5462b7b7023db46232d1f8f9b800f9bdf0028a4eedd4d89cb34f47cfedcec921

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Size

1.8MB
MD5

b30dd402f5b4a14d61f29f7277340976
SHA1

144adadeabe87d836f01130441220bf7a6774566
SHA256

5462b7b7023db46232d1f8f9b800f9bdf0028a4eedd4d89cb34f47cfedcec921
SHA512

6d5e6df1def6583b0321a4a628ec89090d367d411e12ffa732e213fdae992d84da391a7917972124de2496a971b342f1d5bed05036dc328876b06b30df365c97
SSDEEP

49152:cEy9+ApwXk1QE1RzsEQPaxHN27hfw34Gof3E8p4:O93wXmoKu7hYIL8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2280	alg.exe
8	DiagnosticsHub.StandardCollector.Service.exe
1628	fxssvc.exe
548	elevation_service.exe
2908	elevation_service.exe
1248	maintenanceservice.exe
2272	msdtc.exe
1352	OSE.EXE
4016	PerceptionSimulationService.exe
2692	perfhost.exe
3024	locator.exe
2144	SensorDataService.exe
4924	snmptrap.exe
1580	spectrum.exe
392	ssh-agent.exe
2720	TieringEngineService.exe
2068	AgentService.exe
1672	vds.exe
3152	vssvc.exe
4492	wbengine.exe
4684	WmiApSrv.exe
2400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\abc3cac4293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0d5fab93aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f12309ba3aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000384270bc3aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdfa5eba3aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9650fbb3aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000617036ba3aa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cae7d2bb3aa5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf335aba3aa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeAuditPrivilege	1628	fxssvc.exe
Token: SeRestorePrivilege	2720	TieringEngineService.exe
Token: SeManageVolumePrivilege	2720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2068	AgentService.exe
Token: SeBackupPrivilege	3152	vssvc.exe
Token: SeRestorePrivilege	3152	vssvc.exe
Token: SeAuditPrivilege	3152	vssvc.exe
Token: SeBackupPrivilege	4492	wbengine.exe
Token: SeRestorePrivilege	4492	wbengine.exe
Token: SeSecurityPrivilege	4492	wbengine.exe
Token: 33	2400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2400	SearchIndexer.exe
Token: SeDebugPrivilege	604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeDebugPrivilege	604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeDebugPrivilege	604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeDebugPrivilege	604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeDebugPrivilege	604	2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	2280	alg.exe
Token: SeDebugPrivilege	2280	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2524	2400	SearchIndexer.exe	112
PID 2400 wrote to memory of 2524	2400	SearchIndexer.exe	112
PID 2400 wrote to memory of 3900	2400	SearchIndexer.exe	113
PID 2400 wrote to memory of 3900	2400	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-13_b30dd402f5b4a14d61f29f7277340976_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:412

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2908

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2272

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1580

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2524
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8c46d05bc7ffdcdaa0fab1a2de8e87ba

SHA1
6a6adbc6bd2dd159a75cc0836ac29a4b761c649e

SHA256
7f98fd93e2aef36499cd524f04eb185021daac78b82ee2a52e175aaddb90bfc1

SHA512
50a9a21fb7f41c9eddd15467516c7c6fe5c8fc778aa6246c734e675e25e2bf7c2cee46658dd9ee39c88c6ab9c0718f8158fef71bc251aafb4df20c7bdd40eca2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
174afbfdb8406d6b6ca46c02806949c9

SHA1
9c3f998250dfc039825435ca645a89df75782eb1

SHA256
f9efc694f37af59dcdd0c9934897075626d5fbac12718580cd408ebd6e5dc4da

SHA512
f08f044c5e6b450ec6c54255336388025718b683c4b7cbdefbc5d14a028f87672a605385c62770d9af2539b7f602e97d084841e44a5c00ab00e0acae0470aa19

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c15caa6f3276edeba172ede3a3ce3b94

