3a2214a1868ec7bf9f15f4c33928bc6b6b3faa1f76cada351f9a920d9d083ef2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Size

1.8MB
MD5

98c4c23a6d6ac375b420866f88e74349
SHA1

23bc3c19fccee8a0b2d0f6f56b33abff2ee24fef
SHA256

3a2214a1868ec7bf9f15f4c33928bc6b6b3faa1f76cada351f9a920d9d083ef2
SHA512

bdb1792e2eda667fe76e4a4dfe5d21a1faba3b986ace0e4455f167273829efa0754238431cd7635910c483549f30d4dcdb4a9fa575a2d449527248904bac76f0
SSDEEP

49152:aE19+ApwXk1QE1RzsEQPaxHNnrfPOkhqvq:/93wXmoKjOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3476	alg.exe
884	DiagnosticsHub.StandardCollector.Service.exe
4164	fxssvc.exe
1744	elevation_service.exe
3576	elevation_service.exe
2428	maintenanceservice.exe
2760	msdtc.exe
4568	OSE.EXE
684	PerceptionSimulationService.exe
3412	perfhost.exe
3524	locator.exe
3616	SensorDataService.exe
4908	snmptrap.exe
2836	spectrum.exe
696	ssh-agent.exe
2532	TieringEngineService.exe
1900	AgentService.exe
3740	vds.exe
4824	vssvc.exe
3116	wbengine.exe
4400	WmiApSrv.exe
4540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef657808aa61dacc.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{544CD458-F493-4888-9A56-33661A7F5454}\chrome_installer.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaw.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae9bf9bd7299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7b085c47299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d674f2bd7299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054e826be7299da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe

pid	process
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Token: SeAuditPrivilege	4164	fxssvc.exe
Token: SeRestorePrivilege	2532	TieringEngineService.exe
Token: SeManageVolumePrivilege	2532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1900	AgentService.exe
Token: SeBackupPrivilege	4824	vssvc.exe
Token: SeRestorePrivilege	4824	vssvc.exe
Token: SeAuditPrivilege	4824	vssvc.exe
Token: SeBackupPrivilege	3116	wbengine.exe
Token: SeRestorePrivilege	3116	wbengine.exe
Token: SeSecurityPrivilege	3116	wbengine.exe
Token: 33	4540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4540	SearchIndexer.exe
Token: SeDebugPrivilege	3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Token: SeDebugPrivilege	3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Token: SeDebugPrivilege	3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Token: SeDebugPrivilege	3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Token: SeDebugPrivilege	3856	2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
Token: SeDebugPrivilege	3476	alg.exe
Token: SeDebugPrivilege	3476	alg.exe
Token: SeDebugPrivilege	3476	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4540 wrote to memory of 3864	4540	SearchIndexer.exe	SearchProtocolHost.exe
PID 4540 wrote to memory of 3864	4540	SearchIndexer.exe	SearchProtocolHost.exe
PID 4540 wrote to memory of 3244	4540	SearchIndexer.exe	SearchFilterHost.exe
PID 4540 wrote to memory of 3244	4540	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_98c4c23a6d6ac375b420866f88e74349_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3592

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4884

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3864

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
d6c1b84975e02d8aaae1b4d2abec91d6

SHA1
16bc04c7d58d2a1c100f0ce706c4ff4fe8580fc2

SHA256
4c868f55c240a806681e25be56d0a5d8cbff07e1303fe95d481d6cb18d71e5d4

SHA512
6ab636540f73a2235c338e0df8e1e67d5a4fe01968854bd8170ceb12ead59abf0a117ed607c1321839bfb9c8dea45ea75871f3e65e5078f58d61abb14d396718

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
75beb37bb123ef9558f54165934a4195

SHA1
33012c25f37f25a9bbda8eca912ce81af53b242c

SHA256
b3ff3e571002b8a024cad9329e626819ff4f1720f3cb22663b2ef787b925462a

SHA512
f1456114bae9be9d0a62f07a484d332d86ffa9f79e20b514e957acb1e32fd66a030a5077725fd8f574b1e69904e09f455705d291920dd42647ac359b7f974d9f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
799e0c09e08486cfc9db73b53bc624fa

