e33417588c91ae68c9a632cc2e8480324eafd1a9414a7fc4c68a3760184000c7

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Size

1.8MB
MD5

b2f4bf8731ff62f45e46bd00373dc3f5
SHA1

3436dcf873fdbc8183365c5b30f340cef3e38788
SHA256

e33417588c91ae68c9a632cc2e8480324eafd1a9414a7fc4c68a3760184000c7
SHA512

5ea658eb3156e86f2d51d151759a7f5b375979a3ff1cb26542939f33706088437ea0d61dad3348bcd40c705810f7fe8bf4cb112252d9cbd44220af5b8b6b809b
SSDEEP

49152:cE19+ApwXk1QE1RzsEQPaxHN9A9n/TDbXNKd:h93wXmoKmfb9s

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4524	alg.exe
3268	DiagnosticsHub.StandardCollector.Service.exe
4404	fxssvc.exe
544	elevation_service.exe
2588	elevation_service.exe
224	maintenanceservice.exe
4664	msdtc.exe
888	OSE.EXE
636	PerceptionSimulationService.exe
368	perfhost.exe
696	locator.exe
4092	SensorDataService.exe
2204	snmptrap.exe
1576	spectrum.exe
2452	ssh-agent.exe
3744	TieringEngineService.exe
1204	AgentService.exe
2808	vds.exe
4316	vssvc.exe
1588	wbengine.exe
5048	WmiApSrv.exe
4512	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\da1f1dd9c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050a6639251ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078a3fb9051ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b7bb99251ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b971279051ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b33a759151ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d421389051ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e20579051ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc031d9151ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Token: SeAuditPrivilege	4404	fxssvc.exe
Token: SeRestorePrivilege	3744	TieringEngineService.exe
Token: SeManageVolumePrivilege	3744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1204	AgentService.exe
Token: SeBackupPrivilege	4316	vssvc.exe
Token: SeRestorePrivilege	4316	vssvc.exe
Token: SeAuditPrivilege	4316	vssvc.exe
Token: SeBackupPrivilege	1588	wbengine.exe
Token: SeRestorePrivilege	1588	wbengine.exe
Token: SeSecurityPrivilege	1588	wbengine.exe
Token: 33	4512	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4512	SearchIndexer.exe
Token: SeDebugPrivilege	4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Token: SeDebugPrivilege	4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Token: SeDebugPrivilege	4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Token: SeDebugPrivilege	4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Token: SeDebugPrivilege	4436	2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
Token: SeDebugPrivilege	4524	alg.exe
Token: SeDebugPrivilege	4524	alg.exe
Token: SeDebugPrivilege	4524	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 3212	4512	SearchIndexer.exe	107
PID 4512 wrote to memory of 3212	4512	SearchIndexer.exe	107
PID 4512 wrote to memory of 1476	4512	SearchIndexer.exe	108
PID 4512 wrote to memory of 1476	4512	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_b2f4bf8731ff62f45e46bd00373dc3f5_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3212
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fa9eeb56b84b2dcd10ec5211cb5ee40b

SHA1
acd0a8d588ebaecab76d771fc277baed1a061141

SHA256
8c3d8c727d6e3a36d99861e8b8e05316f166091fa8a53c09cfc8e23a2ea21427

SHA512
be703503fd11a3f59dccebceee056134899dcb37f80a767da5f22daaeb5e1440330570360cd7a47f4540b65f10f9f90ff4cbb16f9c334275c32d260640953f01

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f72be03bbb007952c2babf9a53587da7

SHA1
6b3feae915961e26c8d8197d4fd3b8ce77fe0a45

SHA256
2bd444bd38019d578c345f70550131246e6a6a2bb4619bc49a8a0079a8a1400e

SHA512
177bd12d324062844d94bba2fcdc4199f8c9204125a4dcce6ed970a572d2be01c5a20eda271a36ecf5e19af431220670b2b445e95b9e0782495c4aaa705914bd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
94af7fcb79f2552c94b1fd483c03d885