SHA1
25424ad7f1005937aa00f88b754ce1343bd2c0ac

SHA256
3b6a80571aaf71a296c99fc23568cc48b74c883bee50d90960ea7870d0354787

SHA512
a2a8762aa23866308ca75303f555260c6d2e4f9bb1161f2c68b5b361751ca5142c755c3685b50eb8b2263dd19967c3ffaee881e998b744348e8ed547df0b4867

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
07dade3a179c168c845eb1ed6d13c172

SHA1
f2cf4e619a3b38c1c46b1858becf2ce52efd0bda

SHA256
dd741bd73a7e1ff52bfd58dd301e101a64910e017f800264afaa78620c8b79d6

SHA512
637f564b7ffc3c2d5dce4c8745503b086c5e9b50c15691e7c7510256b6f821ac3b31857148b73cace7588141e897c0f38750ffc206fc691ebfbf14f1aa3ce360

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ef582e6451ebea66b2edc32cbab71a43

SHA1
14b90374a0fb78d8ad3c8d77554c75711ac1def0

SHA256
42c8ec4a59e917ad2ead35f5c0c39af59aee5acc5d7512ca83d72df0dc83767b

SHA512
bde80ecb1bda64ea448dc5da11a4e556cf80e29ac09765617f9b723277c90c5396521c3b854d9629400b1f696acbb96f84b646b741d1f737e6dc90c6496400e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dac266c58b6db574b4b62a0629b9bac7

SHA1
c83951e789b5d5f97463080d0e146a802e8927fe

SHA256
4c06eae86c6eaa640ab950c500ae6a907ec8b3cbb68fc60d38eb40d81f6e0b75

SHA512
dab2c16ab62e5061795cd916843e6906ce34d7f8e2035217f1acc1ba0486dc6cbbb68d8376e055ac292b916a3510f0496d0049ea46d6b2605d1fcedcbefb30c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7888e31b53d16e8fc1540588bbc7c83f

SHA1
9265f51a97e5720621e5e200c4a752dc6bd8a211

SHA256
8215ae091b8d82587a1216f438455f65ede0db53d7810d72b9cc98ad600be503

SHA512
52b7588c5eacfa8c055ffc4311b7e29ecdd6ca3684294d93cd2ff3157dc600810ff562f0b37632e101d4db0a557b7ef6c455d0b2b716a0b19053e154970c4b97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
11d1ee076c8310e8ca8d5ff963817a99

SHA1
8abafa3bb453e97f2f48e1fcd8855723cba5056b

SHA256
56df1a5998d5f4c287856c8a0bbeb53823163798b4e3675dfb07758b038ee9a6

SHA512
57bd5e622d8ec498e881c970191d7b1fd00e9eeb47075f806c2e9bd9e382e8b546d079c9dd9258d680ff0640475918aaba7f93a72470c7732a7761ff1886fc4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f505205a31019e9568fc4e03c56e937b

SHA1
73c825ea85a4a7b1f179ac53c15882965aecf76d

SHA256
6f3f6017e2d1fd9587a6e7d7d731d33c2ddfd0082c97c6abac7ecc9f188bc2de

SHA512
8e3a9d433914a6023c88510dd744671b444606ee23e86a37fcb412ef8f456e5c1f42bc604ab4ab3b75e4bc15167cc56c0581fe4bf5f2a0113a866068b95bf37b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
03c5aba79a9c5eeb975da126944a6e35

SHA1
450cc5f03433eb51499a536a1644439979ff52a7

SHA256
93a595cdc73195c1a524d6e7786d43d8d3bae70245418ef9c5379b3a552b5a27

SHA512
1f5a8321c54b4465c3e1d963d67a02b528a0958aa9a2fc6c64e3136f143a651df5bb3ad4a6300445aba9c5b0f30572b3ac870e23272d6d3c0259043c115182c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5253578bfc8c8ac4994805c7f2c8988d