SHA1
e7a13c5ccee72601cd4a50dd5ee21eec4056958b

SHA256
95657a16fab6bdcac8dbc72705ce6338509d65e79db4855ca32f58ceffd7464f

SHA512
23f6b82f4b2c1eff6a8bf1bf09a98cc06c7c9f57d98e2048599b609e09c75590e9f91b1329eb0ea74668bc7c783a5977f98d6edfa60f52d77b9e15a9a4e62b4f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
9eafcff40fc24973c0f8fb9d31ba0a9b

SHA1
d5650b69b8ef7cd3cd1da3d607959c2b45468c42

SHA256
77e143e5fa5d4e959921806fb4a61dafe411fc722ce0a9aa275a886c087c13e7

SHA512
a08b247ea4b7c1468d246df7f938de3e01df85135c4b8bd34ffe70e24e360f41be938c01bdd0453b35779531fccefec606e49315b89dc43da28544486211a994

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
22273c60eea954bf723cc0408177e2bb

SHA1
f8ac038a4dd2a5b8e9fdc5707b95223bb1d517f5

SHA256
ed49a5d28c173519c875ef65fbb94d7ca1e81e68649a68321c1c1ae581a4248f

SHA512
ffcf63fbb1628086e090e4f243d2579816cf12c2c6f621c4dade0aeaea8209de66008ecdda2ef59ae66070dbbf28ad8f73b43f38356daa796eaf03e10be5b8e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
144100be4873e17dff05caa640f2c45a

SHA1
67fba2a8507428ef4075ccb13a2c8769d28126ad

SHA256
00e2091debdfb10b4d69f39b5191c4281fcc4b7726a466096bbb929b49c27b31

SHA512
d87ca2b1c8b17d77ae00e565f518be800a8b295f47a2a2d3428fd897b9958be73ecfa48345160133dea4e3d7e57d980b08a08785c3f4b9fcca56d81edf3c3b91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
aa70d76c3b75454056339a5cca6f2e01

SHA1
620a94e408a78cbde0fd648ccc4e495c9f04b32d

SHA256
4840adbf9d117e6c5518bc8391a83264da18422681a6103f91c083230b0b025a

SHA512
8df43f7b73b0634c5c0ecfe7673980886d35e79850ca4e4fc2863243fbaf7f26c1de75f77ea96de33cdc02ad8b538c666cd2cda36813df4c129db9503a571377

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
0997bfd1ec839999152d41e02272be1e

SHA1
c7c56967ce2c7c026683339188fa7d1257725849

SHA256
901ffda11b7ead472b0d17942f0d31f88663b3a7b62551c4d8a692858b021932

SHA512
bdc03eb7b703430dbda69f6c5d202f743ce50c85106d0cf3de93bd52cca1d5f072eacb70266b807b06e4df6b430b12f7d2eb3a79b0d508bf1908960411c0eece

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
c7f78cb7935ebd8b69b67507c4682708

SHA1
d1ea58f5bf346628380c2f5e9722d3b11b2d403d

SHA256
b95922178b2588815938f508d421154ad8eba233eea9e6ad9c039bb10bd831fb

SHA512
d0293c513d8c37b044c10cd43a9d0ea1d6826a271baaf6d58b1a1d8bfd10afa08addd475be7690fa27b48ec47b77c266500913d4d9da7ad822124e31414f41bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
a064eecc518c67ccc44469d99a2607d4

SHA1
8b465db12e9e205b1bcdc48be211918e12d39671

SHA256
1d82da5f65ea64559d73227a2693301fca81add05ea8c68fecb3370cd4470e4d

SHA512
eac49b21e939a56a0c51cb788363c7b9caafed18cba49bf63cb47538c2d4e6020d9c4d392dead0d58705ca5d1fc9cf49465f65aae9182c9c191eb7ee3410fb4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
2866eebbfa742e9aa7b1596fd30c50df

