2b63c78e925e71959fbfa7bba6f495230c9f6115439dc7a372ec5f88955db432

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Size

712KB
MD5

89b2a6ed7ea30f6dbfa52066014909c9
SHA1

1540534bba35b0cf525111f9d8a08c75f5f32e86
SHA256

2b63c78e925e71959fbfa7bba6f495230c9f6115439dc7a372ec5f88955db432
SHA512

397d2cee890f1113657f237acc325cafe5d59b4419be6e1ebdd45e01bd433cdfa838472f9d6638bcaff9f1c458ced7da74caf885a6f079c0a6ea7fb2489c4433
SSDEEP

12288:ftOw6BaXFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+Z:V6BBSRQ5UOOU62FBnO+E222YJbNEUQKl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4888	alg.exe
1724	DiagnosticsHub.StandardCollector.Service.exe
4488	fxssvc.exe
4496	elevation_service.exe
1028	elevation_service.exe
2512	maintenanceservice.exe
960	msdtc.exe
988	OSE.EXE
4860	PerceptionSimulationService.exe
2684	perfhost.exe
2868	locator.exe
4868	SensorDataService.exe
2676	snmptrap.exe
3688	spectrum.exe
1248	ssh-agent.exe
1296	TieringEngineService.exe
448	AgentService.exe
1840	vds.exe
2920	vssvc.exe
3668	wbengine.exe
3652	WmiApSrv.exe
4792	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f38fb5e61ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018c762297ac0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c265a307ac0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b871a6307ac0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adcf4e2a7ac0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d19bb8297ac0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000814b80307ac0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4a31d297ac0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005682402a7ac0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f4b9f307ac0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeAuditPrivilege	4488	fxssvc.exe
Token: SeRestorePrivilege	1296	TieringEngineService.exe
Token: SeManageVolumePrivilege	1296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	448	AgentService.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeBackupPrivilege	3668	wbengine.exe
Token: SeRestorePrivilege	3668	wbengine.exe
Token: SeSecurityPrivilege	3668	wbengine.exe
Token: 33	4792	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4792	SearchIndexer.exe
Token: SeDebugPrivilege	3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeDebugPrivilege	3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeDebugPrivilege	3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeDebugPrivilege	3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeDebugPrivilege	3448	2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
Token: SeDebugPrivilege	4888	alg.exe
Token: SeDebugPrivilege	4888	alg.exe
Token: SeDebugPrivilege	4888	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3968	4792	SearchIndexer.exe	110
PID 4792 wrote to memory of 3968	4792	SearchIndexer.exe	110
PID 4792 wrote to memory of 4004	4792	SearchIndexer.exe	111
PID 4792 wrote to memory of 4004	4792	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-17_89b2a6ed7ea30f6dbfa52066014909c9_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2252

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:988

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3968
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d758429e82a3f7d26218ba44748dff8a

SHA1
4847ba76282e1a7ad66fd4236a6da21a593d63ff

SHA256
7fc5f350822e632359c22cb6cbd82167ab749d7af20503eff7520b8615f340c1

SHA512
3ec1281bca521ed06977bd24ea1f9ae3ac9920eb4d9b8eee9de1505d7e5d9314c93ffa52e9f95a6861ac9a0d7067ca9d9013ddab375b644b7717e49108da3609

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
56907f1bb366d06154df9c150a553583

SHA1
c5ecb9eddaf2cc6ccc43d7532f104c09b23a1acd

SHA256
e2271767a8dd052d19d5333a7c5c3ccbd79081e883a167aedc1c0f29383220fc

SHA512
9d011fb754d00c932f4d620df29d34a51b1012b26ad950636dfb13c43c8dc9e26a8ac5702d1923f56434d6c389fe3e4c29f30188bb5243f0b927b2a77351ab0f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
11f7f176c2cb6983c45b4984c64ce703

