2bc04b1030d2d481aa504b50e4a6c50ab84d649d07892b39af90bc2e8a33e2fc

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 08:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Size

712KB
MD5

c83338d91077160775cde006efe910e2
SHA1

078d0f7caf9ad62974a6ce15e2cc802d5d44c1c8
SHA256

2bc04b1030d2d481aa504b50e4a6c50ab84d649d07892b39af90bc2e8a33e2fc
SHA512

3b5c9012ed620803e7d2d10536513193d3b4ca1283bec13bbd553ad9a674fccd1e8420a151305e590a145dda9ae036227292f699ef1c9b2e90a9536d3bc1b9bc
SSDEEP

12288:ftOw6BayravfgGchah+H/cXy5YFSRNEaNZ2ONbQo2bzTWSaVVQtGLfHtVclBq+0W:V6BHaHsK+fM2jEaNZBqoeW7V6tGLfHt4

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4720	alg.exe
924	DiagnosticsHub.StandardCollector.Service.exe
1888	fxssvc.exe
4828	elevation_service.exe
4580	elevation_service.exe
4880	maintenanceservice.exe
4328	msdtc.exe
3096	OSE.EXE
1384	PerceptionSimulationService.exe
3328	perfhost.exe
1512	locator.exe
2872	SensorDataService.exe
3584	snmptrap.exe
1280	spectrum.exe
4072	ssh-agent.exe
2940	TieringEngineService.exe
2612	AgentService.exe
3704	vds.exe
2044	vssvc.exe
1388	wbengine.exe
2460	WmiApSrv.exe
4164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a24e7f9689a4da0b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\RenameMount.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101453\java.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101453\javaws.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac006a02dad1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098ee5b02dad1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000867b7c00dad1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d0f3401dad1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070c2ea02dad1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b126ea00dad1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da24af02dad1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004028cb00dad1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000453d6502dad1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Token: SeAuditPrivilege	1888	fxssvc.exe
Token: SeRestorePrivilege	2940	TieringEngineService.exe
Token: SeManageVolumePrivilege	2940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2612	AgentService.exe
Token: SeBackupPrivilege	2044	vssvc.exe
Token: SeRestorePrivilege	2044	vssvc.exe
Token: SeAuditPrivilege	2044	vssvc.exe
Token: SeBackupPrivilege	1388	wbengine.exe
Token: SeRestorePrivilege	1388	wbengine.exe
Token: SeSecurityPrivilege	1388	wbengine.exe
Token: 33	4164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeDebugPrivilege	920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Token: SeDebugPrivilege	920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Token: SeDebugPrivilege	920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Token: SeDebugPrivilege	920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Token: SeDebugPrivilege	920	2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
Token: SeDebugPrivilege	924	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 5092	4164	SearchIndexer.exe	111
PID 4164 wrote to memory of 5092	4164	SearchIndexer.exe	111
PID 4164 wrote to memory of 696	4164	SearchIndexer.exe	112
PID 4164 wrote to memory of 696	4164	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_c83338d91077160775cde006efe910e2_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4580

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4328

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1512

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2872

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1280

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5092
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e29c59bfc6bd81738031b6e6b3c727d5

SHA1
b97ee36d696fad122a6e7816d4132987998e6792

SHA256
517ac18924dc36dc12702f502104f64eebd4bbfddcea0405a0874b92b6e3d7f4

SHA512
c9238965b918f891672f0721afc5ebc28b784fd5f81eb706f3417fff7f3dab9c36bd1e3af87b8cb5047d91d1a0f72dc22f53eb96ea75eb657d2d34e334846763

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7b9925105cee10abca43a93915c1df6e

SHA1
101e16f6d30d69f043510502b9106df85bdac865

SHA256
73e1585bc3a347b81b48819ba6b6201e2bd0396ad056f3070670405d974eb63f

SHA512
96839711a9b5938b718890b81417f2c43f1fdba60e32f3dc746ff7b72ed66b4c623072faabeba857fd3e5c6c8fe19cdbaa9820ff5a98912ab380e28a4012377b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
801776791f3b86428e32ba8329b0f994

