8f8391e57a57cfeb84ebc14e8e6eb5904d6662aca8556ebcf70f666ee6904e7937355138b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
723e72e87ca193ad8bba19160d2c295f

SHA1
1a000efc2d62eda4ac617dfe42b5f09f343e4b33

SHA256
b7d8f46cd7d5be04f37a780980e08829e72d71b080594342bf0d6eb214dd271a

SHA512
df32a7b90aa5500cdc5f96f70ea481007f3af0a3d83a1c1d3f86c88e60b6918d1fba4388c76e1088b8be909c0cd7620efa8c58571e913de0d7692f380582b6f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
71de7eddbcd7a8fb74b8c6633a81d2c9

SHA1
6983c3f7eb22af161c281c7de6ec58faba005280

SHA256
9611240d4b198b44527fa2da4c9b4ee88618864aab48005968711db504b184da

SHA512
2ff72abcb056c4d749bd7ece12d22341b5fe78ed7ef585f7b23a512080e6098cd03147b0986c8415e3618d60cc4a97cf28f4d856adceb4d76844942021b7d38b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7a5927249908f0ae7c64c8c6efd56ff1

SHA1
8914cf3e143174b3890ff216801ab9a442132957

SHA256
196114da918aa8df61cdf11e86d89a3f5f28d2f8569eaaeba45a6dbd6610138e

SHA512
cd3c2f612d297dd6244df195b7b764b2ebff42d629f0b5618c6fb6f34cd3bbdbf995d989ceb04155c1ec39755e845aaaf5b53f9d7558ac5b55ea8153854b37d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7eee1892c15bbf23c5854db74868df9f

SHA1
4da6507fc3b3ed93509ace64c43176df972e7a23

SHA256
56e2b5e293d96495f7362cbe8900b21802a82378537835c764a08e6ed3ec8148

SHA512
7cd4bf7d37eb5f079b291771b389c90ddef77bd90b9d46a859b2e014f2ca44115e9f829c08c09914d7ad3c6228a0b54b5581d75dd5cfc19a82c6a8df717c7767

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1ad372ff9fc1e07fad77836fb896777e

SHA1
b9688cadf1dca65a586012888168344ab191a352

SHA256
ac40dc6223127bd8a6904625fe708ee5ff743f9322f13c2aa64f52c91f18eeeb

SHA512
76ddb92a66335ca66ded7d4ccb895812447219d935f7020f3137ff2abf1431232481e7cbe0867784afbf1603198ddbc1876a96ca4665b236e9206441139b185b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f6d3211d51131559262ca28526e679b0

SHA1
d9498efb12dce9a11822a3c85cfd4756d5812111

SHA256
d08bb2d318d98ada844be1b9b471f0395aec38240f8b1629dd6c0cd97c980fc7

SHA512
0560512934fbd3e6e5e84ff528e7b06f028bd509d32570254c07ddec849a9a2662fbbcf93c2b0c6a31cb0e35ef7e13ab8fdc961e380b6b1c863864e4d337ccdc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
079c43c9cf02e1557244d69177acbb99

SHA1
c20c466b25063acabdf5900d2865e925954bbc19

SHA256
8a1eab5734668f7ee6f287f6c8ca969ef8b21b94e5e30b7048c79fc6ca89149a

SHA512
79f75dad59e357e6352285a0dc5b81a7eb3dd568532a5f360fc1647f70f75250712fb4dbc59f0746ab5efb51608ebb6dbcedfda41ffdd13b59c86d9bcb5bece7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
56ee52617cfe3f824ea337be43ab0b13

SHA1
1ac0963d96b0cb64b8ca9471cabbb1c95fdc3a45

SHA256
0a6de4d4e48e0b28209f6414ddfca243b7bef43adc7438e5050f19e907399dfc

SHA512
0f0cb100ce1bc4be92f9983d5e676ee6f957086b65d2a499ac6e7dc0962535d39e2758b3fbf40bdaded6353d58d7d2d82dba9305faa4e0d0125bf6ffe82c03a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f276c36878be6fdf9aaf384b8d52da84

SHA1
6e8fdc7402a89153d3c0daf3cc884d6887c2c5a5

SHA256
6b877b2ba9a68d7031ee2728e9ad68fbe92d50ea84b9e1007a6d43d38c9e4eb6

SHA512
bdaa090ae6c5e4a585fbd30ce5cde3c4abba2ea8f24fb15cc12678c7d35fcd24ae9cad7c0ed21a7a74279b7c1ac64f63eba3172a5321ef9ca2f5feb0bbae6243