SHA1
94db97ad5f3cf3de4629689c0885186f4e1fe7ff

SHA256
de3ac7ae249a591d9d094eda3328bd089097309687d61b951d539425aa210330

SHA512
ec5055f0769dbfce3aa42945e7580e6e60b0f29fcf51c648c33d2ecf47f782cc774ef51e7340271bd78cbd9d8550963ae8c10ff06330c7483162d657b3b92f2a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
33348af65cc12541ff2053bf717a6b85

SHA1
b8104d6234465afcf2f61a02a75da146f0a5fb3b

SHA256
0cd6e5fce2c400be9391a362b9ece1808090bc7d4650cf85e5aa3eb39aff3bd2

SHA512
0dc3f8b1fcac3fe9e1ede57b2fc08453999c9faf758244e4655773001861072f23277842417d5733cf39135cccd0e9643973d54d4308398b80b987220bd3f3f9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b1de5366e459a292ae84068dd7a98d35

SHA1
77eb29bbf43ed8d0224f3ecabd12991124a97e96

SHA256
9e4c5950b255750d3ba2ded7612751c8da829461f4d371eecbba6496ef9e4cf2

SHA512
0bdec1a9b05829db36f2af2936b103590dc8cc4d6523fe7d74fbdd40e281c50a9342b538f1ea053924002f682590dd082bd68682b4a57946ed83181b8832b9b9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8f588d2868820e6bc588341ba74594e5

SHA1
2d228b4d2228f43c85d1d0eb26d51d7692e4aef5

SHA256
b83c2c2cc48f7a155df506c29c7077a8ec59fdee350502c6271e84f7e2a9b746

SHA512
08d4f428c158f9ef3ff3e839ea5c1afcccb5db1b4f57ce8ffe72dd62b308cea508cd3614481a5a0fe6391784dc048946c248ab71cd7b0675e532b6179a0f49e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
4819859e0c5d20c8f5b1451f430400f1

SHA1
123dda335feb343bf3f6cd9e884e9f4b4810bac8

SHA256
908a7cb51201e73913bad248593cd740ee51de1aaec425426dc2da998daffca1

SHA512
3e3f8f6f2d3b619fe51259704ec9f7a3a7f9f1ad3e423b89264927025aed7fb19dd6778d3070ef360573b129e5c5c25f041a6385ba6ed03e982250cd1c220001

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
df17783a88245fb0dadd13b7f7556221

SHA1
8afc5c0593ed7bd239ea2e1fd792d4922ae16e41

SHA256
c6eca52e8205b2b93994c0a4b9cf06915c758fd637e6d846b01cec47894c61e9

SHA512
ae543d4978afbc462294129772960b7b688a34aed7ab46ef8d010354677afa7f73008c8b7035d22a9e96ebb4923015e54b13b8f91e6bb09288c31c76737708e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e7eaec405b899eea5fbac53cc25909e5

SHA1
fad8ddd20dcaa9f9a8adc756bf4d1c890d33e8cc

SHA256
c1233320c0cc0772008278cd93546ff4cb8423a7c43f865fbff1f5d44cf7f053

SHA512
67034aa8d7edbeeb05f8359741839b12c487a0e343ee48bfeda08c6ddf6cb9cadcd9f6d671cb6560fb368f582553057e972c737d59466b92e33471d95fc3acdb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
08e4e1140774ba9fd0f3c0ae7d9828ad

SHA1
f1e19ddf8271850acbead374cb1740c08935b87b

SHA256
be3cfd93d03e218577d4aebd2f2c0ef8c4f4275fe8db50b19c59ef244b3fa1ee

SHA512
91219003b1217370f8a087355b7520677beeb26dbf3bdb400ddafe93df291b900708e124cc2a741347f671b984b170a15ccc23c79a8e1cbebb64905a24ac80c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
de5a6bdc82459d0d97a78047c12c0b97

SHA1
b94a16f5bb9cddd066ec0f5b9d57c8781a271a92

SHA256
a76d06763a1463c0312dc1dfe7d0c079b989e347edbad1d8e1768ce8d97712b6

SHA512
d9930d49f7033167112a03f92ab640f7fa36afcb6f12c0640459f99fd50a5170d3b5b6f5ceb8d228c1b47f8b53d4e1ee8c587a502f51630797d345565f188e45