SHA1
fbe0fd388bd6e11f07e6d6e3226e38aa69885fb7

SHA256
f7d67e4857b8de5caf7d6d1bb5ad31b841389e0b1a19a4deb1695bf33238cebf

SHA512
47cd6df66513c0de8ddf63fe29b21753371935eea4728c53605977236b2af20e99888c0103127cc1aadd44cf4ca3999db8250d6f88cc95dd0da2a7d88451a270

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e31e178f3d192c655e74ad2e7db2d8a1

SHA1
26ff6905b9e2effddc7884c9415e85c5886b1e3d

SHA256
1a39aa92a653d4ce58292fe0bea793ad3df5405498ec0f7c6df57d727ef24521

SHA512
167b41eb2db24e3f56ffb6a492a21c9ed6daa3e5747dede0268f0e9795d2aa103feed8b2148afa280cb17f5fb2cb577343ad524b597885580e4db4177ed737c5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a821ad69dc3361fcda8b1f24de64e21b

SHA1
134d46e1ca42e585a31cb6acf7f2810c581a4937

SHA256
583ed21c381f45561e0f4fbc33905e8a69f7a6cb5fefc28bde94abdbef1c0512

SHA512
7130e733a92c34dca85fb66e1e896d8c5e52388c7d73d9b5b7b824caa70437d06e3b1e7689431720d704b0af08ae804ac865471bf4d88a8a9970c677e3fd546e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
2e9452de3ef5e5106d6310be7d468096

SHA1
18f33bde34782d33e059769ffc898b5b8bf18b33

SHA256
8e77aaa169a8c9f5a5b6463017ace9f5d3749b46dff0208151ec96fd3c7890fd

SHA512
2b0eee088321557152758207c154438a7f20cef5be3c4714f0a2d116a4a6096b587515274cf72223ba3bc8974fe19c4e671b1a4de840842c92e7fe4135d843dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
2e81270ed2ae898dd2c3f1d516011a8a

SHA1
e23073d8b21af7212a48337b00ccff8b1d721fbf

SHA256
c3eabc504300b0f1cb5148edaa389c7f5c4d164fd6fc9e55a14f842c88d31daf

SHA512
5b99b4c0051393891099bbd8faf10a83f25b9bc24bfc6b292572f0107eb0ccefad9901fd27554a7ea9afa8e072b06fa7effb2ba360d91927948ea5adb6762dbd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f7d13a78df5608a5ee983c9614ddd692

SHA1
c48986daa9beb8949a592617bc8c811133d3167c

SHA256
3fc1d3c5b5011728eced99c3ce99d610cfca4aca4921c6f72a12108fdfd32d57

SHA512
ed90a14a8842af7a076b84902771f1af6123bb7367e78cb4ea9dc1ab3dd3a7ca1f4e6289ba6d09c62a92e32552b95796fe3b5a4a6ae22f4ee0b4fcc942ebe0fc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
bd2d33ad4612eb586b19ba75b3539c41

SHA1
e5b6a838b02bc00b12d4000ebaf6acd303b599ed

SHA256
ef394643adb3768f17ea4f27cbbfc54afafdf960b942ebe07b3d4426aa28b7ee

SHA512
f752aa6665b52f6c2886d2106bbaf02fd14f2fc88144d62afa0b1eb1b03c7692f8c146020d623ecd8861178f2a7fede516dcc1c80ff84fd19dbebd0fe8254ae3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9dbf495a48e3a4530f8897b6576a3a49

SHA1
98a1b1f0f73815d06250d5a1b53d06b584418c4c

SHA256
9e5c979b4216567f08bcdf2ecadae6717ffdb32f346c0dc3f8c1716f1a764dc0

SHA512
6a01b756a1a25af8a2218f00874efddefaa54fef6c7d14699aef622e3349fda391cd9de61c577ffc3b1ea9a0fbae637376713cde135fc8327791220c2e7a1ae9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d2e26880b4edfae369169d6dd66be54b