SHA1
4ac0572df577df8911f6a556ab9f4f67c2c65c9a

SHA256
3decb05e028054699ca1b668a21d15a63fa6c5b591654512590f0d2d94e949bc

SHA512
9cb9f3bd9e6ac9e5dd0e41155b9ab2bdf3346a69e238f0c22c819338fb6ad94440b2f181e0675a8535fc14eaa804f89abd1a82d6acf245fb171aac2ee2f50f06

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
63530755724fd2651d790ad676d482f1

SHA1
0e0f31505538bd398f13c547279da27432dfde3f

SHA256
a93612775c472f01218594cd3334523d7e50f139ae6113866a4bbecc1be7f99b

SHA512
32a5ca54bf3b3948a787a5eab0ffd200cadda8716453abd6e7f61b9608fd06d4184fd6c0db95f2186706273a3666338d344bb34dee41b0f5080789690ac1160e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
39745d935a2d13a7f27c3070195af8b8

SHA1
b9cfd6ce568dac0bc766df10e1819b8b47510cc1

SHA256
2b9eec28df0474d847ff94a3f1833b6d5dd732980e3c9eceabca4ad94d25afed

SHA512
264cf22067e215dcbfe38b1e06ff2cb12d259e983761fff1a772f1284ef79fbd37945a005999fbbc0747dc9927183b8e38473b5a012b75c8111e148e93177760

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
4f8a0b14b45ba5f5d356af82502f39ba

SHA1
051b4e669fe417d7d99e6853851a08bcee85d801

SHA256
422819d2bfecaeb69801ebf796e69fa01cf8bbd659112c2fef87a7b543737e34

SHA512
d07a539e33dd671089fd786ede7f55890c6a44ff6b5eb6f4abce7f244216dfe6cd2d7b68c01a632d66cc385877e687c1af6ee7c4c9a4b0e333cda126cc87c48b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
dd7cb444bda414691471c0be1fde7c6d

SHA1
b3298db76e4b268ce743287c8d93b3519e6576d1

SHA256
fc63d6397a61ba592356c7138ed3c87665200b78e3d7c8c2e03058afcc11341f

SHA512
908a645a24853d68b28268eeb6659fa4c29f3683ef4e778516dfa79df1a088de7a34e088b7d93856f1f4cbd1322d48c4d331c984e7f39a491ecf80d158a033eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
42844eff9ecd6a85f717f533b59a5709

SHA1
37fcda69985f71c1fb41337d1fba6cd11b67512b

SHA256
e706f361f1326f144de261d2f6c95669addd0cfc7464bcb117d7f89e3719dff4

SHA512
fcdfbb02294cbfbd685edae0b4699f3fe6a2b281c70f24e6236325288be9ca54cc3ffb9d09322f5b8ca9e98b4b3f99b8bc50c0a9bcb51b7fcfc8892d03cdfbfa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
3c41f413ad7a59515ad3cf43994c6bfb

SHA1
03169d574e7e823ed6d4919c13ace484f1e51db9

SHA256
6d64413937bbf6eb3ece4ec5c8175d94f302e8a8ff423d9bf3c952d0b87ee863

SHA512
990ba5163679f80a53771dc291e6f8fe2179bcb7ee91514eaa0a1788ddf7c7e2e0c06eef82feb88a5cff0b9b55b1dfd18052c8b46133e3ad8ef750ba96d0de2e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
542700e21ac3a8a9d06a8d4f0afcf052

SHA1
43eb985423f80959aeb9158352b488138c21ed08

SHA256
423d7e470832688fde466081178e88658ffebbfb149048de39bf99b4c5c6e47e

SHA512
36cd1ebc553714cc5e2ab46a7a69ba82d00767a5a73c33961204abc970c24671b17d3e711030047a928a39c9c52dfc6f6efd463760f940d444ed025631d9872f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
d3921ab02b03f865659822535e659e1d

SHA1
501b46b9d0535d310ac150bbea06a192d9f6eb60

SHA256
bf1f4687823266b6b649fca60dd2bb14bc1f8d1c1e9b61ba0e05632968075077

SHA512
06a979ff7bc2a7aa479d883d3f6a19636fe743b964a8970d2e1faf73fa4c6dc9684852b97e5077a14fdaba480a716b3dd3a862731b0824cec58e3010165f5419