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
01c0998ad40314463615711ee0a221a6

SHA1
a4306f319f98b71e8e48aa5a8de707c8cb3d87f6

SHA256
e196c9f6d562bf9b306973382f3f6f66ae47763373fef0d108d1f8a63b818757

SHA512
6f3f955a52c7be72f05e3895662c9074f434186b778edfaa7d5f4fb216179a7c1e0f7d2cd356afc2d248090f49e4d13388d7334a7f9c1bef46e5deb34997faa4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cbf5478dc1a6986ce5a45ca5b00c4789

SHA1
2ddf6179ee5e4a6d5dbbcb3f9de49158a9225968

SHA256
dc71c9f76eecdc8c58a6f851866be47cbb9650d1dd11dc7af483e46c8f70d38e

SHA512
ac9c4651141ca0fec46b91c569f4bdcb2c7193928b1ea4a29e9cf9261d725701e78dd1b61303b02dd4e4d36501c30e9646ea4739cf0c9ab34afe1b499c43c5e3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
17818ca574ad8b0b9eb476d442918de2

SHA1
9e5a08ef7c7d664446b6a61fa45608df7568bf49

SHA256
a75e1baf9237ebf6fc0dfe35234f587c56dcdb141c9c2e54b0e1491b9460cd9e

SHA512
63a7573910c7b683ef826f3e73ba136190ca91b0bb272db75b81e838a450fd27b4ca0121ea7b51fdd7f53d1ba291a1fc399463c268a6de0df96c88989f40ce43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2f6678cdab0b6317b8fd9ff1a8faf2b1

SHA1
a4d2419153adf62c001f404e961b3b3a8e8c0f2e

SHA256
d722870388c94e12677f76ffd8811e36307748ffee34a7cf1ca32b4a37017c73

SHA512
76fa307c9fb07ee4b1c1ced99f17c4a994a7768b287a748836160ceac3b06bdb0b59382376517146a9c76df92884bf4953cf976899ff4413211c24963ef0d161

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
aa7cbecd3261a3023b934172a8e7bb4b

SHA1
f970ba11f3b9d40f369b119457cb860471b48b0f

SHA256
883151097973616d2d4ca4a59e0e2e4278ebd255cd32baca0e8dda48dc5671d3

SHA512
0436f91928925818811447cef448343483f5a985bb3df67e061daa18c938c3ee01a6fdeb0449a8638fe41b104ac12dd7d09eca1d9d99bc80649f63ff82b0fc88

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
07c26faddf1adf5f5a37622198f02c8d

SHA1
bf33ea41a9ce3a4bfcd46ff26ff8dc9ed396bd1f

SHA256
bee163a1fda41a5dc719c2e823007f87d8fc7a7e54aac7157c636ed307b52159

SHA512
f0c06e1e34c4692a8828f315b1ac0403fbe625e9802c242f33c38b55a5255eee4e1940481b286c0c95f69d16a9a3e9d6cc11ec4779e57c6ee072a7f44c83c2fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ed7deaf1a8f1838d3e466039fe60eec1

SHA1
d2827b1bbed257dde0dce9168f42d84b87e8a073

SHA256
f76cf5637233bc4aa0c3db3b9be81126b946f3ea22f3131e3d3f77ec9dda2de0

SHA512
9f316f50d8181a94dd7a60f5f432d72661a29cfb2855434e3c898118a35ed394c8cae89155ab72a3d80ce2b08d4dfd6cf02dd68fdaf3a33fba2d10c6480964de

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
87f577c4c223ba20d1cc16927b0fdf69

SHA1
cf15375b758db7ad13e615b6de33cb53044c7bae

SHA256
9b54cd329e7ffa4e14664479002cefb37a3712560598cda4b2dabe6a18f9e673

SHA512
533bf110cdb93e5df59fa6d962f4181e4cf7284710b18ca7ccb55f5f6b34c91539dd8e715987e188651c0064291204534802c633a4d0a76305e74c8f018c721d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
69508776c08401c6cff3b4c6a47ac0fd