SHA1
d1858a5dbf5a1aade059dc9b7b9fc70c4caa8b5c

SHA256
8d84177f0a09cff9b94efb0e1307a80e7b37d5cce3aa33bf240213ae2377bfff

SHA512
fd21e5e70552f33d2368a70f5120664013d4bb785fb368d73bc4a475811103541fab49c5c51775558517ba58f3d290970d1ea644155ad608cd2a1d647158ef1a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6a6e1f24b8c3d4a4cf0f78447c21455b

SHA1
8371d62262ac1da8f0e887806f34c8c6287b4164

SHA256
e6e87eda322f620463465b9d8bf1756f138dd42b44e77e95eea448c4ebe149d2

SHA512
3f0dc4e82c4e83b5e2f5747375d5719c42b3cbbaf833734cdef73cb5b34517cce8777eb68fcdd2cd3916f0719d5729dd6f9754d953517e2d213ba2ca3966709a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7aa430090b087abc864cda809feb069d

SHA1
b75b4cf87ccd7e5378489370da179712850e693d

SHA256
142532a075cc763119f0787de4916dd23afe48d9cf1d1506457e4c779d7bf1b0

SHA512
7cd0514835af43f74aeda23c126088d4bb255ce8ebf78d2715763c94989bcdf3803f9dc99685b2a43d45807fcf2e122dea23799424cce27d2df20a75fe465f1c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
58f4ba66304857accfa381976a8f2430

SHA1
00ebb9498ef6ae765544f457d7df452fe2baf28d

SHA256
0ab099768923e3e624ae1d95feb84e45fbdf3a243580628c2899d8ac0575b30b

SHA512
ecd74cc7fa0b22b2bae074d45a19dea4a4af703f053253d65629ea4cfe3f46c594679a0c42bc2d8792d8a7c2ffdbc4739dd0f2c7dd0fc556c21e52e530982192

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0669de527d6d1522ef31cbd786af3895

SHA1
ea599b235145e713dc8e3fc09ed41678c2725bb8

SHA256
5c48edb8a4509ad5de06558a4e6ff2e29693817642fe1dbfcedb96c5be9bd861

SHA512
ec9d25c35e4f100b85af7855e83130b168441fe109e66a23da0edbb8298cb3317552833feff0cb5d02b3da54708f74a9d9589037865a21b20b4871be1993d5e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0a4a930dec439225fece1ef1b57c7809

SHA1
02ae5f85c938b630aa9b75ba0e77097e2807038e

SHA256
778030d3a35a7dd774c254c63ef9b212e85f313f6278c97da64eafdcc2d1d875

SHA512
b743b49253e6bcc8b038cc4b4862741f966ead027dec6880299e3881b303e901553c51825f513bd5a71d4c35a52182548f4c85feb8df1c34cf8be12578f06dbc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bf6a374ab4bfdb2fff3a6610725bf06c

SHA1
61948654626124b33a97cbde3f40cce7297f4777

SHA256
eb1beaa7de129465f7bbbede5cc4c6bc55d3752889990c4a35ce87a753a83a7e

SHA512
5cc999bceeb4fb32c69c5342fead55f7df59fc4291f36e22ef530a389d6b0f23d18b0f182f95749001dddfbe3736abbd62257a77be7d29d93d73159206912542

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7ad5beb23adc001b7a8762e21e7521cb

SHA1
0b687e124176ae82801cb8e2bf2bc58f129de758

SHA256
434a48c33e4e9b34fa34cb2c0d6aec1a68d6359248db980ce7f0453677a3f26b

SHA512
69b50e362909a9bae0bb590c3c67ca31ae5ae9458c9bd367ecde5d8b26e07b84ba3d96439ecfd697c8104a072ea3a69f814eb80374f565440766fdd218e4bef5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6e5d2f31e4e1a79939dba83e6ea39c4c

SHA1
db864d6badf1a7c23b5c7124bf48fdd3f8ee0e0d

SHA256
c69ceb0b4ebb6a4c08aa5a7119f6b94102d665cb009688f7669535db8b0c881c

SHA512
3e216b25500a6718313511a376903ab4c52edb00dabd518f100463d80a83dda6e3545a90842adabb17bcd02757371c1096a48ae868b0a703a794db3ee1561367