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1179add6ab6aa7e80d487e6cb881f736

SHA1
ef490d81c82d657b9188c782a5fbe3e857993186

SHA256
44938db1033830c443b79a95ae114cb7b53c1f21c1b735920551cff24624a366

SHA512
e0e52d2fb69c5ce6a64311ce1f59d1de46d6c496f2e2ce6af4539fc75a897317072a1a1fc99a0792faf464db7c4def1fa9babe9f94e669251507f36d6a441e35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0a6a6a9e0f24b0edd25f8213a153765c

SHA1
b1552b48b91601595822e6f86437a10465f08318

SHA256
f743c9a3275222933d517db7be353cebfa276cfc6215301ad90389a3ab20865f

SHA512
f2f3a3127ee6540e000c71652379e175df8ffbf23d599109bae488c46c8ab22437baf478f59eef7e487a5ccaf627e5722406e38dd443bd267ce5b905eed229b5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
761b9ec36d87a8568df3c30003533f52

SHA1
fcfe80d7f06053baabe65887c5bb3a49a4b57f41

SHA256
4b23c608fbe5ad9ce1b2a1165b69e7f7bb544372f3410c3be895d1be488075d6

SHA512
bf6ffcd869fe25e629996fd6615c32d765169a03d58486c5c55bd69bcb8dfbbcf1893c26fa7b92f9fddb04593a579d2173cb354763a52bbb8256a1a24889c19a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
01ea1d4db3d0f305f9246beb631e5dc4

SHA1
f1798257ee25bb64982081e9d18af75b46fe34b8

SHA256
663a09a3406bc0e53f3a9a9d167e5a4c3ca2f79cf1388b70bf5b8440fca146d8

SHA512
d6691e37666e1a6280ffd731aa72bbcb2ba197fcbb9f66a8d83c21d9bb286ea128e7c6e32200cea1ff444eea1d57d8e5ebe73f12c134eed9d30b91d4911508e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ef9928a7aef867649c03e269278f5e6a

SHA1
35841dbf522477eeef192b0fc7dc652a78754c0c

SHA256
d88cbd7444940d6384f8145da4c8890037bc074e9c8ce4f36b89424fc8985287

SHA512
e054ed04b9ce56b0167f0f03bcb2f92daeb8729579c92f4b8bdbfaf155c3147185a55712dfa7ed074f63307e52c93f8d79334599754e9a9257e0c7c0a3c2ec48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
c9f0098eb06f8172643aaab1d9f04143

SHA1
4c303bc1e28efc8c484481887d12a717500b1bb7

SHA256
93dee368416c5b2ed750da1b239263799f1fecbb0acd4e5ceaae59c85479550f

SHA512
748e5f7daab45b70f74fbe0d950fd3e97a7e77db5b3268c713a7fd51351824bd18a7576ec4e7587697103cccac6574d9402790965f3d2bb9d077f44e1d1a6222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1326208591cbf5fe870549e98be19cc1

SHA1
c3d9db46e3b3cd37a9c55ea78a5e934fad37ae6f

SHA256
12ad37fba4827d5f4a0554491f9a104d1ce58ea6fad4814ab0636d9ea240cdf7

SHA512
80262e4163b39554582ee7b60f53aec89c20b7182833a8161035f68f039151f5bcb572afb3c90e48f3ee75a2308e5d2180ca630d8ec54deb17acc2e65b22675b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
61301cc4dc8446a26e3c525eee354e9d

SHA1
87bca2b20aee345d0a6970f81e22ae93871dccbb

SHA256
e87e0bf5a3c080ec813814423d3aeb03e5e77e76a3d2b4afe27e29a659685ff9

SHA512
97aedecf514cb0d35ea7e047055bc4ecdcdfa4f935793870dc67deeb9c0f4f86d3a4be5840769840c7f0082e990f9c55258703e02781a8128eafb2c6d0ddabe0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d2995f8dc2f49e3506ab4c0ecbe216e2

SHA1
f91e07ab2e39c823f0eafa418ee911b6d0309191

SHA256
fcbd323a062b55795774b5113516d03f468c82b03dc04289816578ceb19fb6f5

SHA512
c6bd10fd718d138366d277d52167a089792921d0a06b64c2e4384c13c6e47848735c6d8f053318f2d1df53c8387446093f4c896d8679456db7d71429c6cd0330

