764e3fd7ad328752d6f2e52d2ad5aa59267be5c1716f8f041e82692e23d6967b

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Size

1.3MB
MD5

3202497a9b2e4e3f11c1d03f7558d77c
SHA1

60e908a17dab524b9f379cc9fc8d5cd95bb4315e
SHA256

764e3fd7ad328752d6f2e52d2ad5aa59267be5c1716f8f041e82692e23d6967b
SHA512

f169a046b92353899fc51bb1a702a2a20e3c214587aaa3892b7ed4064d3cf3610aa5c1769e4030158b37537e69cf78e7b066d642736206318a08c15187ecbcb7
SSDEEP

12288:EtOw6BaWMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:a6BwSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2348	alg.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
3868	fxssvc.exe
5056	elevation_service.exe
2436	elevation_service.exe
2860	maintenanceservice.exe
2340	msdtc.exe
2308	OSE.EXE
2088	PerceptionSimulationService.exe
872	perfhost.exe
396	locator.exe
4484	SensorDataService.exe
4064	snmptrap.exe
4108	spectrum.exe
1820	ssh-agent.exe
3028	TieringEngineService.exe
2008	AgentService.exe
3880	vds.exe
4200	vssvc.exe
4332	wbengine.exe
4012	WmiApSrv.exe
3320	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9a7be64c720dbab7.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4bbfe4619dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051d6574619dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009087684619dcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065a9eb4619dcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a056a4719dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a9ec44719dcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f80aee4619dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aabddf4619dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085d1d34619dcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Token: SeAuditPrivilege	3868	fxssvc.exe
Token: SeRestorePrivilege	3028	TieringEngineService.exe
Token: SeManageVolumePrivilege	3028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2008	AgentService.exe
Token: SeBackupPrivilege	4200	vssvc.exe
Token: SeRestorePrivilege	4200	vssvc.exe
Token: SeAuditPrivilege	4200	vssvc.exe
Token: SeBackupPrivilege	4332	wbengine.exe
Token: SeRestorePrivilege	4332	wbengine.exe
Token: SeSecurityPrivilege	4332	wbengine.exe
Token: 33	3320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3320	SearchIndexer.exe
Token: SeDebugPrivilege	1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Token: SeDebugPrivilege	1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Token: SeDebugPrivilege	1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Token: SeDebugPrivilege	1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Token: SeDebugPrivilege	1652	2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
Token: SeDebugPrivilege	2348	alg.exe
Token: SeDebugPrivilege	2348	alg.exe
Token: SeDebugPrivilege	2348	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2076	3320	SearchIndexer.exe	113
PID 3320 wrote to memory of 2076	3320	SearchIndexer.exe	113
PID 3320 wrote to memory of 1468	3320	SearchIndexer.exe	116
PID 3320 wrote to memory of 1468	3320	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_3202497a9b2e4e3f11c1d03f7558d77c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2340

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2308

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4108

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cee167f98ad0d0b678d9231ef072062b

SHA1
3adabbf532394adf1ddee85c622f0eaf31e01d96

SHA256
fecfee79e30788888fc56d6f48966a4395ee1fb9cd851c5b9a9d7970d91c0522

SHA512
d631bc88aaa0933fe465ec9fa461cba96a0a7a16676b31e7acc7359f3507a7c18f9ae8d558603933746a680e12ba8d1ed0ef2e6c43cfc5450346146679337f2e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
250adf20507b71c93cf2a5ec1484c947

SHA1
a623f4f383b2743b674b4df095c1de9f515504f5

SHA256
b7c655eef4ace8a1164aadc042e5660bcd6d8f6fcb3ed27cd2f357fa92d6d1fe

SHA512
e9a2002dabc7572b53320a5111fb1d68fa604db6924d98b0b4a99b3adf5ca94e74a63b5049a0be3a7e255adfbf2125d3af3aca0d85f285f8acf2b70b2df0e73c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5cb17dbf72a5409c34fd790fb9061ad5