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ed50827ad79daf79e997b0264c758f55

SHA1
000dff28fc464d5bdea09d2b23a2d3850eabf245

SHA256
caff0cfc033245bda9f5a57db89b4b8473055b3072edba111ea47751df3f0bde

SHA512
42474c77ffaa9b2fcd5d9a3a71659581a50da656bcadb5ab79185b691959a440ec178bb38a6487b5680d67535abf62ecc9f52da4ea719a5be316fc55d01b12b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
8c4f263f8d6433e5c340ce4dc02249e9

SHA1
09d999b0a39dd44a2bcf3d619d96abfd27867eab

SHA256
90d09da784c02371439bc5a03811df35e767bb68446f6f986eb5e57f59dbb06d

SHA512
9599735a823fc91d62227196493165a042816e43a5bc6ecbefc831e54c26e445c3b57bf09aaa9be06e3ff479782fcdb1c454cedb1d1b3b7d5dfa3f4aaa9ea739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c586b8c6c2da2f94c26b8150c05158f5

SHA1
450b92bfa7553ff3c09e8cfa3c99df0fadb13fd8

SHA256
10a18eff5adda1ac5941551eec5db1106a9908155dac7690dc5cbd743362a0ee

SHA512
2ceffff2bf1a54bff1218ff3396c37b87496761defa49b5b0b3453b454a314e8cd12b1de44c9b12e9448f8f670112a8b30f6d0d13e4ae94db40f393439a3bc00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
1cd79cb86c2b88d403734d2849056911

SHA1
5add5e244c4d0b8016c1dba6cda13564acf82dee

SHA256
ba69aa6c6da69e88b1962fee623b4293bbc5122efbcc813977d28c0145835bcf

SHA512
892debb918e8aa924fca6a0272f661f4b6bc63fab0936212adaf5b1efae6964361a24f7c8199d58e13ad0a2a6104c3531a93ba8055572b9cb4158a33a014c1e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
85fa95ea6085d4707d65b28df69e154e

SHA1
e58d4256cf8c30889ff4c23f54788ca5e7839f0e

SHA256
18061c69a86eeb231d023b6896ebbd766478ff1323e048b8c948517261d4c2ac

SHA512
cbe0dcce13740e0a441aa3c227d51aee0418b8065b6c240d3f9f357045ac04e7db393dfc365ff6114f8cae603dc63edebaba9273a34ce33835e76f9cb80bffd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
0cf0c7a43407d44b4a20f259fa2dcadb

SHA1
d9a432277af84b4ae2d642dacbc14bd74d9bb3ab

SHA256
cf7a837ac3691eab2817af074280fe0f21c3a88a550b10df5c2ebe30234fcdfb

SHA512
ef8741f1190cfd475606a9d4665f2743dfbdc82d949c38bb6be743cf5e7d48ea62177d3f847b94266fea3566b487d173d19b7c02541ac7f3a29a488848d72457

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
66d01fd368a658d12d2ba998d60f3e52

SHA1
f21ffa5a65883a6f4f7d3bc0a21ce0360c8226e9

SHA256
8d9504bf5e0b9e04e919b70a4fd29247657854d85d01d968614d09f1c800ab45

SHA512
df8c1ee3871c91f8427cc66da7b5c758a5d8cdce2d5cdbc8755c995c4a265c064319b4f3cb5fb9c05fd076f40b25fe1a373eeb00edfd8361094ec002056a6697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
a63846d6f8aa912847641dc62db3206a

SHA1
403f25e2a3eac314e3db3c948c0471328318de6e

SHA256
201063dac3bb5d3cee53ea320ce3b4236b6537855d76b18d5496710d32558eac

SHA512
8ea310a98591cf2be61ee8bb7760242c6ecbc1607d55b3e4309bf483bcee6b72316fc3a52221256271f3da02a32d62a8e8152e23200d385811c2117037120e5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
8692830f3fc0de0ccaefbf244ee544b5