SHA1
f8bcb0bf6686f5329da69f92b2e30047aa42108f

SHA256
e1f1cc8ade1f7373efec9cdd1ce7ba85d023e482c91640ee98514be4ff07d4f7

SHA512
dd7b2e8f5f0d0ae25512535a9b96df5c201d52d1ff4aecd289b23572e13baa7a8fac51293f0008b4f906f99b92ded7dc230609dc431955c57dba500559163e85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bf2e41b9fe8b148d92027644b1247d27

SHA1
8e7509f469f555065ca46cb172f8ff8baa296a8e

SHA256
87d1046678505969565aa525ad7ede3a5d638dd5e806de6f08eec83b16670cb3

SHA512
b3a2959ad7a2bb72aa4c0a8e3f5863aff61c16c6c5cabca68d9a2291927125b4432d9a2037a7ecdbd5bf6e0891893ab22990f3045a282a785851749bb4d53296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
13dc3b256a85f201e83ddb9e285fec1f

SHA1
60043e7c7d9f06d382c5efef064905f95474a494

SHA256
dca8c291c49c353955bbc9ba3bdffb8a484098c739ee113d9985d49dbe6fbaa9

SHA512
febdfeeb1df6f091bfe1489e07addc029d188e53610b5870adf3011b8f0f16342deb08a27432a84076c70af353eb4c0c565ac3c0615ec64af72199e39c164558

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f66b59680ed78a0aea17d34e4310854b

SHA1
6f3a4e856f0ca72d0da7a4fbf79983eb6ccf3bc7

SHA256
fc390fa972f4cde67ef9f0f357699cd389844c715faaf3d051e7217188e44508

SHA512
3fb119b32cee3375f70cfb961495bd4a7d59b74665194eefbf0ae637dfa3a9b1d81551e286323ce5374474e1ecf66fa934eb877a0c96d0a24bc360e02ff1efec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
552671448a2aca546b99c769e85ba7f8

SHA1
0734e49dc1ae48e9a306b936e1a4f767fcc9dda1

SHA256
7bb2725cbbe72599edbe859bfdf4f36b537aaa477ce73f3a339c53cce632dc6c

SHA512
0c63c61d972eb964ea8a9fbeb1f2404ae3c5cffbd9f8b64633ba60719a5c9ae33407038de8942c47bd76acfa5a7a8db55bec19b8764467b2b0651afa3fdbe584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4fe84b4a33cfc14139abc8546a0b254b

SHA1
c58b306c3c3faeddd2cd49705732a76a993205af

SHA256
9481e7da5ad482cf813887c1ef06413f0a82fe3d6aa5fef65bf84ed169e336aa

SHA512
9c1dfb5f4cf3763d81cae546e64c5b553480c592037372afa0a61c3bde65c04f4f37f81ebb4737d5660b9d1ba7118587d4abcc235704dc782337cce1be00409f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
be7527e47a0a187a2dfef334a465322e

SHA1
1294e54d0510959f24b1afa54e0f85b46e5a6a55

SHA256
ab19076211fb475d204f966de1a3be7296511acd95d2ac76823f197ef79307b0

SHA512
fcd0cde7d0a42039a484aa76005052c25f63542c95962d040ec9783beaf8e31288329d0dd6ae89e5e25f5aa531c4a125d8c4e32d06eedebbdab5ba264ca3302a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cec49a96cd586f1a4af7d438810a7428

SHA1
6aeca5acaf958eefc775c4ec070db20b8122764e

SHA256
63dc178faab91d88a3920c36b9ce23bd82d67e6bfa073329af0f9e39f2d75053

SHA512
b38831f4011d8f8fdf2d71f923ce4273f1227772ac411b21c9c9c997e754fe4f4bcd8374b8bf6e0f2b75b8d21c83626c8c643ab2918ce75213785eaf0c5a6725

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bb6e6b2e6c26a5f904d41c25db9c3beb