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
867bf2e08bb4c9ca24f9c7072149bd53

SHA1
27f75ced7195d12c1ed3ed3645243914d7e73c5b

SHA256
a1dff39f94f26ff21c0f6d01c63745046ba20d4101d7dd786f56d12ef306bd71

SHA512
31826d7f8a6c507db2d31ca8c21119014b5620cd44b29d49817b7737ee1930b42a525bec70bed343d802ec8a279f2f583fb91635a1d1e44eb53daf1a1fd69f0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a54b60caabb978f30ee0c9618901bfe6

SHA1
7e139de0001116206e2f3af4ecc38979cfbbd179

SHA256
1e07f11a429831649aabf77f93842698c6eca9bdcd1d18f01e16d392060d22ce

SHA512
b766959451ae6be08800e339392f03dc0b8ea538fa7b03df6c6e559084ef281a1b8938107fcf7f952b733e89e68f8e42a0483c7b824169e2b2d3b1c4b1b17e9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b83dbd15a330e8023967749e0892b185

SHA1
2cd0e9acf9afb12023f5604af582f55fe91c2689

SHA256
a257ad15f0ca82cc51b06c85ad59fd839668d1c6e6fba74fc5a603c4b17cbd6b

SHA512
c1a143085dcdf4f75297b096fb05acad3312104e53488439b3851eb2d6cd15e6bac77d2ba9b8ff15e1f76ee5625bda8fc49aec8cf721b3c58e48d6d6b0362ebe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
27dc077c547a84be002cee801fbe598e

SHA1
e03da47a84cdf8252009831da80ca5e802c2b64a

SHA256
4f91d74a130c26100c278780909f2a1434e2357711aae8d7437a871adb02a7e7

SHA512
64a4489208f39f6a2f4ac0474165a3aacb433a72aede14d3c8cc93ddd32dd280526c8f40aa7ccf9575162d4d647463f7440ce771273d49756dbc310bf7362c47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
31b2d0acc066c4155c7f77a3af5a14a2

SHA1
e57c11dac912b250817e239a1d95f7ef5c1c9e93

SHA256
caaa6a86d64107ebca2ff586462b7d6476ec6019edde975b7c21a9cc0e3975f7

SHA512
60a7edff15a81c8698bf3769556c7f9cf00c5391fccef113316bfb2cb24cadb3ed7d9792332a72968909a62eaa6f67594b93c066ae01d3e2a2ed9975742eecbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0e0a2af3a2011133b4b54600719ef1bc

SHA1
c25b855740250703fc9ae186a0a30afbc1ff1877

SHA256
f9f70097dba75eaf31eb231b210617d93b793786b8226d27f7d954ac7d2cbd7c

SHA512
788427d4d947b7ff90c42d87fd30c84df3a5b9eb35e43d2a443ecf43902ac4a9c4c8528e4e1bb979ee5098094c2743b1d3f0d32882ed7dbd91f34d2699c064a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b2fc828b02720f76a516166f086a87e6

SHA1
eca2349944b41feb985fcc04e2043932151c2e00

SHA256
a58e57cb4a9f37b2ea03f78936a558ebba50f56e5469e902a33a850cf02ae271

SHA512
1791758f34c63c8210b56d5bad623f3f27aa6ab28241ad2cd6b2dff55b5a7b3d24c4fd139e168e7b4166ff02f8e71ce05df55adebd99f04e80fc780b038e93d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7c038ad65cd6a61cc26e3aa6ca6a6b4d

SHA1
43e7f05dfa7cd45088238d093c9ac1ce00a4e0db

SHA256
101c0389551a7ec6f217244e7bf1ba2a4973f1ed69ac72d340fdb5b0a29935ed

SHA512
ca0c0f9f2ae7e05d1dd0f0c0fa4e3f04a71bcf9cac6aa84aec327c8564c177538288a9a06d3f3f6ebb0999168ec0ac864b556a6111fc2b4d8b525e0c77965374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
251fc3c04b98e0d1c287d22261746a4c