SHA1
95a4d9c1b17c41e52ab985152dc653019caf7395

SHA256
13a2a7a305f269dbbca8fd2fe6511f57c06cf65f4de1a81f6a4cce77351c8cdf

SHA512
ee9ea18acc566fb6c3b17d29e8948a5a0c513907b6a9e8d1202ff2abf81066a5818ee982ddcd1a9237c70e65aa7268694618d068b8d45e742f9fed1b3ddddfbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
0d89cd8f6d1c6700a232e6adc8f0ce24

SHA1
aa78443756afb5a8050fc33e6e8b097b829c6e4b

SHA256
bad28107fbabae8fefe36377b080f71aa4c93365efa51b0dce23c7860149a287

SHA512
a1cfe660c6f135595f6167bf61769f1b296972c591fcf3418f135d2ba953253c09c07630f1fcfbf5e7ba119adff96d04865774eb2f455621668363611585596a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
2bf1cb450474498c1cf4c11e45a8b257

SHA1
14e726d5da7d9d2794fd14705883d2962c071eb6

SHA256
b8162abe013f0a3135beb56c0a7229f4fb5ae825560b7e9b2b50ffdbd0ade890

SHA512
be3fccfcd00223aa569dd22efc03d0618026eb3f05d91c62f726cc12acb0803d3da22d409b701fb349ddec1a6cfad7ac14e3fe75074fd07533fe072018f5a9d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
bbc7f2690d6e54605d03c5cc5a1c74d4

SHA1
0af6a8fe339a6b7a303e342215a2c6c3ab1fc96b

SHA256
d557cf201b43260d98fddb1b46c7b899b4ec422ae35cf122f035b0376486065d

SHA512
96985a1999956e641f221bbe268eef235b355d72440eb68675d257e1fad27e4e76a92ca1095c07e6cbbc3416c641691f6349900bad1438eb05e1f7d3f60797ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f48f3da65d43f0cb7684927b83c85bee

SHA1
ac76532739090a5f4b1ea1e4c894dabfdf171478

SHA256
9bc3000dca583b76d779126a8e2af0638e9fc1ceeb42784672a34204c0311a29

SHA512
53d7d4571fbf72795919eebcca490b2f106ab8d6e2fb77043787848c851e7e448ecb4e123f69f20909c0f61c8cb3640c6ae946e098ca3e1334fe1908c720824a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
cf2058010bb3679df2e593c53d42335e

SHA1
0dbfc8650fbcafa637277b637013adbf5a14b7bf

SHA256
a0b735c288919e649cb3f8b46f082584f34f01d0d886761a119dd0d3d4118105

SHA512
54dc410c27efa87f9908154e5585263f7f0e3a69a78d4fc64d356618964702523cbb89df461d8af704b7e81c0acf975884755f79f0f704a00e8e150afb0e979c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
bc2f609d7e0038d3b68e45cd0f71d69b

SHA1
70ecc000e3c691fb8709b19968205d9cacf3463c

SHA256
bdca9ccd52a30f1c6b15b6263813477848da6b77b40c6bbf22d1f668bccf7c7a

SHA512
343696cfe5228d175d81e2ef864e8540b120549ae97496b8c8b60dfb18da66f93534762207f1b2d2dacf9ee3cf7633bd32a620cea60fc776d538763e8266dcbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5529c291096599945f33443431b847e4

SHA1
ec6ad2a24ac815bdaaa5f5760c3553974d7fdf4a

SHA256
e8bf399f854bcd0f875ac84b4e9a677bad74280de4fcb45e8357b89596019074

SHA512
b32ef95b07097b0329ad822f9a8d2fbe0f5272ccaa3be65f6d40d73a0ba2a94a9cd880c122c327889e0c94b0b02495f5bca5dce88f9e632b25b26123a16eb19f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
de12c1d68aaddce80883a4a4c8757e7d

SHA1
ad4df4e02f28fc2d3a3f53c3fa14b4bb473d571f

SHA256
62d551512128987d01e98ee1f0688f473c6e65d11505063e7a048824571b9848

SHA512
24e9f3065fde2c814fddfb074c3b14d73bef470aafbde6d07d67a452dd51aa2ab508f283054b2b85a6b527e2f2948d0e92c5147223aee1beb5a2681bf2736d71