SHA1
b9611421c07bb93a6d85ff343b126bd59ad8f2a5

SHA256
eac3ca68a3023ac74d36e514e4f40e1d1b36e8b0335ddb312d2ed8ee56d5b8fa

SHA512
cb25e658c9dda94f11ecbe3271b28a5e725b12b1a38ab432fc8536829fbf77ae9472670b84d1fa6979acb2861b46bf2564bfc4603bf97fb706ba567a223c9d0c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
05e9afdc554ab122cc627e241f373841

SHA1
e2b860671919ba93e49b330c7ff33998bb3d7445

SHA256
8659ce2c429479b11b68ea7428c28d59288eab01c3a690c58af937c8d35b452c

SHA512
d7ce290fc584fba9b1a6fddcdae00f908faeda6948af1c0ba82e14bc2ec169bc147ceb1d1b5079f029977f10814be205b27cba84eba4f783fa82280808fe6a86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
09bb546267207c9a0c5735dcd6fca42e

SHA1
c74e579853a18e6260f4d2c4b577d00cb2c65a81

SHA256
2790e2142c27c8eda936566b6205d69ce572ba2a6f7f1f357a6d08fa0fa7c7de

SHA512
b76aef8c8c065e68a17f657efc3bfa5d302773001c333bac00adbfe6126ce057681477c1ebe5260d62b937380d0d85d98f4b80e808bcc39231fca76af6f3a886

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5d0e19bf6d73d077ecf9084c7a282c99

SHA1
b3945cd3bd0b1bb31709e0be22d4720b2bb01aa3

SHA256
43ff4965f5a4be6bb4670909c3889aa18aef4c33c59e14b8494e34d0ad21d25e

SHA512
023cc2317db2883b9d0311a0568dd3afd2aebfbd90eab39748649d488c75f211bb7d2318b74b55f50f446cc3f6eac2c8ea9d0e302277fd0369271db666d3d0c0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f56d853d4aa8407e5031af9d33897924

SHA1
9d5cd8c03ab5f28bfc28958376930e9d9bc66649

SHA256
08d40345174d530c523e8f155ebcd3417e84f7db19f12370b7cecf0397947d16

SHA512
6ffd05101be533f2422e2a6a4279d73a254d2675d57921b6abe0893120163adb3ad8adcb815426c56af6035f864214574e066f3156fd4def18ad819910f203c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9518b5bdbaf6dc030a1a55cf005f0e40

SHA1
ce14c71636f544a479f3fd061754277d84fdfa1e

SHA256
d4d2f6ed6b8fde2b9f007c7fb88a6791679428920f5a75abd6879a301d89c93c

SHA512
643f78f755cc348470c827f14b6199b0ca722768ae37363f925fa47d874f8e772af902b1ce518be0469881e4a358a723ddfc18adf59506e43188fea8864253a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
5374caee4b26b0032f4037422b90f284

SHA1
e503bf9840ec4eb699197e2ef66f961d7c68f146

SHA256
4a431ab216bb892784704b5e456d23fa61d3ec69b32b76e1e51a827511e982fb

SHA512
8e399b22c2525e47d86f481363977966dc82b6f243bc66bb44213ad5b58e36be8d09f2bffbc63fce17877943cdded31bdbc23e522b84d08a58cce96c978768e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
18ba6395565c4832db9e45487607d6ee

SHA1
d04926a885290be14cf734681be1b4f48fbd4c4c

SHA256
b8d4cc4d4e4f0efc68d48a7748c90cea30aa94594ad138d79d7cfe3e09daa7db

SHA512
d6f6fc7299ab42dfc12859889829ad3575e14062c5445869f2a2661c62bb24fd0a15beb103173cf5555f5dc9334ba94b602c31603f644b9383ceeac1d69214cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
dd99d1fd2f89e335a2d1a194b489507d