SHA1
ce1cc941b86d559f11f631f47819f527716c2746

SHA256
02bdd6eeffb51389e8bb21e6c08388c381223f9b556f756d79e454e47a872af7

SHA512
6a7c177bdc57a5f90a7299461f76b3479f218ef65e6ac6c0651cedface65e9a50226cc913a5ad73667e4d7bc83cbd0496dfa02a51c32b46f649a0bb504fdf18f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c93a2ea4a39c2b6a0301d44b0f6fedc4

SHA1
a3f564b6790ebc33d189c0e6abcabea45d857cfd

SHA256
974e3e1acc26693a90c43b46c2df6114564419948b457da3b303e0b77ef50815

SHA512
3dc4b30472fab4521b30f0548aa9995316e49ef610949e77c1390eff3874958a89200c7fe6544f1150e6bf977b7f027e42c748310aca39258f4c59a1767b1700

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8882dbbad9765416792da0b6c0912885

SHA1
5a84262598a0dc61175590d08ef6598eacdd2a9d

SHA256
8fcf4b48b6e4cff56aa0f13c3afa10c85a6354a8afbb422f849c0750f95f27ee

SHA512
d48ad3e5e51a3b75374710d4253737602b59e155d7f13b8cd4c7ee10f87f0e5ff0174ede5b08a51eb2ce95b2a71d0173212a5bbd3afc8418da3611d35aace77a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6901f529768374e24f7339a5558c9555

SHA1
4eadc79f544bf7e42b57ff82f5ceade3064ae595

SHA256
2b23939b8d0508b10346b7e6c8843b6bac41fc8b7709815c4157a99a96547e0c

SHA512
18ce059510153a7cca7cf866e88df954906f5dff021939d276dc7e41c8f7cf85563a6f096f9d008acdea27a8023001bc01b447eec7064128bbb17f795a5b9b19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
387f7e0ed00981b84931a8022534316f

SHA1
3f6c28474eb570299dee5390df450951cc8fb9dd

SHA256
784b30882cfffef2be68f5dd2e51d63d58995150663d82f62a8d50c6fba5f28f

SHA512
01f25f0b5d2cbe91feabd0adc0eaf3c5a2ab6397284863f5f3c0b935cbd68ac1b0e6fb1f31f1d0786a73a5f19174b31198cd8961ac1a04d48bc1c513c3fad646

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f5c95d407e91577498e09a4372d7a6fa

SHA1
cd9bc8c5adc0a477dd666d0bc3a7bb446057293e

SHA256
37ecb988ff3e5c85185159f3efbcbc149e9c0171d553c605082fc7a58390d042

SHA512
70774c3146cca4b5571b7541a3319b818d28adbe072581c090b8f3164b11e1690d54c5341eb3870d57fded2b1be881634a7b5e860ed9a0369e755374d5184840

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
730ec2f42f26793e364cdd5fbd84805d

SHA1
98944f1a26974a8bf74657854d81e8c47a2d7da4

SHA256
df973b34ae4e733ac7151cbd17261d627cbdd1f06713072bf2a4ddaed8c40545

SHA512
f4362c3dc0f4d03042cf1dc7678318451cc952d8d332acb30214bfa00dbf075c3cf7f93dbcdb2dd7c0ddd20b866dd3950e27175ce7850c001995f1eed13825bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d1925b1a26e13e203358432284f541c2

SHA1
3824b742e7f73c9bbd0683af639ba6552a92250e

SHA256
4857aecfaafcdb69e72f1b13f2ec0890103e8c38c326f1b39d273ccdbb437fab

SHA512
5a4edf103608ef1a8b8aee4b5ab40effb6457bcc8bb54bbaea8dbcfd62b5f8a410874395c616df41fc844ff352de6b4cbe7a6614c0e33ab2d8e1086089779aaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9e22968626170088b134e7877d01e850

SHA1
f3b452328cf877cd43311bda21c9e700e557c8c1

SHA256
d1909898459ffbb0e4fe130a8f85f057373748d6682724900b0b62c8597f3c7c

SHA512
0e08c0667e97a3c906d6e855815eaadc0922f568f0cbddfb038686ffed2a6858a6a9a57a2d0b277a55ccb3fc406bcc537d0af5d094185bf54ee49d78d60610d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f60e0791b28f0044d4b5bb0a21dbbb52