SHA1
8bf2b8f245440c8281876984de7065bf98185b2b

SHA256
b42c3b7083f36dd2ddeb5dd678ac203656a489091e85cf2360baac8d9b2652c1

SHA512
3a11de8a2b2136da8c62d156043e548c780387e1c9fe9a9aa72da36742dcd7a2092e2fd3e10990ba311591c91541bae32e50be1b298791abea9a492a65d1787a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
75b91634ee0f0c911ba1ba7b6f5b78dc

SHA1
38d646ae9b876e1f92a2204a1dffcad4445cb6c5

SHA256
9d2457b2c2b8b4df3aa2cc22aaa210eedef48a976b6e274cd0247ce566118ec3

SHA512
4bd2660683a3a09aa1496e2237c2bf872b0169be3adb4bbc93cbf613f84ea512f82b8b5050ca7907aa9152e5bc0e2aca535987fde52bd76a0cb5fe1c3c943a50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0d5dd7788fe9ceeedf947d2244ef9454

SHA1
d6cb32249b96343de7a36a3711fae360f308bedb

SHA256
bdca34c01b68ff90a0193001f226c556822c743062b57e63743e0bc9c244753f

SHA512
7882a710d640a500f4560e6370319821b9bfc780ef4e161dba4d4eae7da9cb67bf68e3aee933af614192d05475ad267625a0a91651dc821b3885bd2277de97c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1a8243262c3eb63e149b042d1cb40cac

SHA1
8d53f1ed923daea2f8b1e2b6e12cbd8c1aa0bd08

SHA256
945cf5fe41fab5091d8c1e1cae346af9f31ef10d34ae64a63958cd9dee949a21

SHA512
6d2de45ec19abbe854517bd54cd68ba202a084bd3125489167144dcd434d45fbb2de06c6d1c680c4fafd4db3d437de41f026369c2800d02ed23c0931972f8663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
28c6e8da847fd151eabb734c57217a36

SHA1
9af44e22595d8cfe9e8927e7146764da34b8ec0d

SHA256
492b067e18c8929811fe6928b6df6b1c3d633f57d9cdf37b5da3f7e80fd71790

SHA512
bd61a4d47c42b0b269ce0bb096e91a21ba8f34437833a10f413d8fa9af118d112d542c3dc109c81d04032090e97daf0071af8729c18d01fb6b7a3139bb106073

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5c765ef1afa7478cbf4bc7bae8f95781

SHA1
f57e689b71f430d6471609ff0d7e6b638808e3ee

SHA256
3527df3dcac27ca17a041723eb7fff16dcdeed7a8e3961fdb7b1dbc364f03130

SHA512
492821b62f40d019d4b017a344d5f031aadaf7efe6dc717e4a8a7d95d307b3503200b288d9256873b9442d2e2a24faddae0527babc454982fca962958fea1f4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a01ff4fca3bde63055b04c559666f0f8

SHA1
001d0537818af9fb3efe68d86b6aa80afcf9b580

SHA256
ec66918417c57fff1fb1016fb4907123395ab7dae8bf162c374f9c7570a0e109

SHA512
cced2ee08151fae3b99f9ebef7545f1cdb2b0352281262f83a10acd74cc53252efd22300dca86aade725d6808fe13c04473762788bd74f50f4e4216ef2eb41e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
cefa5644c068a4b09cfeacb85adea254

SHA1
70dcfea5fa89b8540ceff525045388a85513da1f

SHA256
11885993f31e28de1da754b687c2e8f02d6ac40e0cdd8e5462a0c8c8b8ea5c7f

SHA512
e9f0d76a6e103896fe306d752e48495391e8a633708837cbd0ed4d294062e24acec6f71da339b61a018dca6ae7d5cbb09b9ce2e963a3c1729e6b327cd3a0d5e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7a5a39cad94ec7006d6ff4fa3e9bd44f