SHA1
d2e8969baea2fb23c0f7ef3b0e6c1ce8cea773b9

SHA256
0ece0a14b22b079b665c8143c174ec717f34bf7fed08987c47a55a37fe29839e

SHA512
5c3137dc538e31893d1e05103c01d29414e888c572afdd05b38efd3a154ad40584699ef43a7e44d08f0ebdc943ab1a669650314bf64b02995191553786fde250

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
40eda2747d328169ff9075b145e36911

SHA1
436119febe849acdf31205702d70bcc02010985d

SHA256
2841e822994a9e8bee4bf5f766663c73c3d43ae3520fa77fd5dba6cb584aa2d1

SHA512
312fde70c7a4009a39a78ada1ff1e7ae359d2eca217a37eba7ea34cef9a7c4bdeb4399e821df878ab969bd928adc06b0c3ddff4f5c58ec55966042121819d8c4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
03058573c2be5a6e4fb379cd408ad053

SHA1
d533780f826616e520b2f8d50c4df7dd867cee7e

SHA256
f95856994206d51f043d42d20da8266784f04b8170f7ef99d3e272939465675a

SHA512
1f1be86e01598e5a307e30902fe21996033593c12f8bb30092d93ce6fa879da8b76383dcdfc9518c930786df4d88634fb584ad5a35f54dac0d8844b9bb79a2d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6cd44fa762630b627a4bb04d6deebe5c

SHA1
c7fea95d97cffbbea62b574d7b83738bcfd6468d

SHA256
4acafacaf445cf7e7867c1536e57569dad7d23ae10d853aad255d6898d1916e9

SHA512
15df35e336f8b9834ff752c49b01a868183c422f75c5ba0df97244ebfad156a8597bba4ffb23bb4a2bb3fc04d5ea01889f4cc24322d79e8b171153216a548e37

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
96519bec4e4e9907b8464088ebff710d

SHA1
8d559cef849dbaee7163d58bae4d58feb1714c0c

SHA256
0c1d55b683bd407c510f508d627d962dcc2203b64b88ccb4dd2e39a26f700612

SHA512
ece39b48cc4005b599c5dc3378e026a1cce1892b593c9da36d2eba0163d38a5f96784d439c87c0a66990da5401197aff77fe2819a0525e192c663fc9c5e249cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
94bca0e8e2b7634596a893e6fb4f5688

SHA1
96635fd759d77ae6bdcf88d5b9be9dc70416c7c5

SHA256
d52fb06bad10f10f858dfdb35c980aa65ac0dde663cfb949f48f849a676aa1ad

SHA512
db4b0c54d8a3376c0be01a827929816428937b48a59dfcaf2ad332d30c10dc98c37e1498015076a61565fa2f6c6b4b5c78477640fd7d504e2c27f6adb03ddeaf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
317f2f87003698c6455a69037034c32c

SHA1
1a165ff9cd5f1b0d27157f88408288e6fb0d9658

SHA256
31da1400b9fea9062d3f76b5d8ce6b7a151faae10c3f29c8de68bec6ae129406

SHA512
3971588a3dea3602ff06edfd65ded968f8cf9a0f908ab1f0c8e208c2b045f5756d19f9fad4551d5a67eb861ceec2ac3778b8068e09e2677eae32aff2456529d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e95d1bd91bd49302225eef66242911db

SHA1
fb5871f462fe0181e96792bdf77a314b892f876d

SHA256
efdadf506d3d6a8a40f79bb97eaf10cd5489e013d66793f18e36960587eb72c4

SHA512
96ff7fda9100a64fa8a38525c143917fd4c3646dfc95564be80695be2988db8452b679788669d56356299c4a0b7e165ee1d63e753714dab88eb613abc49e85e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
68465f0f1a6e742cb81706586371f35a

SHA1
6a2ae6ab947503142006b3deaedcedda1a9a8a70

SHA256
e7cf9681e12de9203382efc4bb85a78e92848f5786ea90ec5421fdfd5c38bfa1

SHA512
7565fae2cd900410f2c2e03090a7a6a60d9fce6950315d94412e8664c496d7cf68ad1e9cd09454beabe966d65f375d84323cef8eca063d6cca1ccd0a767afbe1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2afbdf7a1d9de6ec35fed50cb126d27c