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a560f99c38b7d01506a866051e84f988

SHA1
8a40646574a60df7537bf72f6575c597221be460

SHA256
91c6507e015082b66d0b48291e51ec4aa569cb8b2dfa111d9062a93f371a8cb7

SHA512
4cab24c6bc022508e4f79f4fcff5bc90b2f8ff60593dbf79b4f94921f034d56810bfd6caf523ce3f5eb3787722987679e3763c888d66cff2cd1b400b58fc9614

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f7013bcee22d51cdef07adb8f9868ccb

SHA1
908c9b2ef93de969a4d2cd2e4f18183078e80efb

SHA256
4df430b7c1df31dc22e577bd34ed5b8b70ec2c9eb67d0aef6a01b8610aba1eb4

SHA512
89980fc2f45d4d3d91be4f0485144d85fe6534a56afc56e7b16ad1eb2ac2f19d8a94b03a2dd084f1efd172cf64f24ab10cff2bbe7ace02350e5dfc32438dea72

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
965c3b131c931361052204357d55dd46

SHA1
78707e30802c6e8fc6f96e16d53215272cecfa6b

SHA256
ccd89033c5777c2b20e88888b3572f7cc8772c70aabac242924e050655c46793

SHA512
a4b8013b507dd6b530a05f6889370f09c87d5efe2ef783b99d421e655424b84d59a442b6e21087ef61e526542343500da9e2c2b0fb42b5d87ef09cea1be64b02

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
12bac0ffcefa7d3d2a46d33279e46dde

SHA1
48bffd7f9036240d1703db16450cf495660529d1

SHA256
8029a4558a5eca0a0bc865aa0cd894a1af5e616d61038b706d99bbb6f400d987

SHA512
86458139d239079b89c9391a2e71da004b458382a770c4f7b16e92eeb3bd8b75659c328381c9b76339ac7d41f2d6866388febfe7722655a577bc120ca3307179

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e6cc9d5044761608ec7a57582475f62d

SHA1
894ac93cdcab52684c144506beaf1efcb71ff7fb

SHA256
aae99a3566a9d7838bc301964a679ef1487c9537ab3e3ecfae08684d1492a355

SHA512
d2fba970cc0b80faee07313f68f2ae77a8083166c74dff53134a285fc4b0ea2188a3d1e11e08cc3f7a69cefb655fc7c9d27e267fb77ad9af20f493311d3eac76

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7cd64aa81bb4ec4a293c5403fec15ee0

SHA1
a3a5ceb41e301a15f12bfa60b719ef3111d74d1f

SHA256
bb3e8734d06fdd7d815628088ac032f7724ff1cbd2d3f9b2371ca63a97750c5e

SHA512
8f77ee5284ce863aade00dbab67a03be3df948f4ac2a25af616492f763dcae26d0773fdcd6895d283912fd57a15455ce83e06012a38e6680d8eefcf31cccd942

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ddea526c2be973005e469216bf61a773

SHA1
726b6fc5afc93fe2033e6f6dcd9d831fdc9d540b

SHA256
ce1c8fec8521b7852c0c601fdcd66f6c093a3605dbee787ff7b778667c5dac19

SHA512
bab39559767bbf7f34fc741697e7a2ac64fdd993c959680f7cf4d288b6ee6ef53e7f6eead999dcf790b88bcec091d403a4b716ca7aeadb6941eec3dbedd33a7f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2de942c92f1d9efb8016e138487ee432

SHA1
743588de5ed3eed15c7bf3afbf88e928a7f21b01

SHA256
4b2d4d43174380da7cb55d61696a2fc48592a9a34dfd773a660af0c3afcae47e

SHA512
2280ddd5d5a191120fdccd671e30cec125ecfb3b632006441b4d88222d8a9dbccef9c323574df47c3d5afa45909c380f8ee85fe6fc196712364356e841215ca8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
76a36be7e59aab612a64b441508b4533