SHA1
fbbb6272b620cc9f3196fc4a2fc8b7391cb8cee7

SHA256
acec5a3a704520afa7aa0d4fffce256883518659c4d0b1db927ee42cff1ae9a1

SHA512
beaa1fb440b9a38f3cfcfb172e2a959908751be2c429ded3e5cf9eee71a2f4202e6bb28e483c95b96ca1eb1f3fbe19d001c900bd72c02230ec86bedb8dac472f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e1513d036baa75eb7082e5f442bb654b

SHA1
d74e36d601de728ca56a49b8d6b60dc3a025bf8e

SHA256
31404005c2299b43d97d1e25625d3f488e92f9a892e2365bfe34c006f6fc4d9f

SHA512
15ff36a4cccc309ef38a3fd2b98ad945b28c1380a632bef8f54df5177a1f9ea494f3e53d191ab58af43ee09a1fe1707c98c88d584f28180b28dd2cb354d658e5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0200447b582004e54d9d1d84a2ca4348

SHA1
cc6513840d716799c6434c382bcace24b2544e7b

SHA256
e290ddd010cf60c8211d5ae2165f5d131181413c144aeb4f75ee5c52f097e713

SHA512
8aa4184a63f345de6d1f81cf718b8e626503530f5c40b9ab67a71d2637dc03793b71d4ac982a3ea42adfcee150ebd8db34fef67f2eeb9ac603b33a3da63933dd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
88e0ccd73b02de021bc47a9f531731af

SHA1
24480f63ff1b535c51cc34864e68483de92a3bbc

SHA256
933ab431482cc6ba3a493ebc1f1cfa62c2aa3d8bd14bdeb8143e47a75bfc0b07

SHA512
fb1959139ec472f2777ebcec211d113f24fc192e3f2cb4aa6118f03bff8b9178ee8e2230c4aa1a76a4d267ebaf69d6f25d17af2307f35247d02bb5b0bb930edb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
410622089503e8f06c76d0a17287532f

SHA1
cdd566b3ada142f42eccdf79ced8f9a771a3eced

SHA256
dd49d2d6d5bb06b4dc33e05a42c8de8b081105af1a39721ec3e0e0301cac3d41

SHA512
c92a202c8aa6db5015e60248811636d7f0af2146a8a1af43853545c44f7e6e2a905c311b7a67854f11e3ededfb3d55a6bf779d08a01b9bf32ef4deb88e8bdcf3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
329c06afebd7768141dcb1f0d6380727

SHA1
a4a87804364f117f32b218623f18f35480af1c68

SHA256
9abb9ce85be1d2a4698f3c47412ccf5d1455e7b187eb2cc2f0eb3c4fad7671b9

SHA512
c9fee13ef561e9c9c160037e35d2d39a82ad5b54c5dd3d569142ea2d04659e81ecaeb023f45a2f8323dc063cf02a5758ff83210687afce8c645f734711f1159d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bf8823cce948333cdfb10f06bf8e996f

SHA1
01f443b0d7ec387d201dba8632b59c5b38a7e6ce

SHA256
59b6e55e08488e68d95ce391e4c97d51990e523132f2c3c6af83ccba531f3b01

SHA512
bdc38ea76408305dd566249bae40370638329cf6f0edd7b22bc80eef35ee9d0eb284d952a7c3fb563ebcfb59026fb59aeaa6d67296fc30d6280ac7464329ec65

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
964111aef7405ea11c0576aab2647cd5

SHA1
cabc285cf677041a7d0e7e6cbe9c6980772b8d9e

SHA256
b9c2b9ccddfd39caeb25c072a7eadc852f9111fd1a6ecce1d24b2103a84599bd

SHA512
95712a30ee3741bb303da06c360489de2050190291df2db419df0b652fb57888681972153d8b0edca5f05ebf223796c0f30ac6053f604020e3c3773cb9898e58

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
004de50b9f46ee7b5ec935c7e6f19eb1

SHA1
ccdccaf97e6926eee1a996d8296d313f71c4f0d0

SHA256
019ce467045cd427a92afb89ff94efbcda91a7b7da6d4c2f8fc482f4e9386080

SHA512
6b5ba79573b8e4825aad9e125811cf95ff85bd17a34d914fe01771741da514f40cb6ccddd8da7b8f3c02236e986af49a75a3a0dc6791cef2c9ac6d1bcc42a70d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5d5d7a25e3ddf74058c66272d01a6bd9