SHA1
ef49c5e2f944b35da5a8db1d9f0e84d7d1287b13

SHA256
6857e7854831f6a378c3750b08cafaa367434e1cf43d8386a39d09d9f4f76c0d

SHA512
52808983eaeb545a8ebd1f31c7eff6c9ced6c00fb2472d026232cd36fdbd29b42dd1fe66ecf6e8b211e0f3f421e2ff2cce4a91e4bdaf87c8ed9d04549b0fb28b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
be39236d88c033964bb916e623e123c1

SHA1
888e0b80d836aaa5a80a4a4d9ce259967ae15541

SHA256
20c51e596f0df809f589dab7cab647ffcc726ac83b7262447cd501aa47851153

SHA512
c68b623fca14de245736ab496e31f9b99cb3ce3a654bf9a26d819e927383e7c946d3411c6f68a432981e34056baeecb4e8b8cc0490ff410d59c01b0d85924235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4920a3d616918b2176ad24b865f3f448

SHA1
af02cd734f7e83efd64de16f001eb47faee02114

SHA256
9c1f769e43df348e23470ff1edde6e995a77f1ae59cb40d2f85721506b7f1279

SHA512
3d675fa4bc244e4bfbc6e2a9070ff8129f5c886a57b3cb3793deda476f06940a5094bc7f1a6183058848ab507d5777dba2db929dc5dbc0f0fc75c227da43862c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5483a9ce1426c2241fe29b06c243233f

SHA1
e763ac5333e6c2edd1fbda6872ab9f7ff86468fd

SHA256
f86ea354b7f96cffae1ec86394e57b0edd1302100c9d7e99a23bcdab0639ffba

SHA512
f08e6ae3951ca4f1d58ca53564f5f192ff8cd045f1bf2901f06cb5b38515e633ed2a2aa228542e4d50ecc9198328fe8ce6a56f256cb0c90e7b75f5930a40900c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9c09db17ecc9aad8d2c5d724e4a3b531

SHA1
418567e3bc829536c0bb32f7f2e6be15d6fe7f52

SHA256
82bd10d245dfab590f1e29ba7872cf06cf4f4ae2f496784e3ab2925b413ffee0

SHA512
e4227f98574252317fd3d3147cddcb4753a31cc18d55aec9aea4edf4d78595e6dc115457a17f84d429fc106fc4441858af9c85393c4ec00facdbaa7a3c1fe379

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f54d3e0e8705eb69c6aa2bfce72bb739

SHA1
bf8627fd53357ffc96b2efb2d473154fcb1b0373

SHA256
fbd986702960e228094251776a3945804901d737c541b53e6dbe1e1de4e4ceb1

SHA512
ef3cf28ccb79473ef39bf2b0a3a6503360f19889f66b18f8090906341cbd7c9205fda5aeeefdfaf9860e86dd7313eb64d88ad5ad7c01da13f49801a1247a3371

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
483e7b6e23d1ce9f7c1fde79ed70a330

SHA1
9d2f25295fe2fa4b8f4b0dab5098022e229b403e

SHA256
9152d395335e6a3adaffa33396ba0258fcb3ff6cc8e518f06b0d143bc6e64397

SHA512
04c9b8f0cad83cb091000518131eb43f16226a26136087464ebd34f41ab13a26ec2b635358322ccf93b04688f15b2f10bce43ac69e8e09cf1461ba4d8f4ad367

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
80ad8f0a96a533d5103ae94a429a761c

SHA1
62020dc7c317cdfd95d4719210de45680608abd6

SHA256
dbc39989b58177bdf8cd3bd1ce78f72490bb96fd45c05de7ffea7fcece84b877

SHA512
e1c9e1cc9becc2a859470eb48d01a517533a3bc10ceb1e1039eaae5143ef5e8e6a35e4c864ed2a69d59942a89a0bdbd74dbc4f53793328ab690928a1c81671b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d64855beae3c3d36f4b4aab9f8f9514b