SHA1
fd6fe3711fb17b9133171283b942e5635328306b

SHA256
afd6f8ae24de006037274c6fa2754afe97526bd2cbe8573d2299e72b12f2b730

SHA512
3924b0a9df2636957b0d31484157ca7e1325a10d2fa42ec7bc56bd641b42acccbb7a7d9b983d6a0400bf08b5f16dea053c34b82df29f8655100e6e8482075279

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06cf142ae8f826fc259fe1bc4cd93c5a

SHA1
119e01947d843e2d7650ea0fd3184bc9b5d245ae

SHA256
2db1cdccdc64a180da5686eabf53a56a0331d52a8ccdddb7efe8f409516fca7d

SHA512
e1e0e30ac467cd27c25b6dc91b4126c6e79a157da7449dbae3acdde3d0dd94dedbdbd784e344ff48f430d204ee5b0ab1da22cc6d8c293eca22101f848ef3c726

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d26074aee5eefd6d78ea6c04aafec249

SHA1
e23949968916750f32cfa7aa8502db99206169f5

SHA256
ccb68e5c28513665b12514f6c5aadded816afcac772111702c82f42682c79163

SHA512
b341ded4d7754d5087f622b92154317960a17238fa2a2fc53e90206c1aa9746fc08ae968f753b2358766d91d4567f3ad5a5b71dff21aaac46c173278acb8b4e5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
021ead78b66e5a9c5f8767c79664ae8c

SHA1
186377fb2040f61d77d5284a6dcdfb1c5c580994

SHA256
63f6dc31faa63112455e67eafa54e141465625d48cb35d13610b6d5b826c5108

SHA512
c98e667770282bd5112492761163761a6e365e4e29ccb0fc5931667151821cf9e72ba7deb3642e325ce56f2efa9d4515fc9523818a809ca44e0ed6d1cf786723

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1bb48568e4a891f958cf165a0b5e89ac

SHA1
205a3c9f6e7b96acbd6d8fe16ccd3d3b0206a241

SHA256
d98460fa1b80e9e11319c59fc378353cb7e4ae844f797a9a73af875321d95c6e

SHA512
3b88eb9db6fbd79bd855677565d3b028beedf3ebcc506545d1afeaccbff8ef2c07ce4b69f0537d17aea907cf4357c8a5a85456681fe6e499a327f3577d90c298

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf95c8dc3009290dba10541b63364d56

SHA1
2192dd96726fc023e43412df2a470d4ecc119c47

SHA256
e8a9e51f3e784542fd2d4aadfdcb42354071d5c72f0c5b9d4b68df2cbbb64e74

SHA512
4081329e7ee968bf6f47bde9f4cdee4366455bf069da1a8d75e23eb7e58e8e901d608144270f1f3314a0ef53b64f7b34af5174bc35f9a4c32e062dce8e00e2e1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
6e963a8887fa217b99d4836dc133fdf1

SHA1
98d8248246814c3dcb2348b7037a27312beb8178

SHA256
23155e39eb2383542b9455b7a18b21484ef03b1108fa79853cb2f3e8ce13b965

SHA512
18c2e0946a287949a2df59f22b179954701c464b79d83e29f74b3742dc6ad09faa1a669daaa381a6a87f85301da88430fe2caaf1010e8ff8726c3de103396706

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a4c04835ed6ffa65247d6eed41fe9a85

SHA1
dae2264fe4204b2d55a1c9897f5ad44cdf62e17c

SHA256
472dfa836fc3dcbd63fa559534a608aed45d439bf1b75d3d80a1999019139e3b

SHA512
a4329d870bec2efa8cff7d4cfac5eff1bd6326e0584162ccef0ac56f67645f2dfaad177f5575521eefd687fa6f2aee8758ce794cb3a217c5dfb6d947830354e6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
c6f8d06ae71a48d5102c39cbb3e80e31