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
8f45692285cc016a521d4b84f3c47162

SHA1
efa5ff5b9f38c4b01338681ecacae786e32ca22d

SHA256
862c03bd7aaf0035e1fd3315499394f719c39e2977306d9c8e3085e0a635a3ba

SHA512
4a7c88d1d5f972b9aee6510de09d0857f30256df006284497b8c754aecdecf273575be65555beb0013784b6e2ea823e4f075086167d11bb6f84f2ddbf6b475e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
a5fdd7db368386769cc058bac11f2188

SHA1
bdea2a3bc9cd53e79cc2d438223606477d91b4fe

SHA256
c4f1c6bcbf3265d02dd07eb71dcb8a14f7b73f33cce516865d787afc3f2bf571

SHA512
be727cee25656661f185d797421125bac36fa70e0311a4bc9c3c1636910d70f68dd2bc4a6ead6689d5828c14102580234df1fe8b0f1f3f209b34a0cf605e4268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
cb4ecd6f5814a2156890dd057671644b

SHA1
71ef2a17f4ec01ae46fe6b268914106d56edb35f

SHA256
61e2d0969b710cd7ee5cf9ad2bfa07466ad10c4b61ea567469cc36a82d49a201

SHA512
34c4aa53a23b8f151c82eff52fb760ec4420af49670bd0a8229c70adaa9a5a8f6861a0cfd171e3e02576ea55b89585a6a8007a096a74588220dcde61272dd8c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
69fcfd2d473dd777701e4daa29cc1f2b

SHA1
b0df8919a6cf464ed31fd809e12a48603cd4f8a8

SHA256
a8c0db01e5134f5743ad5186819cffb0c0d6d7221f6ed4f3c0f4a9a530834116

SHA512
816a69622af3c49871bf2dca3b1c17bcfb47a0cacac3339ff2b095431a100fea5041c2da8234b691195b1b757aacc011d2ebcc73508462baabf96d019899e375

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
62069af9da11d42b8b15818f553b485b

SHA1
0591774cddbf2d70bcbb69744a4348d1e342d14c

SHA256
9677cb95df3fab9f59f6df7d275f4fb05bc917e036d2dcbe18d8ef2351e6cea7

SHA512
d1bc3b7e580e4eac629e7348d649bad4d01dcc6fbb8ad6bd825e455169b876989b84d98c7a7e881814d250c6b588add02d602257019e21759869b39519ecc06c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
63175c7d3f6eed57f3664952bae5da5a

SHA1
489e1adad94f54af666a848fb49a42ad50cae71f

SHA256
0dac821df4363ab8e29fdcd92f21bff006f26a6c844f236d1e52021a34b1c3c0

SHA512
ffe7fb99e4bfbc282cb96ea5079350b8a807ef804ba27c6a70ea80c0a99b96d1a92a6ad6ce692f295f593121dd93435332e3130f129bee3c14807c705bff3576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
4ec6b19ac6000bd799e4bda3c15b9bce

SHA1
8297065922e3fd5a017e9bee45d4bcddd61fd089

SHA256
0347ba30b014196ae2dc236b56a0336c3f2dc2e8e3b442b6763d3a054619c889

SHA512
15f1c386bd42ef74ef5c4b50dbe6972cee1c8df1e4cebf907dbc2d40cf526d35d5e60fc3f3e4ced73a8728e10af8ccacc1104024498d27c8f2f54380f448765b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
906d4aa5c229878c482729b325b654f7

SHA1
4b80f61213b4f3f4973ef6d385c0475e3356637b

SHA256
29af15055aeaf0f609f5f949d87216df28c29ac334e5d2383d3fe35b196eace9

SHA512
d9f2e6cebe3b472f40b98f8f1b17619e219630f4a92534c014a1033c88428360bf6f7ccf99983b4629db7be19ad2c3c5623c87e2fe9218da0ad3dc0e861950df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
00686d6567710924a87aaa2ec4609c60