SHA1
948afb745c4920654910169c411f2225b610a0fe

SHA256
9d415c2087cc7614df7081b27298e56327cac362bb1cca453d0f3f5c45809278

SHA512
6fd7679e136fcf75e9c36ceb4573ebb0cdacea0c42ee7b9328db33b81eb1165a93aa572edd711b3fb3a18995f97d88fc32ed674a1183060b5401fd7cb40df0ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7c1951c43a6735c10609679d435d5a8d

SHA1
7dd7cdf27eef6a3fe9a33b5d09699a82e2e9014a

SHA256
1d0c9c06931a1db32ff6bcaf120eb3fdcf46ea8be8894e3eaefeb85a606bd05f

SHA512
f80d9cbc8097ebe2623774c5b126d0f98577e4ca35b4b9111233431371245ce72395aa5b4528079d77b3075697006854cb82da021a3552e6fd5d52c12cfcfd5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
55f14ef1778c6e88a4a1a28fd9867cf6

SHA1
addfe2ebd8728087da06596ef3aef1fbf77fda6f

SHA256
68cc410050d35c01150e5c83a4519d27091bb6abfa2d1ba360fb6bcd07e97e50

SHA512
c699450eb3119f902ff01ba8d45ddb3d68dfd471a03a84d82f77520a6be202dc1030fbed743cb9f2bfdba88f94046c4808aa055fecf0afda6fd58659c344de82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
30bdde5aa255717e90860e937b4b6518

SHA1
7ed738a10193523f564ebf86c06904fa21723c87

SHA256
f9e6b29b0e44f65c7303992db3cd3fc41e4e7fb220578785a112650ec6376d9d

SHA512
81e98d6d14bb19fde7d41f8d2c01b1362111b3fef3895f8aef31211ee1d45f7236036f7044fee1c7cac30499481c823ba3ac5d08006a82d84fd02c8d402e9ba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8349178794e3cdfd722797d95bf73e4a

SHA1
24c981fb4b5a3bfed53bd995ffece91c6e177f9c

SHA256
b6603cb52f398885683385060df00c8f8a21efabccdac0d7d0d11897d1c21f6d

SHA512
5c365366b78430affa92f5fba8b75aea03abac0a9fbcf5a9f45d3ba3c83cb3d0c4bc932b0d042123be3a71151cc0eda8db8698e16998f09d87329046119c6b7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2072192deedf2ec70fd1db949dbafa08

SHA1
bafa7ad476b36c035ac70c54a9405a4426e1cfc2

SHA256
5f70610a6257611dc76ffd214d6cfef12251c64feaa5e87afd321b945a871dd7

SHA512
a8d77c74eee53e2cbff1da987376d5e2ad96e8b6368c5070f0688eca83881b24c77e9fd5c428fa5bad62223295fe29396fbaf4a21d5cebe2649b1b26414256b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5ca95f090c01b676bd5713e9b6048456

SHA1
5d77ae71878586ec764b4abe6b548b0e16adbc2c

SHA256
44b2f031bab29659ee0f64c2dd00b7f6592a72746de113f1574d71cf07c1ba9d

SHA512
6d474d767f621abf479de97b60bb66d526abb530b30e3ca55f25ab9d24a6c7cddc8c6b58b83c5dd4372018f037a77f5a62c29cf1d09bc3482054f379c146620f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5dad0bd8cee8e58614a51bd7003efe22

SHA1
d406a41068eedad0ba8f7f22a5a2474483783da2

SHA256
a3786ef0c8da9e15502ab2c1794a24cf525e24f110ee2e71ea7b7c882c57918a

SHA512
b1e6869d9226f04ad7794ff09af731d114caa4e7aeac255f7b8731d6751a1284d343bd5546ace4b169aabb912ecc51c0daa511821745e409b12dee46dcc50996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bc9ebc412fb618bfceabb604607645e8

SHA1
e4147d75862b94283e406be59f3a2448e8fb485b

SHA256
a12256a3273c13a4330e2b3829dccae59d0c318bc0de54854ae8ba198d0bfd98

SHA512
1a667adb4d8250eab84e24368d59064cbd724678b2e3f3161a8506ed90335b4810ccc3f07347c3b946421cc8109bc37b23d472f499c1002ceb900bdc22bd1714