SHA1
4be484f7966c8ff5114bdf2050e9e886b9ed2c90

SHA256
b666eb17a5147cf6a04b004946f54bac768a06c6f041318da1944130648e8e7e

SHA512
21b90fd586d39cd2774b9361423c63bb175ab696cc7989df9da80a15dac149bbe778026a8ad0295d79596c8a68c325a85c9c2cbe623d6c3e2f90d957e9861f29

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c327c2769ea9aadc11838a9a84e1b300

SHA1
32035ad4d35d0c35f2c062ca981aa089736240f1

SHA256
2e434e4c7cdb14cb28a289ee594d97995c89058805ed0d2bfdcdff2d855bd312

SHA512
400d7b2acd3278627e7c377fd5e452257ac791c217cc418709ed82ffe11d00f7f6c4e87202817963a93050d5ea14ac803868778bd057c5f95c437d52bf4796ef

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
03769ec00d4b0f8aceb259d5f8ac1a9e

SHA1
5059c30229e6621ad58c0458dea7e62b847b67c7

SHA256
114e4de514ccf639413598e183f96825eec68e30e406c4cf47204e3f4aced95f

SHA512
38ca7adc2b2719bedf7cb1597dd88c0d694fbd7464d8ce42229425d4bd091c1010e41f22f27be3969689b78f3e7225c4ac45b549fb3c3630bf26ff9d8382fecf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c941287248f9c67c33f38773dac82dd3

SHA1
c947cddcfc677cf377e4597a52541546bd8f950c

SHA256
848bec264decf044aeae9662048fdff59c74e99e7c1f97827851e147ecc8a9e8

SHA512
2a2608d676d68aeba5c354f4b0ed269066c6ab5b4deee0eab58b82263285717632f62a842390c9c5d08a5df8fb57aa13cabc494f0eedc12a0c697f131e5e6d08

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
101674e2f270715e4d53ff554a3ddc6d

SHA1
9f02220ce25ba7c3a913dd803ce7faf241e193c3

SHA256
4c813bc74e825448a32c2a0fa854d32b08078d503ae7428c0a5ce7ca48bed581

SHA512
7df3437732e58300c8d80413a941f58e39476c1b0b29d15320d4a985b23a30ef75b0b3073b7403af9e8ecdd93811781e9251fab8a4be727e1bb8c3cd2c368466

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
03937af77f52c51ced07b50cf4aadaad

SHA1
e2e30d26bb868f44e9129617f1a7e3b30fa6e92f

SHA256
9632c3f36cb116a3900ef4356abdabdefa0da49b97e3eaa5562fed3a23fe5c1b

SHA512
67373a3d385ba8e98d5c05139fa89e2cdd67636ce59c24b9e87e819814eebc5d35b0b308f3c8fb525204135324d1a8a8ac174b8f9e44cca7d9b2a1ee845d0091

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ea0f1fed38a5bb78e632606b931d04b3

SHA1
ee870a7cf6d121826e6a64f9a0385eac3f909641

SHA256
0425fd6a4bf725fa2cac14c3053e1f57ffc459c2ae8278c966cbaa0f75508bd3

SHA512
aa2946c57482e93155a188a17b1faa695266ae0ba6b3c9507dee21df828b2d5ebf8144dc5ca838efeddded2a91c899b9ae97f336b00ae616d4e3534197624006

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
41ff538c5d5a6a630c466c9b859549e5

SHA1
7b76e0fc4c2aa17a5ca216e3deb20d52b0ed27c7

SHA256
382db65f2a1c714f43bf07637f21e848f71c13f51f80ff50e0706067b25fa1ba

SHA512
3263c5b97aa60de3649cc3593b5d96c2e5d28b2f54f2b625cdee0cd72cc023312888522f3e65312e760970a908c7fbea71883cef477654e0924ddc0a42714def