SHA1
d297214fd231361a78f7ef55204302d0cbadc801

SHA256
f437f0a769c9eedfe52070384efeaebd0e0b2eec0c097477cfff7b6495f1ab9d

SHA512
805d3058ede219395c4af832aa46daa339228218b729dff3f277e3d32517cb7bd09d770a38f2a7e03f60cbc6314c2311ae5adbda0b997ef10d8fdec4e33b7189

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3002b8f648e25e40f24baf458727c051

SHA1
54ee2528c4eb4232f610ad3e4d71d04e8c1465e8

SHA256
c40d36fda06d96121017307f5e7eb1b65137cb6f5fb324a78a9a9c8add217b36

SHA512
a04c804343a673a301c98c0c354feedeba2426a45281950b15f7c80bc7c33c5420ca71119dda06514e3ebeb97dbead39d7e96590055a1ac761438294e9895a8d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
dfda6cca8152f6770842af2646425777

SHA1
630b31c23429490ff27c06bf4e29325ad3788b3c

SHA256
ef8bcdb6ad05f3c70b288c81993abb94ad4bc9044492762411306b80125d3bf2

SHA512
632cf64095a53ba5aca1f424834d0797c8c28feade817e3b0dc5f0eb1433119551d7724bb3cf057fffab8f3aa1661674e4ee64b3fcd9afbc40ac21fce07446d6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
33846bf45f75022ff688dbcd0bedb48c

SHA1
5dce7452697394d651cf92cfb356f7ccde322090

SHA256
bcd2bccaf805212f71ab5cb9266d8b9cc6de9cfeacab55ad9da5979e94f42d65

SHA512
ab061dd458690938ff2f50564c9a0566ab02682e8b4bfac876ee7d2751661342149582e40891debf89b1a08aaab7e2675c6ce23d83213b5035d8b6d20581458c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
41b1c7897bbc920d5cabd51205c20e80

SHA1
a37b0c89b45df0226490f43b59f1733928ed1d1a

SHA256
e0858a6de2fd6e1c6fcd708ad1fc01407a7dfdbee788d40cbf54593eb3ef96d3

SHA512
7b93edb602e36e1b323e207ef377d68afa6dd03e9a15eb6d1899136cce0a9b6a7d39239f2b840921e67ea45a7a69681c6edbd9b3b2e3016868c2472206ecbe28

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e540304d24535a5efd794b471e0da6f5

SHA1
594cfaf36677bab97e866a0df5ef39afc895afef

SHA256
4a459d7537ececff908d6630af6836beeca8a5e94f06159710fbe16393997214

SHA512
4e84a51c103dc5daee68e8e56dbd9b44683639ba88f7d1bcd539955ed653575b00942b98846a1f56c79a3fdbb4e22d817d9fce910695425c3a436e3ee3ee049f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b1f3fdddd66c708c02989fc9f9cdb2fa

SHA1
66c0237f80a0c8384c4f0b18ed6a28b73fd53857

SHA256
f9cd707feaf8952349a769377281bf75167899ddc671a2dcdc2b6479b7a034ab

SHA512
b27b628f59e6592637b9c699929c7260837630198ffc27d3a405a8b3a6680cee9cc140f5120d724a085bd5efb7793e89e335d543343abeaf0e5bb38d8b28f5ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
317bd5be4bdf21531e417de885ff499a

SHA1
1cf3769f840d26568f398349a2bd59711a05ca59

SHA256
9245292dd583f66370b3822f0a562f5121ea6be5f6de360c1fb1708cca931490

SHA512
1601af40aec95b04a5941896dcf40f158a8ac46c19ac9b33b1ae73c783f65d2474888a71000ff6a821eca151c8a36b3c1b3469ec169c95ff5cc8f7dc0d4357fc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6924f97611f321e66046b7c124736a45