SHA1
ef0f60a78b03d01968bc701bcfdbb6045d35486e

SHA256
fa28aaf44136f1527d5dd78b54fc5078f83f45e672087e3f63c178647fb16112

SHA512
14b823eafd224b2475a1fc54601726837380c74e749a35e2f1b16d82c2def2c91326100492ab9eb0e97d6fad3346ea0bb1612c924369d0a7f42feab97e5905de

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9b425d007e50f8fb2f393dc68088181c

SHA1
49df4f363d2d611cc5d03539d3bc8a5f3eac1f23

SHA256
8dba720ce0269ca3e7e330c54f5319e52fddbd2c9ab8185d9a712f62cee19ec8

SHA512
43c3cd65d475d01596458de060d213ab5654dc52ca63b8564076225ac6c368b2553ef9fd394c32471e1e3f979d2b5000023d502967a20fbe5f3ca5720f44bcf8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6cb98fd8c508f5fbf90602e02f16bd3b

SHA1
8b132a76ee74e2d584523c963a838efa796ecf6a

SHA256
9145d3f27159806a38e9d7bec1666a238026c558fd67b5335a46bff3e670b68b

SHA512
8e91552468711beaa6575364147ef7dda55a06f9fb9fe2967114d649b9f7f7915858b4aa2293e0997cd6a47ed0693e20bfeba9f13c63d6b2d83193adef3ed19a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
734d5f77624e508282eda7a03f90be1d

SHA1
c420612669acecc0623d60187bacacd9efc16264

SHA256
c59a99c461ba39ec711d505bbf57173ef2a2f9231ec3ba066ed2bcaa89ccddde

SHA512
4dfe5ea0bd9291e411904958188c04178ed9bca4109e6752f45c42564a7e560bb099de2ea70b2b15331babd31c1997f1b297f92df369bb94c173cbfbb21803e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
cfa995414ff2f7bfd6e45f05f9a95839

SHA1
fa39d72ad4db80dab6661049b0ee94d6193c6523

SHA256
3e261c2fddfde53a83386920b1f065573e1490ac50d5c982d54ac5379f55cdba

SHA512
ec15972d9ebcca2f976fedfa14cb5f3db477a6da7489c365618879991847682234c4a3044911eb87efe89318331c94badf6e918862b19eaa2567b0b39670534b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ece18360bb30137cbb2542c6ce516560

SHA1
3d7af96dda3cfeba3de920451b875415e08b6ecd

SHA256
13a8fcb950f263ecfa9ca27dde6ab014cf5cd3dcc77f05456ba7ad72303445a4

SHA512
e5b73db6a499415380fa242d61f38df3705f09850e7d1ac7ae65394d68b42cbf9b144947db2560a19a07ce0b530eae868601b9819df748c50e485fcbe9c88300

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3d878d6e84fc4c4fc9fb08193f74cc5b

SHA1
24e8fdf11927c9f2cce03ff3cdbde2065a628bee

SHA256
aacee0e00d7d5acac6a9a034cad90ebf585f1bd040f76ffa808318aeaf44dc81

SHA512
1b020e8967f55622733d12b46a262326efc4175ef95a583f298230c1bb1d0ef35d56bd2c352e07fe0b3b5d57589a43c61d5237f9a8b5119a4a97ee39d7fa44b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
63b6efa69ffa377f0dc8b10b89ee395e

SHA1
edd1142278c3b502b43bd7451d9489e4c5ac6572

SHA256
2f52da30c8e175e8feedbb0b2ca0ab9debd81354bc37e4dff73849d0f08fea6f

SHA512
be7e194975fd6eb8058ceef769498542b2c556e6bb4863dc0d4b879bc2a3fddb41f99ce59e04cb41d794285a410932ad25454570e75e125eeb678938e80e1e5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ffa2ac9afd7e930a68ee0ea0c39665bc