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e0886b71976598f6cc6f28bcd4989edf

SHA1
189af569261f57e06867fb4440d88d4912f41bb3

SHA256
b84eacc00cc3ffa492af903a12599fa67a157015535627589ca2b00b1841b889

SHA512
52c033bc6b9815ea9ec13b730ca3836ec63fd9a33337d7dc8671a36746ab626c272f75f7b26f0b671b09229860d3cfaa62a85da830cc3a9a4295e57e10ab665c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e21998e7672e5e12917407bdd0709d0f

SHA1
6553be5a486ccce74351757b7292af3011d8f337

SHA256
4e7258b4a71ba94e44efd8f692906b251152b13c071f6cb040d5612f4f223cd4

SHA512
0fcc174f1aa080aaf6fa50cd6c1a41aed35aafdb167a6ae86fa23a46af83186612321bd16854a60dec23a7a3458c014780c7a2a9cafd88d614a803afec3d8cb7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3753cdf2a110f757cc5f625fa2f4c4a6

SHA1
78d9f114ecf0b39ab59a5fd36bb3fc648b2b9e22

SHA256
a834d708a449730dcb4c97150e7615e3670eae3d1899c68dc45e93e6b5af602d

SHA512
297deaa7660431e49c6d7f55227e3d3b1cebe70eab00e37b5b6187bb1a44194565fac89d6e82f418c6c97047720a1018f1a1b5af37e206e09e17f8dd1409e62d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1e5c60958f5259d6a819b24f82d8eff9

SHA1
71a5ea34809b36ff5dc0098deab963c016d97d4a

SHA256
76dbf4e4393cab34a2d7c386f485c34ea7edaccd0cdacabca5c1ae1dae05dc38

SHA512
72fffd7b2b80851918ac7e5306419c87908235487b3ead2ab48fc73ff15f8fda250a62c7aa1ad029b46f2b87e955278890f52c4d01dc112795dbd54e79a0b4b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
bcdae67df02e02224a524323ae516fe5

SHA1
44ab834255709ba4a0439af82ec06dae7efffa6c

SHA256
476d7d229c44b5b2af2827799415c587ef1d8492c455c011e28465941c6f2a67

SHA512
53204b588e756809280bebb09ef9b30841d78a22e4ea0958571efcb7f674adb20486e78256992203af2f75938301f6a350cd023a0b8e4bbd45de2aa178f0f652

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8601b4937bcae8997628d7e65330291f

SHA1
e6cfeb58b33f3f6fa3f56deb3d8d7037a39cc74c

SHA256
ad9a2124a1322d1acb610aa99a40d114d26a10dddd506b0d31289c6bed54926e

SHA512
dc6400bfb4ab1a4fb6eb95f2d18acda6e68316fc414378f88893e497f5f21a9a5d2cc3d99fb96d2acbdb76de017881730ebd0e6659a3ab61f072894291acab72

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d68691bff1995830c5963493890efc58

SHA1
37c3e1e56efa70c9bac6304f9ccf65a807382bd1

SHA256
8140ad36c8fa51a0ac32d9b2cb12a3c48581d90aba2fb3767049ff52c166b612

SHA512
f8dca93b8ff6e54943be834e1050cab6d2643a9db733c278569c107159098515402a2a321c55bc52ab671c6bc2c85cecb4ad28c1670931e77b33ea576b7a65c3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0becd72b55c9061e89097e168dbafbf9

SHA1
a3d64a8c363dd113e17bb188c69aa3da52de992a

SHA256
0b032a22c399ae020cda09eebb4906bbe94429d1d94d9d768ab805f0cd2fd9b3

SHA512
16fb777ccaf353d88aa10bd9001a78863b68bec3ab59391b68b78b7b7dd677173d2c70e6a186ca3349889741dfe7b9016be7a9b56f42611d9db16722c1b84ac9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7abc121a64daf3652e4d9ea4e7cbc7d7