SHA1
0805c0d94025f55b9eaa33d14dbf04a5c7e0c210

SHA256
5c8c9cdb892db93b9de2b9a37f810a13f78623647a649d31e66a3a43340e0477

SHA512
99a1171ae1a37c5be7037b749280752fbda57d68902028cbb7af835825dbde2ea7924d722637b0a4e5c7197bb8ac23bb08377bffed2613b8280b317e47a51fd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
b1f9fc202778b753aeaeb82ebc0398b5

SHA1
bb4ef45858da76b77c8bd0b600cc0b47ff54f985

SHA256
42fbd45c2bfebe0572932a93da8c0beb9be84c2b2e7bb4d63b0797af7504877a

SHA512
becfb4f1d53ba47b024874b068ee90b85ad5069ef424a78385e20233b7ee11af67f74b58cc76cbd80c70cbffdb23566013e8959caa287ce0ef68b0ddaa8fbce5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
b26e4793d5bc60e91c8fddf6fb529f4d

SHA1
638a99d833feb6728712ba1b6ee69a92339fd968

SHA256
a1cd191ab08d23af9d48e4565f1e8a3dbe839283305ead66b3b32b8bc4b11567

SHA512
7e5f4a5aa898c03327f41340fd4d14c393550ce456a17ef64c27f738246be711181e863e2d32191d1bc1639c86c8c8b1468fc1e3c891a05b0ac56d52f7ba243d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
a57739f6092e4d3a613246bb1429d71d

SHA1
684fc9862c32d55cd45485e98a5a874ec3106ca0

SHA256
aa84f63e3a545f7643795c9b988c3fe136a7e2744f8f0293e20972272200cf73

SHA512
df258fdd7aa0088d43e43962d7d95d10754453365040d999f2f6e229378394d6cedfe5b40f207fd37cc56282c479b42dcd07489cbf180d0d8abd7cc907508bf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
38e1e55e012e2d17e3e4d2f7a032f256

SHA1
02a8f9be2effd4d56cef2ed4c144d2e403f6f18c

SHA256
dc3b2286b20d7173e5ca9b1501adc867ff5c092411341dd076d2c3154c29c11f

SHA512
1be6ba34a0b8a005fe097a8d28cb3059259488e29737e22fa74dcc7dc6d204fe12300e13fb865ce8af55f568f66a276e8cabeeec5f0532ae392e096869d678ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
8a1b36a25d559408f06efda2419190f9

SHA1
413f66ebe98358ef0b87e9b9d7d533f27e04a62f

SHA256
6a392f54e256d0011472519172c8f344dd13ea8a81ead975f8e3dcd6418d2521

SHA512
5c5fdfbc6360b45f60f47624fc582c09d6c60db36f7dcd81a56fd72874e7366efb8b1e6989bb7da478a0b61e01f5109bb356633b00fcfecd958e530d78a2a5c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
7feb2aba3c7bb5fd1b7893fb9ea555ad

SHA1
cb03a6e710f5fafa1bc63cea9f06127ca33807db

SHA256
353233ed94d27dff6b9d3aacc731ce5969bdfa3901ca801ff41fbde36222823c

SHA512
bc9f4ba46b586fd9cac10287f88714252f6acf4eebb1a312adbe740c27eafd56906b40c22e2289538e503e3138723f167e4ccd40f7d4de4b3eb5b4b8d6cea35d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
85fa15bbcbf4c15399f607edc7889816

SHA1
0e6976560f21b9d2368b95199e3adb9b74139f63

SHA256
e43c619b78c11a93692a40472ca926ff8778ff2aa9c0647e343644ce81b18aca

SHA512
cfe82dee6bd93b766a62fa0c9f0997d8fce96f4fe6322f048ca325b37b74a533efa79b3ca89cb14e5fb3b787243af4f922c98ab3ae4aedd7d3004ab6d9f39b57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
07eb3c053ea12acf7b0d21da4ed1b716