SHA1
28d51b5077bc7530d585cda0ee9d7df6eb9e43cb

SHA256
8a69cc51b8987e4870028311e76a0e6307e2eb952228ba668389885c4b1c7e84

SHA512
472c3c88a32495458160f2fd9ac71ccf5e686ab965073b21b4576053c166e8353a13cb4d8c502dfc000a728e24a5fc82ba0787c502ff1fd3271a54fbf9d4fa5e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4177f0abd318e5480ee92bd874a63af4

SHA1
b3c5284a273265e227dcff8ff1b8d81d3972af6a

SHA256
fb7b2e2f0f665264833ff984f49b2d976a58b78b21e36608bb23a7b0a27dafd0

SHA512
006f7a423c14a9ca3c97caaaa5fe4c370900b57258018aaa330faee78a44312a9a34371b8671799d4aa33f8274471e94f501748edd7e826e6fa5f5751dab9fe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c9d9f2e04324bc6f55d7ec4969b2ab1d

SHA1
89a2e5bdba713189d2b7067408cc611c48b4c2f9

SHA256
69eef66437587a6fac3c5764b1dfa1eead5e8bf5ebd03230679c17a0dafc034e

SHA512
8443c4f92f75c34dffe18a1831cfebaec2bba1b554878b2639ed4f5d093d43948b86dd4db6c883f0c0245cd6fb584ea05609f4c379e2e5563e9ad287d610adb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
61780ed94398db7eb128d02d687351a8

SHA1
55f2634140d760f3aecd6c51a418d4c3532e4535

SHA256
516f8e9f2754afa2cc4566ec77eb8f0970d88a788c855473680094cd48495813

SHA512
580f96f6512a7267d16a8c7693e429b30d9e6ac30c5fa71f5e500cdb1937e431fbdc60cd0a41ccebd04204f5e789b9a533f363f28e8288827b538aef86546aac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c67cff4079337304a39b21ea57e3c0bf

SHA1
4ba612f2c3fa2641a7040e7630ab752073451f18

SHA256
e3e510e7711a4f3b94914c326523c82f13a5e4ad5b4f97765b9972c89acc9b9c

SHA512
b9d2862e767f40085d10487214fc8b0484005551c5a07bd52cd0ed1f2c4f13c8226b88ff3e056a2d2416cf07b0b43bc53ae3ae35ed88debbfeb3eeb97be28d48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f850bf6007a0746f0b546d927dd9a8ff

SHA1
02aa96f9a8d5f29318d949d78676bf598117eee7

SHA256
42313918b9f1abdc4d79b543d5f73d93470769d3ae46add24a9f08ec3ff66f67

SHA512
b67e7ad4cb953c2d8a13ad3829acf2d40cc9ae6e96d733b13f098725bc4121f162f9237604424fd685fd618f250369f4031dcdd328466252f6a472db5b1afb0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2989a617b7277970056d500e0c97fbfc

SHA1
5bc53f9c58aa4c9c8704aafb81b35f309fe52f1a

SHA256
cc0dc30056a562734307aae78bb0608c745109f915bc5ab789220ed22408d048

SHA512
038ee089428e6dcebd97ebb0f4815b939fb3ed731f4842bbda1a877717f601e87b42fa87b2b9b7f70e5ebe79bb8a364b64e90b7115060b1f1968a1019c0d177a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
53b2251e733854d681049387073d205d

SHA1
be95926aa704b382bd5dfdd88b597a8222325571

SHA256
cc0af7b7f83218c9e7e093652a55a47a7b2111d4f3bec32b2c4a4dc4b1f638b8

SHA512
65ec56b4cabdf9e2f0d6b296f080cee94bf6dfb385b023194c05b341b86034f39646c18c7d4ae062ff959f869970267b59a38d87083522c889a18b84cc6a3b62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0a8fe60903b424a06cef27986b7bc398