SHA1
b9e28b7f8cf6a522bf3257cf52bd79b3db2a9006

SHA256
902b62ae3a401139f9529d551652df15eb4cada177eccd6f7796cdfd886bfafe

SHA512
a6c68082b956d956285a3a56c8a108dae6ad8f2c512f484196f919310741d1d8aac1e5a69e53fd621278b00f3f0eb6510d0e964df3b37c1c7d0a895833c351e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fe573ed9a50c98dbf7d07f1d803aa976

SHA1
75e25a98485cddf389a70ef0417beee9fb38daa9

SHA256
3f5658e90e0dd0675ccec474c4e6c7f9d8d7c190a6b23bb8e5b31e2931a31769

SHA512
e0674e91a3a907699234050f5d9142cf7dd69088581612ce9a3c85bf97409e953edd84002aa22155e58fe8c592983ea3ea481fcc97ff7dfbf0186174160cc5ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ddb188aa83ade2c8e45a0a9c81b2cdb2

SHA1
79ae609ca2c41969e975ee475e48058f136e30df

SHA256
e92ebbcb3793ef8a99ea2a6f5aa1250ad076795ba24774a6784d546bc69ff751

SHA512
3d80afd6cc908c485d920b167e6b84a2189ac8233558fa2803eccbdc48f9464112dba662fdf7668649a59d0c43cace86e32ee30b152fe8230527392cf24cfda0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f692a047ca6439798a0a9daed2ecca66

SHA1
9c53ca876f77cec43008b5a5d7a5e793769f9315

SHA256
2a98a3154df2554fbfe9fca86dfc5b143d0bbc99ff1302d5e38966ac67004601

SHA512
61b98640ca350ceb461a2fc9dec1a71a973a863e5286dddcddb74953352f568a97adbe7cbd9a7020a4e8a305e3c6a4ca1d36801dbd10b5dd9722558003ce3df4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
9f58278af5c2e225f399f96408879aa4

SHA1
1275932a1cb69048096efc26bbdfc221e64164c8

SHA256
0ad0d31d3afee8805825e187cbec3b638c8ae6a4d5470e64cf80c7474f250cea

SHA512
270c83ef4fda648fab5e645b727a6da3e5294ee3e339ada6197ce62a81ce8d11d60958100061677ff0464609b94d343b6d5ec92dee767202bf38fc7baa237a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8e70b778ed12d3ce6a7b7596ad8a6e58

SHA1
73d3ec44b5530aeda98c123e02cf1efcaa29caf6

SHA256
137c7ad2ebabbb243b95abe6141f55d68fb8ebcf928590ef346d1d415f6dc387

SHA512
858acbc2f2124c0baf87a8d11abd2d59b9f57e957049c6b93a8897493ac0a6e76dea6cc46fbeffbafa73ff481b5137a039540c7606024061e9c2db85b5c3af73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
420b7538b9cb8cd86e71fc322b45830f

SHA1
7292dc2ed000a411d5d7599d3d0744cc4612157d

SHA256
c0405d0698ac9a477bd0d14e33cb9f542404e5ef44a3f18795894a5eaba8c7d8

SHA512
a050bbe77cf59c04805147e5603d2c7295bd19fe2bff600114cf330a411ceee9e3beec9179ba472462fe2c26bcadcfbc66f7cf3a94b5b799bd7c6eafbef81751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7cbf5b114af2b342e5cd312f078f4b7e

SHA1
aa64476060a6723dc32cc0d07d5b28eefac69d19

SHA256
209e4b8858d6525332dfc6bddfc66dd8e31fbfb76e0aecf71fb22799cefae4e4

SHA512
9d06098f11e5f84790344ee8cc2bddc1cd7a7e93f6260e9c05366c1fd5ebf9702fc26eb6dc9b6f73af8684ad19a9b3be425633157ff624f4ceef7087cdf55958

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b55c320965fc7b832ce95b2bba00f403

SHA1
ab57aeee9592f5475edffecef5304d735965e43f

SHA256
5f131f6679c31dd5f51c7e83e905730524e69c744ce5764b8ea540e96ef6668e

SHA512
c99436049c11b8547e455d917583c71e9021d2dcd2f00899d4d88f56ac03bf06d24ef70caa7cf53163eb901423980b2f4c0153ecb23fd55bf1e37d376e85a664