SHA1
fca684e7d0f8ae04add6a696cb78bf0f5955cb7e

SHA256
a72936bea9b88337387656483f9fa1cb1c78e965f8a982c79dea9da9fd0b0e75

SHA512
f1bc2f04c15b4f0aba04e6364689841006ee36c49ce6264a9ac120546f7b3c3b28c580f2084ea5fe257a890a8e1837945f891a9cf432b0c14ec35b9cedb96e99

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ff1f4aef3fb0ef4b5acdf2eae35404d4

SHA1
125ff33db2e806afbaa8eb47140dbb389c11431c

SHA256
83ed463644df810bd86453f8ad1d5bdb16aa434b0cb6269ccbba62d7d3c5f9a4

SHA512
9f2aaa9108a407f816a98bb5d5a8906f02022373d9403d96cb7ea08c2c3ab7c4d816957862e16be0cd89d23ca8cf89d6fff3e58fdaf11d08a76046028b6bc408

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
430f6dfafc4926a8d6af9dd15132a75c

SHA1
f8dbf9a5b86a26365ee396b87a7d16982a34cb2d

SHA256
85399330c026436a16db3fc8bcea49046e7b604dd55e1936be74a5822cb581cc

SHA512
087cc8b34cc6c915942a28628d6c98e025188419e916b72df8d9a35b4edd746f04b91517946540f1833cf1d1e53077b32fbe474325665c4632bb054266773f85

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
c47fb6f9146b8b2ce3215a03c34d8729

SHA1
8bce9c2a87e12dc7da0d243e7a58a44e85d6bc29

SHA256
b8603b6dd125aeea7bb088fac318874d5ff19377c28149f6a454975b6824079b

SHA512
71d446426178cb1b2edded5c9517d4183eace4b2bf5b1ca53c9a7af835043a0f50c0cc0c07053a6763104f74715ce4a323f9af76d7b616aa5b7dbc2ee5fc13ca

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e05259c64e2a62069a08deb2bc266ef7

SHA1
45fe0572a973a24a32239af51becab3e4d757e65

SHA256
9fb8e6b7757c5c7983cf12ad5412f684a64b1d34777afe8b33c1aeb26e13913e

SHA512
87dbe17804cbe8908387952869901a0c98ccbe423fd98365fbfc8de363295a5db7f1fd7b2bc75e2364f818f1e0d88771d8859e888d63a519d75d19f22a997f3c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
2b63a7af6eeea646ef02bc32ae0bb855

SHA1
4f3d92fd003e231aa865749d74e16449d80005c2

SHA256
0ee11e0a2ca9e52b83be4e54b5f5bc5dd091c50b154d63b118645df7383214da

SHA512
8f195665804bf6cb7588cc4a3cbb67be9326cc4a251466efd5d5badb1659489e0bb4b7135251c125514068df16983155ea7ce6ecba4c7641d9b2b3c2c2a09de4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
03357897488a047fe8885e899fce7d9a

SHA1
d36295756248139548c5feb3bef6e6c2b95dc4dd

SHA256
34f9cdeefb8971058a7a603fcf68122cdd1fa1d7db9aa49d258143e6c09b98ef

SHA512
8daad2b78a970a9421d1c92799d09e4ddd80de68b685a2797dc8c0af67313ad2452d8a714fe8d0cc752e7fad36f532f6169c847c7da667a245ae992238f6341a

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
61f1330a04f3806a259841dd3b97b38d

SHA1
0c67f12c4d7fe0b2bbec91d50376c9129fe58390

SHA256
0953b37e3293b192ca7b80fd5c3e6bcaf73ad3c713f8d1ed823db4a4fc3cc53c

SHA512
30ef4d8961f605e7aa87758f43274db79603d1dae3b1d76e821926973d54966a309372f56c7cc4a1cdea6c7fd6bf17d01d504f8f589f0d73f579ccb64fbaf10a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
df56a5ee068c40697eaabab1c2b6bdd1

SHA1
2d6929333dad5379578c9e266cd1fb0941e6adf0

SHA256
f2ad3efeccb0a172568f7950cf38bd35609362c54e2b9c8eec327fab4c36b025

SHA512
d2140c1ed2357688a52dde08181a0bdd7457bf3a3edec3382b795030a1326a2253c6447a0ac8ee4e22ca55b9451e5a0d4aadd2e8d4f5ef57c6c0009e003ce37b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
a5a55ca34f1a8a9a4c18ad39d679c167