SHA1
8bb87b2d9f491c90d41cbb54a900d8d32669e21c

SHA256
afaef53fd0e591507f3cd8f4c83703f07a7d922929466bb52fb1516b2945af52

SHA512
0a26ed36d661eb5b208d678e26466fe1910ab62702f9dcf3f88f88199148b9c15e441114da9df01c5129ac7b5ec30098555f6c3fa7e0ea7104721f7cafcb8be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
29c247e267e23544f3b42f3312e1b24e

SHA1
8efc625614088efd785b0695e583efbacd8762b0

SHA256
ad7ba16c52c4066d9cc3c717839f4118c6c5240c8457e0f76eebe0d7e5e7176a

SHA512
e1f14dc5c9c69a35847e9a88682b1d4f0e6aa3ad1903ab2fd54411245b96041f47822a4503047755c62a03073f12b84791b8e822c1d9386363e184c1add2873c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f9ad75c2f34544ac967f68c4b4a373ff

SHA1
7772dbf3edcfe2e820d04079b83a3fbdfa727da3

SHA256
1e7465aab936ee85810a6cca51eff1e78749e1c5b18226f35a4a268953ccfe09

SHA512
9c56f325c8cd7c81a537020bd2da7b8041818e3b765bfdb370624a1df26dcf29d15cc331fc8246799afd793775c76e8e601be84551e6a2d4d251ee1a47b12280

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
303069edc0bf3a5682799ac903bda250

SHA1
56bcecb014436e86d2419c1d177a09ec429ec3ca

SHA256
f854123f0d373daf73ad2c6d3241f5452f0e366d7d513aace7f7dae88291ff39

SHA512
3a48490912f8970955ab4ae5019fb49198c9540eef9bfad4020f94ef0874039126e19707c90f1f8d2d82ebdf579b3c91ab01ef8d7aedcdece6083a238d251687

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f689c5041c5f1ed76e1d3be73a52fc12

SHA1
4667237fcdc325591bc9d242f0613cef722287de

SHA256
f8efe7f40acc3be05bb281cec7057e48db2b6e90737a0ce84b314af05cf4da9a

SHA512
5ed7d9933367e59d46cfef37e071dfd8572d32131f19353045d0022fb550a8e8111cdef414d33d06519ece85ab2ee173ee7c09c9731e0a5fc31beeb95691ae85

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8b2c7a0d736cc3eb06e43ef892168b7d

SHA1
84f65b6697576d4f820c9632df556d3827ebea48

SHA256
db41486be1fb6ead50c68b36d54fbd41997fbc181e7b81dfa75acd2c22a72830

SHA512
171d1be37950f7eee9801bc0d786772ab1f66b07e5edfb21608de13f097887802229098d33801e35b15c11f50455155ad30dc94cb84c9ee87c1d3a7b9e35b29a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
51d8f302a0c8719faa1238b1cf0ad860

SHA1
b63f242ef779c07e35ea4f9d4a3e94c0f9a27412

SHA256
81ccbe884b76d06b1daa5694f9913010e552e54eb052ace81baa05e49770678c

SHA512
c3242ee2b04e89ce0d850488ddf8257959aa901043904428458cf42c743d8b31b81baf1404dbcd15cd8e71d57a075de22d6bba74af92dc74009be2c5aa90da72

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c323e0930840ab948f6211cfca4a19ff

SHA1
0e301e7279a1e8568e0a8e57084e1386677cd42c

SHA256
248c690fa4992eb8fa9291b9b504852cf564d960699731d6585e1ab68375828c

SHA512
53829bb6519635b18d3bc8acdbc27bb11c2401d0b5eee54e1c2e5c78ee6a00e40a561d5d3c2f42ec27c37fbf86518e37371bc5712337c161ab3f3e4f9370f3b4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b09132614b602b58e77a88bfed74dfd8

SHA1
37ecb69e1276b52151a4dfab411b7b1a7eee3e1b

SHA256
6e2e6fb98703d40792b38b82e77cc6a739d78a6da3600e28223726f9ba0afda5

SHA512
ded97ec91b0513233fd33b14b13057df8a9f98b3ed324a76d66edefd0efba1099df6ec02b35244d14c165d3b661fcf8b4798c35d051453f51471d98440599d8f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
80403d8b3cb4a3db129b1752a7445d54

SHA1
9663f3672f7afec05d6822e463461edb72f290e5

SHA256
74088b066e8198c75faee2eaa3397ad09ba1bd1d955637f58417b817e066fee4

SHA512
35fb8cd570d16b0396e91b35dc65afaba4b8cce69d1978f07262543d58e43b09cda15e3c256d5a3f53a32a759ea54d8ccf3b23c7e85d96bba33972c35a4e7efb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f03c42a62e5a92dc5ab2fc1f35992b7c