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4124d8bfb54c385dad224c2eb3ad3d4e

SHA1
2d5c1078e47d141e84adfdfd63ec80d0f4a3a872

SHA256
355d502c7c935c0f40d4c1755545bb4e1d15e2dad9d7c567f2abba260a4d88c1

SHA512
dddd273655ea514327b2b42ca01c9475ef9a7e2626f05eaa0cfd947bcad90f80cc707fe5655e31e4010d6d911ada07486ff97d9738ef50af7d0d372d94d730ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fb83f1f0a6f540a4a944c8f689155ddd

SHA1
8aca3148d33f822a367787c4fca7849d640b531c

SHA256
1c16a12671aa01c5c11181342472ec75f4b081a3271eecebb312d11ef49dd28e

SHA512
27bf42daa6c8747568ab7dc8f952b9b75d9f01175001bf2a24675b1792348f7691cd5f9a1be694f5e9d1c2ab6e20072f197962dcf97623685547415adb0abbd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
100569dabd3ce9c1a007d0c1bd4bd2ab

SHA1
2ef803e3666975d736674b9df6772efa1f5ed08a

SHA256
8469b1a9517999486eb0f64a5624649a382595e1d915874058a5e934cf9d169b

SHA512
22a6fbb721d45c003f7fa5922e082dffa85b4f7c84c9837a0202079ebff2c6ed2ba768437870f0dbadd8109b087ce74c9314164740e788ca331a3c2738b50790

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
baa49e8f98efddf6260c2eb1af80d683

SHA1
21aa53147367e43532f5b34d98e586a58e567824

SHA256
205638ff7c01d2c1910b4ff6ef3631152f290a4a9bd02304a643111012ec832a

SHA512
399ffd4749b8d2763d326793bc55a84f1a4a0fddbc38db4bf77bf5eafb9888d70ed4908d6f55966c18c9197c40695f1a9bdfe29cb2540165ad9b657e358b7633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
15008229a3b4e2ea949ecc100aece95a

SHA1
4be1c3b3c58f2ca3a3c8c7994373f31810dc1112

SHA256
62408e4f8da638bf05719ab18a0bec6f0561d804b033919bfbdbaf6bca2a1431

SHA512
f8882b90886f300465bd2c2945969108baf40a35786de7a1c80a4816188c8502461cedbb3b9451e09c92375fd91f55e02d727e915762ea13751317be3d1fe0c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
c247c82e4b8df35b0559358038d1eb68

SHA1
67b6361ca291c4c3ecf6340088b91a87ad25ec86

SHA256
fc46a6bd146b2220bcd23b537487c3fd38d32f135220b0377cd1c366bfa2b9e8

SHA512
bc0b824fbbc91d5601bf5036742ed7a05dc74cdebf5f848b8139d2f0273eadb6226449415ea5df8c71ea4ec47beefb37e0bb3cf71556c86fc553881dd6def777

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f08390bae57e8cca143251ce0cbf5949

SHA1
4687db9968dde2fde152158704c722bfa0e891e3

SHA256
39c1c302c982f820aea77260572888918606ab57feab3914bdfb8bfe1d1cfcc2

SHA512
ea644fd51ab0f65569ab81f2de45f205de552bf68745ffe6ca74fab8b778b6182dace4161dbc1a97e298ef21a8ecdb0a391a6c935f3904215fbe41505bb559c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
149fd9a960f9b1f099b19a2defee92b2

SHA1
34c098ca03694d3abd19a1a49733619dce6f3617

SHA256
815aeda73be693b5ddf42cebe3ab46dc1c134839a8197a666f8686134cc4dc10

SHA512
22313259b6dc0e0f24bb3d7af127905155c2ede79eaff363be5fbc8f58f628d651653a22a0fd11b899f1bf5a48b4682249a340225d34f513a668855a75865595

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2ba0004ed6858b68f42500ca4d09ea96