SHA1
95d7b2b827891133df1ab66b1c649d7fa4b16baf

SHA256
ad6b1f65e995141af604c31f4391e1b0f42e975121c414184a59905f0b3246cb

SHA512
d1927059404d5b98114a6a167cffddf08fa0a5d9a79ce8c07485315ae15fbaed69d0ab5ace8589d6491e5638d376cceaf0e06c659e3ca3ad531e360c38d67719

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f8ed4568f934f6d416b231e99688a928

SHA1
f18d714df6ea82fc5366fa1967447358cc2491ac

SHA256
8cab950d50b5d0f5fcd6e7293d45d7ec93cacac25e1172343071a27589ba0f5c

SHA512
b8afbf5b613c89aa9468c4d2ebde5db5876cec5d6faba3ebf051e97930a2e45e14c22b2366892db3f46b7af772088944899af38ea91b867e0b2423d9328913a0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c1c004f52573719b2b6da820e5396f75

SHA1
083b08b59871042294635974488f27eb41cda1bb

SHA256
75f09b2208ce52c40f7e1ffca39f344418f9d17e2d281bf085fb7d52bc2bdd66

SHA512
cd93c9688236601adb8495a204252ad90aa3dcef500ca6d94c981c1f712e166a88f3340504c69f5c7bd94e16b97cbd1ed4ece810f1f0b97e2362039a85fe3bd2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3cee1d28ca3ef6ce505dc838670ad3fc

SHA1
a9c3cf64427fe8d2be28fea51ca44f5f9b847b36

SHA256
9e5b3b5152bf243373a52c44789eb948d91c209c2d3b14070fb29b7e339a01d1

SHA512
0104815abedc63531507d4fc7e21ff94d28e25fd606d321d330d7d4156786a33705e166fa235cb6911bc051a384bf7f4db157f27ab1535b88e06e79a8468f32e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3a689ff4ecaffaac12732d26668b7685

SHA1
2b08f84ff21c2520ad1990e7ca71aff8ac844f9b

SHA256
b70b79f566a400b23d4b4a9d826604b51bee357f3b2a6fab0ee730f7185ee20f

SHA512
a479b68cccf4e4a9fc6f2e0a7b22fd9e23f2523c458294b6c88c1a88e2c8a8d63346f8f83622b206ba8616ccfd1a22ef5def75502ae178774e94a1bd5d6c4b12

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e872269201b8e2b77a9bade99c77b6f

SHA1
ea2b6919938302ecb39487b5595942117891d7dd

SHA256
a7b1db5383534c6921adc2fe8ee7b554bda4210cce100d8777de124c24f2de4e

SHA512
f48e7f833fd45d7c44c9da1ca1fa55f1110fe1024cec3d393ef6057bd0ba020072821f3c75fc417d8265714001cf80d393e2367d124e09a0c63ace9bfdaed5f1

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
20d28b99eed354e865d40bba2f443ff1

SHA1
4f34d3946f4c6d5730924a8f237418ff50697436

SHA256
196786aabd92eca5186c600a4e3270bb30d59994fe892aded18a60e347135776

SHA512
430183f1fcf9c07f1d39fb1527de818beb3c3969bf7b4ed3b21786ced291d14315bbbb6b032bea440c2c07d7c112838840263bcd27aebc4c95b0ccb010a33713

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4266efd63c79a0081cb7bb315bb2f270

SHA1
b1ff7b51ddd658e93a2353555a9570411136ed2a

SHA256
24228cd615f6cc833b6c780f621bb63c98615c4fe75095b9c603c0a052f93511

SHA512
2397f11742339074d6eb70d9fe0d95e0ecc61f2a40a92ce97509d6827c2cb27bab3df2723f5bb338cb0e5d4455e7950086974de5255a9d87011d6da84423abea

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
97f971ff0c0057a74e31b6d3c256f671