SHA1
ff23a4b01ca1d9d86a3ee618c940b6583f40a5a1

SHA256
605b4a7d448a532e5ba202ff3c1152101badc3829f38d1b52ae9f1eacd87de58

SHA512
76a013f4d538ade245655a48c43ae2092222d327420eb955d1748bdef7479a118ca356ff1aaefa8b9d6a57432ade378723d80c69e12f8533203a951819a863a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
43fef8ce16e3fd4d9bec8c645b4f42d3

SHA1
688927d684d06721ae593e75a7c134d3b409b370

SHA256
a262d3be34f329c0a016a4f98aa8be75aab7983b6f0ccdb5aae385cebe865fae

SHA512
e33b2fdd75cdba1c26e46ab0e921e25e6b463b5ef8d7de8ee5bef0ce3f29c2a4f5f896604460071e7f5f537cdca0b20a9a5c276217bacb42aaaa96d2cd755b76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
28c5b1fe7dae0eead7b1cdba91c446dc

SHA1
04e4ba66e7115e5ec13d761c8649da8554b71d04

SHA256
b15f57e33156df16df6e358969fd15c904b0cfa397632d3a19187348294b5fc9

SHA512
d924c6512721d8346941747afdb5058e6ca42e4ad61f3b7e48c5872a3dd8e4e7a365edb9f050b54cdcd24b5fe9e7f63e0f2ce9cd977ae21c8c6420e15a868e62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c41e76b5d358a5d6a2bc25c7af2053a9

SHA1
66d6fef037f0cd72d44640666ee4ff556ed1cb8b

SHA256
7c1774ac7e920f4dcf742824a412a7775c2a267f9b2e62c892d87149568fa768

SHA512
b23c28c429f8b100a05c4369808bf4eab607f13f849b4b63e27eee9ea2a0bc19d360ba747979b3f8e0301be7ac3f99167316eea8dacbba20b9423c5f1a150f6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d00f346403f41d1898f6ae6bcc486e27

SHA1
1cf2d5bcd32d9cdd9dd6f306b354196b6ff50797

SHA256
6f325ffe6c0782e131f214550fe1602e1e4b60ac46fc221d7bd9725473393079

SHA512
474e28a91730c58dffcb368fa7dcedc95a7bf7e380912391ddcbd0e7b769efb29bfa8b1a108e337053c596c7898ac75f73a05732b1b3014bd85cf2ef93463be1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
aec91ab0085d1165e24468eb7a26fdbb

SHA1
148190a5d1ecd0309c7830f03173e20cac55f826

SHA256
151b5cfbac029ff7ff734ccb378c60b75ac72c15ab6f96d51504eb18ae3f6938

SHA512
d353d956279bfd79d670f40839bcb922098cd286df01743cde14554bd6f5ff0ba7c99bd52c3a1b2718ea8000a417fc80a278ed49b578188c31d6815bd5253e05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1759b638496ab73f35e26f79b1333056

SHA1
bab4a78d88f32d0465cf6d122fbfb08a8fd081a4

SHA256
d05dc3a09f8890be4ff5d65808bc554505a454ce97e76a0cf6c497e7170416f8

SHA512
2990e88d57eb90d715ee2905587cb60d91e1162ea6e4bc23d9ca28f312bb53d4327676528201a2bf2b50174725b6b378b3ca1373f31108a135fbec8ed020d5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
eb6ac98f22c21ef03faa62c1464cbf04

SHA1
9433d7af17fa6960a1eff0a746490f2f4aa64570

SHA256
d1bbcf7c6e6a5e810bb4deb6aa63f23b4d2d1d5ba03d1baab821c39c95dd1255

SHA512
79a7c201008bfcba3b12f5b43a04b5458a6640c2672b963b90d56c9aa84195b7ec9fbcca1c2a06b219651237188f4576a7f4ef8cf6ab9e0c509149aeb0fcf2a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
24f52a2667ef837d9ca682645b9efee3

SHA1
d2f022831414070f5d7a61243ff4ce9abd7ba56c

SHA256
5b2f0f59d9c4b13cdc978a8e3b15aedae6502bded60f7af571e91d5ed014ed1d

SHA512
7521002572695fc21151753f22a591cd3d30f6ce807c2e8f3267aeaef893375adf716d3ff25f306a7c2b7520697aa3f39d1edc426a058ac21c276f00e83d6387