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
71d13d8f52dcf23fd8e26c634e5acc8c

SHA1
f2a59d819083453fa6675e8f0cf512f3687556ce

SHA256
d717c423805ad4d2766dc10ece6665002a127aaad62b8918f4840c48b61d966b

SHA512
56943793f03475d0fead6993459d768d6719dfa3915a114d921243cf01b13905efcf4e706f8c2d82fb2a6f7d665886446e248aa95588babc5aa9900b062529fc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a451b0f495be4dc41c117475f5632fd3

SHA1
7423129d585ef55537e20b0f01bff6e701aef67d

SHA256
905b4f3f06c086b82f2f6d8ab46bcfa73a9e8ad34594ca257e7b9c0582275a7e

SHA512
a3ee8ce90b270dbc470c9d2c0c8ab29c4e7e9ccfc013c3aac68ca21bdfa447cd479f1175c92df625621943d36fc73f8fd58e5903a04a02c50b67adc4f8509dc8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e705399ba0efb48e64826d382f41b9fe

SHA1
c436aa15b980fb66a6af7143c2e131cdc26f63c7

SHA256
9cbc489fa1bad1f6591656654860b6a055e68684ebdc2b1bbc84daccd0d952fa

SHA512
5a43287b33b4ce9502c341ba8a3ec32d617c59ca7e0c8cc142e2fc489deb9811932a38b8f5e486b60c8aacadecc9291be0b2714e932d95693a87f18ba7939561

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3b35fca16bfca5e0dd3d695cdd4da722

SHA1
6b1f059fbf2cbe03f3ffa247a27d974e6a7e8c50

SHA256
96838a588be349ce816f44e3b410e29632a9063ec689b0e7a4b0a08d52e78342

SHA512
d45dc19ef52a9536d938ac7bb3709a8817e2d59ab6c45c643b62fde1c74a19b904707931217a725854b19c77c63949ac4cfb41d175b4eceec36c85922029f6be

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7819748f2ed2c635645adc60544bba5d

SHA1
ba5f8db3aba6ebe4a687b75b18333c8563c20c05

SHA256
c47345e27dec815b6ea290c361b76022099ab3996acd84a87815f68ecc2b3815

SHA512
09ca8774f81e3f154e552c387870b7db7fe7734aee9e1ec5ab4cfda0820e10e7a6f043710b3b7d2eda54a5bb0c5c08c69d0526d39773fd7c10bbdce42ae20866

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
70c60b591753c4b7345e2a759b6beae5

SHA1
c8e61511bd2a092a30ec80f376fddb8c076a85ce

SHA256
e1b52c59761e63d96b53519756a2007d42c8c23251d8427310c951702db6e40f

SHA512
38e2ed18006c27cf52b770481afba77e12a57dbf918e834302f926b70834b57cbeac087bf47e2cb7845b932167c854841245790f8729a7877cc9b193bfda70aa

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2a7b4db4e8c04ed49b429f4e1b624f45

SHA1
e207493affc9f187c2824973c35c199e2473b010

SHA256
4eabc5a72cdee9273a2ecf3dff2433aacbd4b06bccadcc5696b5070dccbbc1c6

SHA512
d7fcd16975ced449f1ea8e53d7ab76529f5218b83e73b23bb0048669966b38a06567fa48b71fb2d73fe9d091284e10247f3b03730e271873ea8a273328473c84

Download Submit
memory/448-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/960-88-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/960-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/988-255-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1028-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1028-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1028-82-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1028-484-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1248-265-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1296-267-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1724-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1724-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1724-478-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1724-28-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1840-268-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2512-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2512-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2512-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2512-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2676-262-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2684-259-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2868-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2920-269-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3448-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3448-98-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3448-2-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/3448-8-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/3652-271-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3652-556-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3668-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3688-263-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4488-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4488-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4488-38-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4488-46-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4488-48-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4496-483-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4496-58-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4496-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4496-52-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4792-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4792-557-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4860-258-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4868-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4868-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4888-254-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4888-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4888-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4888-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download