SHA1
15da476c4871bbd261c1bda3e8549687361477ab

SHA256
21527a6813ace196e526320f725cf2e2d2d3c3bad7a52fb7d6af71e46f9fbd91

SHA512
655fc499766d531cd50c5f4eeed39616ecc437437d7698b57e5a1d675bbd0b0d9096e65f84eae9f5bc419a2e67a215d50fec0ca1ade40c061ef83b1bbad7a8cf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b9b0edbdd4d7bc4fd2b4f7c907dda2fc

SHA1
3a904fe8afa80e967099e8756e6ee0c9cd9f683f

SHA256
f39622a47f8c81f11d968acb7f04a8d7f168e4747fca04d7f193f269a9f13be4

SHA512
6798f5d2a7b6e234fed4de61de2cb707790c528db93e9af6d94d69382498fa3421bbec104242bb1f7c3cad7b02ff113f331000a17cce7e838debe1f3af8407f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
07ae4b741acd9bc19cbf1c89d091d346

SHA1
69bdeae38c5a9ee4d01b7152a0e46b1ac492dfd0

SHA256
664ed53150d66055fcbb48936d387c05c14079b72eb22b9239db84cfd044d55d

SHA512
89172120d67ec4d97b85ee2d6ac9094ba3f9ea343d0de25190360f2caf32993371d8d682cbddb02b640ab4808f104c2c299d42310b1e11c7621aafb1ca8d2846

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fc87fcbb43b8ce4f3baa3d310849772b

SHA1
6c9d0ae3cb0e337ca4e81205f7cfbe2a24002e38

SHA256
8a7adaf97d70a3cdec3238e7eb46378d49579d6c66e13ca2f0ae812b7b87e057

SHA512
0f10e2a78589c8cc0d01ddd38020397ad3a7a09b2fd4788fc19b70b8ebfe392199c9a0b22942d437b421c1b9c3fdad3bbce7148e68037f44cbcb2a1989677fe1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c3d434b7ee7e281457eab0e0e021b929

SHA1
7f52f69aa56e643ad63638bcadcb6eaee1e615e8

SHA256
466f2ca8afba6849c44f1dec66da76dd4e6bb60578a76e4bc88ed643f25d98f7

SHA512
1047a941a45fa3eaed7895aadf01132c80668664e300524c4480ab0ecb9dc4e7231acdea88bc2c608ce535b24006acde91f29bb703516d9fde2c45617be62f62

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fa441897f7d6f26122e29e20c65860a2

SHA1
e7daf543b543bc897a4bf947c23c8be64683af00

SHA256
80aad187486ad8c336882101c93d317c9b993d1db8012fa87b8e8f10d3cc17ce

SHA512
4a494c6fd3788a48ffa939bba4cbd407029271d316325ecfb8a70189b0d1c180b8b00632789f3732190507e08ec73ff9ef1f12b4ba7c73d77b39e47f621c66ea

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c09b8ede9ea9425466545949091923e1

SHA1
2d8d38e618bf2611693bcdb5a2ca8388d00cac8d

SHA256
0cc73aaca3b721f92f47b3be51d48718ec7116a20a552634acd46df67fcde696

SHA512
84ba79b1ca0ee20fc21a4cd6f2b44c0e704bc03675098bac8233e9d1d6e29f9528af5401b549ebe62b5417cc1e7b85c96a85391d366439bd564d61c13131b663

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f18761be5ecee4fd2470f4b1256a5ec5

SHA1
c68064f5add3fabbe1183ca7b88bb8ff8f62c5d0

SHA256
2fc668e13f168b52724c39f09bb33318c9a1704ad6c12f64c65f823f40455985

SHA512
310cbbdc65a54c6d74511400f49d1eced3012bb760f3c1dc21c3b46f3b34271582e4bef57bf9c1fe4ca24602088e16276a408e7f898018cb8be16ee75240eda9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8fb5354ae3d611931c94106d2caf828d