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
daab1a682b6bcb38d4759deb8972c639

SHA1
8b12182709d919e4078abf50c3261d71a11f0cfb

SHA256
53c03ae888dcd91904f1749be206ae2316e74f49cae2280e0a4dfc9ef19b1da4

SHA512
ee3b484e87a241eb977628b0a8e094c69c91b556f08924e77cc2a802a65790c4646062023c0eff98f16c86041851a1a609264b7e333fb1ad1fa40aaa122b9589

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3320ee682deeab3ac2db961217c1f1de

SHA1
89db7e06d1be163ae840acbadccea302e42cac23

SHA256
d817298e55a63d56630adecae5e0c9f61c15f6a94269d519d846e542a3d3b330

SHA512
59e82b82693ce695445b9acafa1629ba6733f97362974880cee0992d51e91ecb5036d5028136ca3563f735cb0d86fa6d465264f4f984fb81c8280fee4ce2ae68

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9e134fee7ffb45b8f6f8238fa933c709

SHA1
72f9256bdc01bf8e8e75cfe26232d41e770066c1

SHA256
08ac57fb7a91682f500f8f0b0481a35f5393c50c81412a76d3d2f40f6c1d0957

SHA512
4a910b43a2d3cedf8e45d6e3b7b6e7a30549d79aa3d45a25abf0f253a8e7169d674ba0dea725c806cef13bc49b9b80c85c4ff278162084f91e10913ab0955104

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
82b52cb540a890e52681cf2319ca67a6

SHA1
48fe7b598c81e1d0e9ea4add2541838963d36459

SHA256
85609f731595999c738594d91f20fbbe52787ca94163dc3b39a96e1dd2649f06

SHA512
d9827332be8b558a7dc7b3cb96d5a5d2ed5dcc87c204613b911e32da4a56e689720d3cd96da036e930b28849c8dce3b40854d4c5643226a4278f3b449e2fab47

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c29ab48b7396620c8a6bec5b5568ac7b

SHA1
bfea871458f2609cf7bc2317f6d769965aa8f682

SHA256
d0120537263fb285d6729a156978cec56ec147cf309b074e3f5c2171c5e3853c

SHA512
0525736b71a200e3e9949d8a1c7c40845a42d28e999023e2d8ec49b133fdd8d51f4aa9b231940c0cdb82e1fd104a2b990dc39e52a7491ac0e4af982c83d14961

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d7480c5c6f0330b312b9287507b5dc72

SHA1
95ebd6dd3880bf41434447c5e390dc4e7b851087

SHA256
76724a75ede8f2e388d5086f64ded010e6d72d4bf9cf3e1721d7b40fd8f33944

SHA512
0ff8a53c697fe6991fc1839cdaced61b1752fab5cb9a0374f695e766e65efd65303919b39b2ec04aa644b53ae7e9ffb1ba3e0139b4d3f24d21d0347898ed8291

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
16b2e2d6f2441dd36310d26e0e493020

SHA1
1218750532ec145f53f5c9438fd67298914993f8

SHA256
9038fa1ec6086b508c18c198ecdfc36cf36e4e92bd80858a72c29b2bf12b820a

SHA512
4209994e239176fb4f8665a2acb30ab8ec7c27ad6e22799a5f27ace2b0b32de399cbb13c4b2058fd5b26bde8257ac8aa0f6a5276678befe72659ab4aa93eb077

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ce300e71089700814d81775fcbafedb8

SHA1
7d620cf8ea051f174a7afe18529eb35c2263982a

SHA256
2588d28343fea84e3cb28889015aef9101a002dcff34d9815f190230f31eaf74

SHA512
c5da6514687c17700f851f2bedc3bf0db13b134c34caf76af2da7b199dd360050d35ede06b26f66fd559707f9b32677f719c0d7b1996c9690d93f99ecdd5b4da