SHA1
82b3e5e8b26cd0bd7fbc0c7b9ddfa9fc6f0bedaf

SHA256
94c74e84b3fdbb98eaf5fcff2372fd55e9040c565af780eece5e2cbadb68dbd0

SHA512
cccc3fd0bc7cb8fb390a5161d96a92e909ed0f8a30e294ba58dbd21e2f74ff688076ec588322eb17d52d28012ee1da218a5a707ab5d8af42f9705de21707e7e7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a998fdcc3988630bf685d2b4777da41d

SHA1
c49a8366f475337a54305ee08305c65c9ca3bbf2

SHA256
12188a0564cfb484ad8c45c81a5c9951dfa37c9b2db134ee32fbcaef5baad43d

SHA512
e0c5429d944b98751909397944fee29521689d9ea5cce43cb1704917b987b190e4f12dd9c61b60d1b5f1aaa034c7b61902104ba01ed66f516cfca7fe831ceef3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
6d23cea5524f3f3ec6a1273983cba3b1

SHA1
5d0a017fdf124387dc83848efeb9064e55219802

SHA256
30ba3a7c71220ec8928b1652ea085bc05c723d7ba64efd314a0778d529b9cb13

SHA512
ec839af06e6518c547d23099fb15fe5bce2a46edf0df40745f6083e12544c1ef1d7830b234ccded223938064253b16d03e7d103d58ff77e796751a50b0f42b38

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a54302ae6982075b89326b19e1e12d93

SHA1
ca682e080954a9844ff63bb20fe2683eb3d30eec

SHA256
24a7e9461f783ee537e2d20387ceaf4ac91f808ec952191a86fd5eeb81adb6a9

SHA512
484695450f40438cb639fab7572ded83eba38033e63573863e404daa3ae4f6ed870fd288178177063940a92d3833db7d2202345949326897b6870a31091bdd4d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c3fffb0aa0bc94f1b56c07fd485ca1b0

SHA1
8e5bb93dea5d59ce7c6f2a08c220120586e2a3dc

SHA256
ae11bd6fba2752c8cb645ab5fa0be26fc9c3844a46cb5c3b4883eb2165dff68a

SHA512
f0dab0fd7604b638b5ec011c1dd2b5733ecc79e63ff27df188fdf720ed6e17592e4517d4e58c01fcb31a4f1c9e90060f2f50a44dd7fbf7d66fbbbde37e6ac3df

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
c1a2ffc41318bd6e8b9b6cb488d62d0b

SHA1
427eef01a4573c9fa490643496106eac5d2e26fe

SHA256
a3edab1fc1f1c9c94603084ef773a06290b3634890cd272703b1a7f9aef12144

SHA512
92884ab85da66d1d4deb8ac6edb060c2cead410a1fa6ab3edd1c3875cd1b58b3cb9b18652d18f9ff2611771044bf710b6993aa68a4b4cf295f2579f6b8fcd003

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
e4e397d5a0cd0542e1cd7ee6567c7c9f

SHA1
2a9d5d29a32a4563674472fcaead43277658b3b6

SHA256
d2e566bc806733f5efe57844656f37428caf8fa2687831cf8191897c3d3a208d

SHA512
47fce8a75b553fbd94807b512d2eb264abc712d55dd085703cced4023d023f65048b22adf6167067ffe2dc9826764c039a873c643f0cb4d643a79716836d0b52

Download Submit
memory/224-86-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/224-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/224-76-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/224-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/224-82-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/368-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/368-241-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/544-58-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/544-52-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/544-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/544-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/636-229-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/636-118-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/696-253-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/696-132-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/888-106-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/888-217-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1204-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1204-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1576-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1576-467-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1588-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1588-628-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2204-155-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2204-376-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2452-618-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2452-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2588-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2588-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2588-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2588-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2808-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2808-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3268-32-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3268-30-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3268-117-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3268-31-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3268-24-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3744-622-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3744-191-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4092-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4092-537-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4092-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4316-627-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4404-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4404-46-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4404-37-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4404-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4404-51-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4436-74-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4436-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4436-6-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/4436-2-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/4512-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4512-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4524-105-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4524-18-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4524-12-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/4524-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4664-202-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4664-91-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4664-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5048-629-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5048-256-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download