SHA1
cdb765a32573116f1311bade53bcf1b2c398b252

SHA256
375e4beda06008e76396f478364a106e91171a28c7c8810634a9b8ad29ea5683

SHA512
b4e9698d70d44cb3625ee19e3f2fe046e94090ad8f3ace6cf2d119fd870ba201b80c03c964f0e60606dbc3fd6beee3cd1412963fd75bef155b6ad7ba6a51866d

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a6b01282158edd85ce251e80cbf69d34

SHA1
66698e03b169b2a8cade3e1f08d7bf48bbc738ad

SHA256
9d7ec180cb872968b3083538a80f4a95adf5e6d792ee9ef075343cf6b0b54ba3

SHA512
d99a09aed102ec84335f06ff3964b33c0f729e88b3c45b9b26cf63f3cadb711e945ca3df17ddbf2779a71a9296f048221f90acc5fb291691f638af0e688faab5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2c4a1691476a5de67e520c609ea7b39e

SHA1
ed0c3abeea178fffdb7b66997068a37405b54a36

SHA256
1b74ee7664e17a8c28be4a1812b0eb7e8f6a133fcbf7545e26cf36a6dee289bf

SHA512
3680f6d89115ebf222c39a832ef745a799e7b6451102618af39a0b0ed7080b681bea063d43ebf6b5ee52b37628205d1bf2e3128dcb5fbe4d1b0f1dd4e686db4b

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
bf93181163fbe263b6183340935d2dae

SHA1
9d4072af27a0357d18cebfa6308f1b2e7d0ab56c

SHA256
6248f682a68a96e936629cb5121c74b7b54ac0350a675b2274993cfe58fae57e

SHA512
bc191e1229408004b120b885e425aafa874cf6b85ae2cdad5d9bce18c46a307720830ea0e8b67249af4d67308e3852656a5f4803851dd7cb8c40cca8600e6ad6

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
3efb2992021ba06eab6d1d9932331c66

SHA1
dd88e029d87562f38f5aec07e41f8ea0957ef7a4

SHA256
cd6a790c1eededf4e29d4d3ad581682bb8a9a9ebe9af982d297301daf2737d46

SHA512
2b8fa4347747cbbcdf86e6e92734ed011dbf4aaa6cfc67f99b9149e5fc8973ced17e15101ab3c5a8a56c3fffc301ef52e0643d6a24a9edbc9a8cf693688c5d9c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
4f5bea94a4c1843dfaa67d999b801a86

SHA1
8fe39bf10af2d5509f7bd07d57cf9602397e6122

SHA256
96bb33451190b5040c32e1032ba974e6399eb6665821763a8e9989077ca11d8c

SHA512
be0ae36eeffa93d9abb8310cfcffc4ced9ef5522b76e98e8573ff5a902500ca4e583c8c9c1f43c6abc869080fd80f3297dad151f956906bed30c6ba74d684b9c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
1424f15b012a7aaa741c16d95ece0486

SHA1
34f65e9fdff7e6771163c12b57e91af4e3fe8742

SHA256
fd041fd211d32aa242d872352020b2713d9ae15451b5776e053531ee1bfb69c7

SHA512
439887d8b1a35935da9cac0afc9cbea4cec942d47baa39a9b43c422ecd806b7030ff0a298e45bfa34c6d638b5373f98ba03df0c1608c6c9c3806d90a4f614e31

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
444d77f1fffa78eb713484e82af010ff

SHA1
a85ef16765e000cbd7717bc9a2a7feb0d5aed5a1

SHA256
5284dc6224d89ccfb5150b37ef475cb8fe59245fd139ccd490d9cde07a500962

SHA512
7481fb1633464e5cce667bf7f9aebcf3996284a2432c9c238d095f1307d2f3bc86fca3c54e07064e72323c77c8da0f8324bc9f4730f98cebfbdf5359b0a343cd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
c4483d4a5ac937681d919c40d04e42be