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
23e83a756ad18d2cb8bc6975dd0969d0

SHA1
0049d09aca0cf69a5353af7922071db006f80020

SHA256
0f0427c44da1d7406eff331e9242cc58b9a232d9a53b5e7e1722f88236791d64

SHA512
41a83136fa8d406a9e273ab6b54a3ebc1c5df3787050b717eacfa121b69eef5590382a21d404f2c78a0cdd4b30305b8a4f96ace38ed74cca531ce6e8a2ae77a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
db088f0945c9e10c215810fd0057f8e0

SHA1
901a099ab086b463c814797a2b87708c976296af

SHA256
eb1e3c0c7b7396efe6b158bbb67055a86f2e1fad62b9c5e85ee89c2e039c53d4

SHA512
e697fb7545178af7d8964a17ead1d5ff45c659ff85248d1df309cfc80e6992ff930b57d6e6329ffa3c155641502acce59b382ff4c360052a260bf60710f966c3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
479f8660c22cd94368874c52908a5224

SHA1
d96d337f699a85ad3e6d458d69263b6c49c968e6

SHA256
2875e67d3fb4c4e3891688e9b1e945b16ba79856dc3199413529ec0f7acae698

SHA512
b1d272a8dd46a82a9d43ad3621fcbc8c104881cb1547a771394bf4f404fe2d9c762d0dbccb2ae370e3451afe1510e79001299f4a0dc7369ed59dc84f81dad38c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a9ed75d8394843b255af910a0bf6a915

SHA1
17098ad9db183ef0ec94e26ae8e9846bb56966ac

SHA256
f06fb8ef0d488fc56351c18b99085ac6d15877817f5a8f58c64304428597e017

SHA512
793b8dfaafa0ba7d6ae583c7fd4b4cf3eae44f777b123c491295c5f592b59bd70d20b50e4c77012301638e9e2eb0b3bfe27769e59d77c96865d07776190ed139

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9542ef4021894620fadaa61a7f07abf1

SHA1
ea96fb676bc245e9eba5996ed96689cfbd0d2af7

SHA256
43e5e1239d23531afddd5b433cdc8461532160f6d63020de4e0bf4c3f575ccea

SHA512
5321db2820d7e076767398d7a9a978d067b1453d7f9848456a720ac243ebfa02012fd23ac932f26e9dcafd47358aa03a0cf433149fb0bdb7c41fc6f730cbb0eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6d9e1c842c85cd41e03261795447d16c

SHA1
fedf452f656484f0b20c582a88857a96be55a93d

SHA256
19bec3b86e248bbfdf2fdb92f0b4070f2968acc04ee515ab66d27557f29435e0

SHA512
46f915d1e9f071330fabae9a4775adfc697ef70cfba8268b9f1ec7eeea8e2515599dc9fb724ac452a6eb33d18716354f3ad27db923491d9a1c9286b429c64b54

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6e7e5556a33adeb6eec2f6f26a27e503

SHA1
db70782fbe2e0ea014a3bedeb96386387f6af78f

SHA256
84bdcf326f896c64dd29eab3716f1a8c2808a6d4a87849c2a796444729146afa

SHA512
368ee0e89ab4875967e78b1796a258470cf810e319a214d3f75de36215b229f33b3c7e4be63871c09ae3f1e0f576f132dbdf35495f5a30b9b5bcfdaf398fff7a

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
123f19a47c604c15dcbe462e7f3ef4aa

SHA1
de8008f43737bc8548d6f49fb58318b58d5f3aad

SHA256
7b9a3ff1950ef10f39c1373145a29a532c94cf3970c99d6c63a3eba67bfcae18

SHA512
71104908d84a5688a6bfeb8fdeb9f86a1d361e3d19ee9fa72ad2afe927dce90eec840016e1d7c01f511213076070f791f98df2f372bccc0361b093ca80ae50c9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
88f6a2d4a402d74d24fa9069447e527f