SHA1
c1b2e00132ec5fc081c44ca56c0afd190f58dd82

SHA256
d148321d045006ed8f58bf0f992fc62529ebc47e6b5e0734c6797204c953d377

SHA512
5d7e7522fc63be4f33b4eec8af7e5ca3cb15e544ecd8a6c2c22d9e1f513a303c56d2e22413ae3dcb37af1206f4d4f1dff0811353776249da39d814e2d6f209ed

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e53e5a9c94132dcc91d6f4d1f2dda454

SHA1
55965e678415ce394cb36600781883909a5bfd31

SHA256
5faae4e9345b3624300be8ee0de948f869c2d2795b7a09748a3fcea852f475d1

SHA512
604f3622cb25e3953abbd7fae61908cfb18ad0c5fbf5228725472cc6def8a67b43df37408f341cf2cf47584d62ed1d4185f6a9055c26b6368561a28e134c59cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c9701adab557020fe04c81d0cd481def

SHA1
c17dbc31a4624645b3b2733971df8d32333522f7

SHA256
d99fbc9cb5394a5b34b58bfdaa5d15ee832291c00e6b3ee736de51e21289a7dd

SHA512
dbd297703e872862c4bedd356614842b08d62bffb952814352cd6496481f3560e9763d72b64f710dd67b9114241f42defa9954dd14df6231af5f997077215b32

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b13be28577fa9326cc43d2ecc2234473

SHA1
266a95aa7c6579ec93cb0ff11c385e22896d1a66

SHA256
b1226d3d98875641d1c94d2af324be2f6cc9f19a228d8f9a0374c0fbf80129b1

SHA512
628737e227d240912214b100d3adf8f4660de92d6241330a9a39f36077e0834e579da23dd8fa4a03f8310fc4ef4c3190134a6f972fe52e8167e53c97bd792384

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d13a5ae91a6f3f9a5e1e2e11af0ca3c4

SHA1
84d7d927b3eaf2f26e562c7d4c6d8e6d96ad16c2

SHA256
f38056847eddf00eb40073224e1fcbcf1025ad14d9788614295414e9ea4dd374

SHA512
a3dfa40549e91a4ee75f05e6c6f24a95651c21c84b5699fd5c052f8e2f4ca397221d72f896047acfda4207d0f70d872f3d1f4df82ec5612640f18e70bf5b9da0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b6042d5a0ce3eccbecd3e8dd30cc2e10

SHA1
b922fcb13168ab4eb6816ac9f531ba5ca51c5309

SHA256
f4136ab281fce2bd3e1b578d6129572d42e1360cdbd0f893d629dc132c0e3f89

SHA512
c22099c08686794ddd3113542dbfe71781ddbb7fce73e2239993d09c459fa957ab9256896bace829714190f595a93a1c3ba434ac108f55f978c8b298e9b88168

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6249228800ad3d36e1552ac9149f774d

SHA1
ba8b0dd20c3f68300650195f0d8911821760cbca

SHA256
10b0c8510febeb80b8b807cf1c4e58404cb5b8b211692f217753efbdaa0a5754

SHA512
a7a1f76fcc3e4505505002125a810147c6e70733e1b94b67a066a53fe989b6da7ec2476908f29672bccb2e0ca1154b4c099165666e14a3ebc01cdb44053fb976

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9b5613563dad7413fd36d3fd51e4e75f

SHA1
24c614d872cdc707e6e3c983c2a187c7d8727929

SHA256
2ec1552f243b26bed12c21b8b0248f8ffbd8db4052577e569a24b799e2294e19

SHA512
6bcb10f6d1fe226f1d9451ac7297075fa2bd71b209501b37c230dc94cfb981e929e4f2acc85be531c4b50073879bb1d0f6d0c4d5d287dfc938f27bcf98930cdc

Download Submit
memory/728-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/728-482-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/752-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/752-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/752-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/752-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/864-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/864-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1336-53-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1336-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1336-60-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1336-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1384-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1384-557-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1628-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1628-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1732-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1732-452-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1912-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1912-483-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2108-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2108-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2192-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2192-110-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3212-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3212-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3212-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3532-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-81-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3544-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3544-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3544-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3544-75-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3544-86-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3544-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3640-556-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3640-260-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3684-208-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3684-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3684-90-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4128-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4128-39-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/4128-44-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/4128-49-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/4128-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-6-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4224-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4224-115-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4224-1-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4224-8-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/4588-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4588-555-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4624-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4624-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4780-181-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4780-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4848-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4848-20-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4848-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4848-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4848-137-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4964-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4964-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download