SHA1
9fb36501e0fe42ad621a1da1c3ce7ca331b3a6b1

SHA256
fc7f819fb6af43938b5495ce5f9bc1beb815ac308a44ca4c60f6f9d69c4ed593

SHA512
2f242961500a017517fadde0a566d9a106ff4b4eab9e15a5dd13b58286e6cb5442bb82d31cd49575a6df16d9925e8d479bba85201cd04cc46a4068bf470f5619

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
ae379652423bc35131461f10c0107159

SHA1
bcfbbadf4982ec6384f627c1447e2ce401bb8397

SHA256
a3ea32218173f7f635a6be9a2b7bd3be961fb4666379ee2988ee8420aa255740

SHA512
ed2ab8e304db72a731d7a9039eefc23ef1c4b0fa4bce9480cc641e5a56fbec853cbc1d31f98eaea5e0561d12664e373ee26e435deee291c925e69be623ea8fcc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
136a762853ba6438c03bc6c46caf0d63

SHA1
92c4674a0ad52445cb85def22a75381dbacb688b

SHA256
b2f563aa98306764dd9e87ab63383c99fca9513d26fe62c44f81497a76c0df2d

SHA512
cfab2d887339e7d7cf5032b9a43cffe3d4e8f7772dd82ab3bcdde7e17e1dc230ff2e600d0135e8962cc5c49a9e6748964f4a3d937f1a60fba223541289f07be5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7cdc2775c02994fa17ce01a6ae6914fd

SHA1
05646ad1221a30852445df90a095674687554b18

SHA256
1000e50ec4e6d8e06c3c2900e42dbf50060886bcc274fcae36815f42a5261f48

SHA512
ca52cbfdc1304e9018089f9a65716b813a05ada545b91d955de4cdb7941bfe50449656bc5c52a279c7c4dc099053886b3602b81252e9029c70803740af10a96f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d0935de4a0447328ba969ac4b735c8fa

SHA1
8f79c18290122bd680ef1669ff2864697522c553

SHA256
536d8888de74eba79808619f5c1662d5ce594534da40054ca6114ef28168fa7d

SHA512
16a14ef0e817f5ca43206a04d5d1fd67943102d891bfe73afddc80aa14f3a13b26aae4f97ec24bdfb8ca3865f475cd03f285ab29b6ab3257ae65e87208d1df4e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e32a62f172ff2acc31e0516be1fb0b29

SHA1
309b03d9dc2549e2507d89f2e17fd231886dd999

SHA256
7ae2c967082792b6a27ea728a84f3c1bbe7ac5755bf02d3ff00afa2c16b0f248

SHA512
928972bf66b7ddf033511edb6a61712c1a09a5ebcc69ea97890a66f0e3c59614de048b39748e9badee63154b62e13e8671b9c8ec0467f3d948311b06aa8af9e8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8175cad8f0cda9c1ed07606870f980bd

SHA1
36845683317687a67b8ae9fa71a84d04ecef2f40

SHA256
c570511ba3fc3f166f4644e22b50ed9cf4adaa298605be3b93af12e56294f951

SHA512
f883acc54007571cda920445f2d7572f0daf0516aee50ae3dc53a930966d8acf2c0d241452d0bdc9c7be007a0296e1a845f7abf8bba7e2f086ed6cc0e34af6a8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3ca761b34b68f9ffda66630a6d7ff20e

SHA1
f6a97bcd1de8dea0cbc836eb4b839de75d76c77d

SHA256
5ddaaadd8bfad2be35a1d1da15314a991fd0219a34b387eff8c9ff124ec38a3c

SHA512
c8fa1cd380253f6426034ed53cdf55e6df6399ccc5c8d6fac0196d6c1f3d26510a240d13f89af4a7407c21d404cb85a7e301a53bae52b4752ad22fb7e439cf3f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
701e0b1d146d7525717fe4ab8a57e8e4

SHA1
c2dd5222fc9e5f1adf2f2e5fb8895a7df36810ca

SHA256
ff82425f5c20dd9e1a4acaf975466e92fc1000b0a6729df36dedd8c11d5639bd

SHA512
688329359f99cdd6d53891b2b2bd925c9c6f73693173d65f7bb268f7f0bf28ac56c35cc4240d7cbd8046e7639ed96313c1280e5ae160e0af2bb17c7a72d7ce48