SHA1
efa4c7859977b19a9d496d13d3317181e483950d

SHA256
31f836f4bd7dda35810a138c6a8d67f2addac43ffa94e5ae937dd1858a989c16

SHA512
790f66059f2900d0596fdf1ad1ae1d8457722c7042ea045cdb892534c2bef3736c9d8fa9a6042a7091c3b273accc64a07f24feac50feed369d945d041eb87965

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
83145ca2a4f5f15c1aaefb0682250b6a

SHA1
f1f5642032aff47cf8825cfa5b07ac547da68d3c

SHA256
9db9b071cfde3b009d8208843916ff20ae28be4cf39f12e40bd5dc070c71ae6b

SHA512
1c79e1c66cf33f5e3e7c3c69a2e8ee7012012171aaef1d467540a959d98e8ea36c6e9b8ad42d2228b28ca9600298e3d0b8ace6a2399fd1cfe48e844052329024

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ddc0b12cca2f62ea455fa677f46a5ce0

SHA1
7b541b6439ea29c080fa284e966abaebb2a0b04e

SHA256
24aba0306e26a59911f527c8c0e47267817c80c09dc4c4cdec2e0334d7f9d8d8

SHA512
3e6887a9e9d613617ce2e4ee290b6c7477a7a20143032d5366dcb4e0d125f6364a5257bacdf9e80eb9d9fd8e7ed5829c9f93331f78cf22206696e40bd01eae04

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
56cc2c3e18e1e74c026ed89e3b25b80b

SHA1
0dafb7f55a61cf6aaf68db4ed4fb5b254e5668a1

SHA256
d6aa7dd08c756096e1293faa2d107fe6b7be5d88db2bcc4d7a23bdb6d291cfdd

SHA512
28f42e7cd9796c4877bb35931afc8a9d73cf13055259a038ebc5ed20ec256cdb4e856607cbbf113f0c832e3b56deef89b2812ae54abf963fb09b5528b6428bbd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3efe0845c5a83df2873f23839a9a93db

SHA1
08cfe03a92d11d8b0991c88b1beb6710e4e1d0a1

SHA256
41a0a21343f1b5abc74eaed3b3a78a94b722acbcbc8c44384e83666e0cc7493f

SHA512
ed4d09d2165306eeb2ab0d795f03671f4333ccbf6193e7a3252ee63a07b5493fd082c8298ccde3baaa2141e691d742c8c65697e62eb44694b13aabf21f616333

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9ed58f973a51ee6d610b375b8ebb4875

SHA1
aa3e170bbb512b02b843ee4edf435370cb2a7d30

SHA256
4221c9b50b7bbf385edda6630a33302d6490412e5b7e1c295853457d44725788

SHA512
0b5b77bd73b89de44fcfa233a87300466f5d03c2608fb04028d28977fcb73e837725038138b8b28dda02e8889ae80250f7403ab4d9bbe5a52b4a907c2a4e295c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0edba3fe0c35535acc832b60a10ca26f

SHA1
be656cce183f7877d0ae4391ffb7bad719aaa743

SHA256
70923b8ad2539f3c2cdf724cfc7e561c6f6a9421da6e05a2f28360eb39f5e2e4

SHA512
c7bb92993b454048f2ff05a183fe446cbab787fbe23e5c1c3fedd48fea685aef9e48f6331edc9468e9d7bddbbe11d533a4b197225373fed679277708babf374f

Download Submit
memory/920-146-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/920-1-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/920-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/920-8-0x00000000022F0000-0x0000000002357000-memory.dmp

Filesize
412KB

Download
memory/924-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/924-23-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/924-157-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/924-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1280-141-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1384-136-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1384-83-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1384-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1388-443-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1388-154-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1512-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1888-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1888-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2044-424-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2044-150-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2460-158-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2460-446-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2612-144-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2872-139-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2872-368-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2940-143-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3096-77-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3096-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3096-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3096-390-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3328-101-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3328-96-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3328-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3584-140-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3704-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3704-147-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4072-142-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4164-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-162-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4580-385-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4580-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4580-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4580-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4720-153-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4828-349-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4828-37-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4828-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4828-31-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4880-54-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4880-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4880-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4880-64-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download