SHA1
c4a30bb0e24e5a7362cfc30c219aa4d0945b2683

SHA256
efc0e2e6405a3a7d86d3965f72b07a81c092d0129cba75fa82e687bc43ed2b63

SHA512
676c7ea41870842c48b74bf64e5c3ffbd0d419ca6352548a3520cd6e9419176ba933169143be28a3fb658a051d59825f5c1fb8137394e012094eaadd11e887eb

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
e74ecb33157cd7a55c72dbad730522d8

SHA1
49503e5565f88104615ceb59df84a45db0cf8443

SHA256
9c3fa0c0e370aae62594596c00300f2f3e09c9ec006082e016f3b5aaf703098d

SHA512
3276323320e990e69850732e33601a8e806f648b8dd8601d7336a8db6c26ecde3377de91e2fec431333b49c63ea9529477765d0841f2480dc6cc47169f61506d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
218835bc17cfb06fd37ccffe989a2598

SHA1
6fa1c92c4e1369bd3dcfac1267ef6f8fd94fef62

SHA256
ab14a1752d8f0e90c1af944f45c1e895580c13f8dce0625158e68b0a3a62951b

SHA512
49aa862fb60992141ecaedacf268135dca6d2f76a146b15a4830259ae1610df215ce8ace7f19b55b1fd381ff5ec83c9a36fb6c0936340ce9a8ff7d9a1cfd3cdc

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
bdb2da2ff2499a3763108604fed5ddb8

SHA1
70ae26cf138995398514efff9d2d9b64a0df17fc

SHA256
95f27584f0547d0705d1a1453b89221c2c93843d3de18a9c1c83bd13293b264e

SHA512
fe6925f216d706bb6a13e49570393759c4eb761f7122be187a72791f5c9a7321dcaa7cd208ff27f581de6fe6cbcda64c7a70cac1267507dbad4dcd654566554d

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ac3e161aac324351510bc864236bb8ea

SHA1
db57bba50d7df6617ac3f98ff9d866126811d32c

SHA256
cee0e45296a422374be2798692c769340a7880e3c29c99ad3d09a0bed671f9a1

SHA512
6b206e2e043101d6f4d9a413a664d318416f4900452c666cde5eb22ec48df15d15ca0a2f79be5c4d8e7a10faf782758ee0edb87c14710f2e9cc1ff4aa201701a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
fad50698e1bd740df208a2f505ed13f5

SHA1
75de200c37426460e40336baf39220c8f9972b11

SHA256
cc9113bff6f034edb13c2130f6dc0af96bf90ce2862c99e41e66e8168fc29718

SHA512
b47f4b368c0a106daaa0f91713c550b81b0520c5c1fab0d42a4f980e56d69028900cf354aa7c0821b91a5c1523f4945030ed6eb68423c1c2ab6b72f0b2f6d2eb

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
20b674780a281ae905764e1dfce3d686

SHA1
a9e77fdd61fce0cd17da8d83f5cc70868e1cba3d

SHA256
e621d2dcfbf2744371d1c75319212897d1662fa1d575522b9c4b711952dbfd4d

SHA512
914fa363ddb3b9069a2efa7791d07b5fdf15caf9f2751795e9a1a3d674818106215910c438ac3618aa06487cd9731da0d99205d73b21c629656f3824d24819c5

Download Submit
memory/684-132-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/696-271-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/884-170-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/884-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/884-34-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/884-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1744-459-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1744-59-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1744-62-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1744-53-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1900-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2428-81-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2428-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2428-75-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2428-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2428-86-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2532-272-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2760-90-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2760-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2836-270-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3116-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3412-603-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3412-133-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3476-154-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3476-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3476-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3476-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3524-156-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3576-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3576-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3576-500-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3576-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3616-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3616-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3740-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3856-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3856-111-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3856-2-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/3856-6-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/4164-49-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4164-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4164-37-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4164-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4164-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4400-276-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4400-608-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4540-609-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4540-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4568-112-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4824-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4824-274-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-171-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4908-604-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download