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6b048b1714914a85e2d32e537983578b

SHA1
9e58866d97a0a31007daaf74dfd6f1e827a4a7c3

SHA256
95cc3491cbf752eefcac7dee36515a5c493da6d24830c11e151786839357caf2

SHA512
54c74e2483c8b3c86eb8ba4150fcda47f64eb63897ebaed36228e158fcd232ab66fc1044369523bfd90e06cdc92f2cb058ab10be7d3fd0ac52e01ad68898a1ab

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ce3fe3e6efcf606070ea8e23110848e1

SHA1
c2c363316d4deb1392363c1bc1071c93cf2cdf03

SHA256
8f61f4deeb8639a168e5d6fa357f520298da01ca5b6706278aeb0cadd94faf47

SHA512
28f2b9b452066788a6a909dfdaf1060862711fe9339a0f826ae2168988a34ef9c91413bf68811a2261a3f95b51acf74192dfd8f26a0e3903c2772865c77a4ac4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3e01569aa129142bcc4c8411f3b7646f

SHA1
4e03937c6604fdbc8da1e3575c89fbe21adc63e4

SHA256
81d1f1cae6baf040881977f848f7fe19eadc6d3e0905f957e25ff6a72d5fbeba

SHA512
1c016d6b9435800c58d1eb2b71bfa6a7965602cb8ec2b0bf4215d2d8e4c8294f9ab06eda9eff7d58950565af186e08fd30fb52c663ea3a9a37f15407e5850ce1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f0225b55e6403abfc6d0629a21a2476e

SHA1
7c68f64e8ecad8f5ce7dab33c5a2b2376654e794

SHA256
3d9249dcadd24bd42e248f1a77c1a78da274c739593c12871d3eea7ed509ac84

SHA512
b3f781c77eb4f3497a72d681089e5a83c2a5ea88c1e1d787fc6bec93283de7a1ea369b58c79cf74112f660b34085abcd2a79d31f7fc406f63140f4a2bae2413f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6d732cc1250ff3f1e192da1dc68ae031

SHA1
109f9824aa026b2afde65da0d311cbcb6a178305

SHA256
5540ed2e176e2aeccfac52096099510e3b35f4c108e0666131bf7c7415107b76

SHA512
b3bc4e7f5b168b9af226b5ac25cab0f3aff6bd53211ab2ab111c7ce933918aa24352ad1fa1448d84d72dbf4ab50e5decdca97f193cbe5092489e98b78b336e3e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5e29449b266962bfa17986a9366ce091

SHA1
89a0cfbfe96095acf314e8c4d59d6fd1cbd7093d

SHA256
38e9a119b6112ac29ee2ceae005d43bc89ad465b9c98115fb8c9e39d2838f0b7

SHA512
75d47f2db61e10d6ad1694f549ae934a6e9b50abe5c8538469af39a2a8a9ba40476a1f63cbf0a661952456249da1256a1303c9569c34b62e8585faf347ba8dc5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4d44af93856fed2907e05e5f159bd641

SHA1
167b5d40f8544549a87e1a849cba5b20986393ef

SHA256
2aa986cd04ea559e4bb73d130a7e64147ad5873eec7cb3382fd79f3ab9466f0e

SHA512
08d6db94ec239a3e21fb753428c01e2ed3fa72140ebe101190e35b14b47074d88e82b96760a27adea2612ef01797278d087ba2de31aa15b06eba9a846efd2811

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d51768646802c736116729991d3f1565

SHA1
97d0b87312cb80363e4935fddaf32f42057fcae2

SHA256
1ecc56f785fb4f2bb57e22fb2244bc5350f2c8c9750c374b4068b43a3fa738e2

SHA512
49c1db658ce7a8fb134359af4643ed73b72a37158fc883e7165602126dfabdbe2823e9a9eeb08df153aacf9af23514f8319572bcef135a9d68f0925f8df67066

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6972b6d2caa10d144f8ad748364055a2

SHA1
5a4a183a95560e9bb0dc7ed5bd2f403cd3e897ef

SHA256
67c16ef8166ec9af2b29aff6ced1e032fc01401f036245f99e7f02f098ed2e6a

SHA512
5c01876cf97c7ccc55deacca6d05310bb43e3a0f5e7aef0ac8fc1717bcb194fb727ab07d965e338789f1de7ade67dec33af35678377eab06684cf577b1cadbd9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
ff1b15ea12929d786a35501b1f87a3f1

SHA1
65a9b35de10a94db9967d37ee5088eaa39011fe6

SHA256
f7cd75e4e3d8b3777b94f04d96bfdcc9b8671218211e6aa4a01a6dca1d12f641

SHA512
e5a64a0821fed789ba58c7c0a0d7d1117891a0487577fb9a87d3d32ea47372b70210c2b9906f7a80d570499b5558d14e2041cf2ced88beb7c7650b179190d32e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
17c28167b6faabe2f9156ac7d85d5f04

SHA1
891301a1a7d4c54ba9a2607827eb6ece360184b9

SHA256
a007d1ff67ef3901a3566393c27207442cf00bc5ea4a85250c727cd86cfc257e

SHA512
57b13bf7faf4a290b8eb011eb7f9c41f408ec27841fdc74029f9978132e12f0c2e1295a83a08a4e8263a8d904ba99951f09007731cb9fbba0123a41feb6ee433

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
280a47846b13008c4ace04b60a440072

SHA1
74429a3948d281f8defb1d43c5c5e62a1bf1957f

SHA256
5c7f286138fa0cbaf480b1a43052d562330b5e4475c0d2195a195f08067e7c50

SHA512
8f5f8cf13aacf3da01815a1e5b42588bbc0bf083e9b208ebc09fcb7cde6ca306c0ed3903ecbf1f4bed62c63ac3ed1be7e1530e71ccb20d4710ab4aa309d6b6cd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
8399dd2b48f9ee3dc4ee27e8aeb0548f

SHA1
2b6be34e8a39b76b0f89d42ff6662ef4dd819590

SHA256
5ff82b098a40739bf18ae567e014936aa63dfc547e5f90c40b62a5572f195bd0

SHA512
61da94efc18d461bb4a21e359f47ab6ca7d74ad10828cc429dcc15480af5e9ae54f3eced41210398fa7c260642b01618690cf41ca00a9aa98b0f60e7bd080ccf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e2b257dd66cfb36fe91320a74378f3a4

SHA1
87ed1673a8628fd71e5a20dacc8637b186b10d75

SHA256
f0e1fcfde1ce2e87ed96bc0ea81cdd75648217d386b19ecc96fc43dcf43daf5b

SHA512
6f953dd003003213f97227cb1ede86734958997558a6aace040298ff6f8c00eaaaff732f63ff4fee4870c790ec32788ac8e0f4164b9777a57cf485490934da25

Download Submit
memory/396-288-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/396-146-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/872-130-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/872-249-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1652-0-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1652-75-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1652-1-0x0000000000BF0000-0x0000000000C56000-memory.dmp

Filesize
408KB

Download
memory/1652-6-0x0000000000BF0000-0x0000000000C56000-memory.dmp

Filesize
408KB

Download
memory/1652-8-0x0000000000BF0000-0x0000000000C56000-memory.dmp

Filesize
408KB

Download
memory/1820-565-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1820-188-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2008-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2008-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2088-243-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2088-118-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2308-104-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2308-234-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2340-91-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2340-92-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2340-218-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2348-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2348-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2348-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2348-103-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2436-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2436-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2436-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2436-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2860-88-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2860-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2860-76-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2860-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2860-77-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3028-612-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3028-207-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3320-618-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3320-286-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3868-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3868-62-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3868-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3868-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3868-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3880-613-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3880-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4012-289-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4012-619-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4064-171-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4064-472-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4108-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4108-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4200-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4200-614-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4332-282-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4332-615-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4484-452-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4484-479-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4484-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4596-33-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4596-27-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4596-26-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4596-129-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5056-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5056-55-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5056-50-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/5056-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download