SHA1
676a97c9fd92156537ef1c5e0b6ad3fdffaf2033

SHA256
75c3498e8412f80b3405984d92055203e03d0d6c71b791b7c6071405c81a5e69

SHA512
ea29b2f7d550d04b045cfc3b740f914c45e5529c25af361c380725839ce9a8cb1381949d37a6d28d233db820d88bf8e2eaa0c870a5ea8810de14d94dc45932bd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3ea23a3ca2b45e20d456c4bab6a729d1

SHA1
6a8aadebc0baeab834ac3597f5b45306152f351a

SHA256
8d72ceb40d63f3032ef4cdba29f245fdca22d3675edfaba0093ec08f7054d3e0

SHA512
5b97d886ab152f2ec850cfc03fe0dbf3a2f4e0e121a6b54c53584399a8e317e49b7714f837010cf9f8025adcec0677abd938efc656960b52a2bdb6c0ac0acda0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7b7168b501d7a545d0498fa5e0592b8

SHA1
29af10a8d7d5b7d8b75f2f12ece31c6589bb97dc

SHA256
8e6d351346ebf8419eea304239b04e8c04bba164dc4f8a0018ea3aa84f8cb2d7

SHA512
75065f239aa93911744f3037c37a7a5b1c80576b54e6b4597f837cbeef6c99922414e2729efcc0dc4072e573e96d0736042c7fd04042b7796bf59ff7be9e6b0b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fe7eb64b9e9e9d3997113a1f9458b4b1

SHA1
20803a7d213e1de64799677a2153a87358fa0cb7

SHA256
fed13798d0d8211bc0008011c60bf172d2ab44a6bd78c81a00b56efd5c144408

SHA512
4caa8c39e699beedc30143532ae7bedad79258d3eaaacae29f0b7a9fddad99a5ec171c2ac842652649e398281ea297fcb8b3f9065561b6417ba656c516efb63a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6549051d7f33a32678ced699fe98f4c1

SHA1
1d00e728ee2693d56d6861655885bb61b68f54ea

SHA256
361b89c42c5e5e1e02a20daed3f559e990c61267d913dcb192296c835041de77

SHA512
92c43d1043b17ea75f3ef761f16373a0546d19398bb4a9f01cedef0d1d6d8e233e397c2eb66b9b782a0f0f5c6b2744ea166c8082d3a3adfa35b1d7b5c13c79cf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e3952a56823eecd28d492528803002b4

SHA1
03af7b71e16e258e81b698b076f9cfaae124bcb5

SHA256
838ef3b05efccedfc0ea4a502a187105e9a989bed34386caa22d30f628a50232

SHA512
2b591d738f733d821e6b17af0a05b588ca605b15514ca77dd3e0885dbb56b32052c58dbffe44b651835fdd5191657a6d1d51fa96a1999689ff8330d41e104ae6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
380127753e799c9f1b02765381ffb5f6

SHA1
33d0cebd23691132da0f91346ffb9d2a9d10ddd4

SHA256
f239272cba75843799eae3536a4670f604c87989e950afb4c3d8db14ff3d79e5

SHA512
44cf24001f91e6fc181f3fe2d0a184b5d9706340e4d4c52a157432b8b25ac7884abc4c2f0544407b20046a34ae4b0a6c9ca1fd3c70e19be4a85a7c30f3b33151

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
db30f9e7e91d3e6d435bb636c0aaee55

SHA1
7bd19deb3f505d6dd78b653b0250b796fc0d9c9c

SHA256
dde5aaa864ad0434b486bae0b786adb4c170484b27a67e56d2193e0490baa5d9

SHA512
05f56c2eac080ccb00fa91f92188c86fa405deafe285b4337dfde29428982c0b6ce88c889df89d3d468a0a966a6850b7bfc5c11e15db27b83e5de682011bed2c

Download Submit
memory/8-30-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/8-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/8-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/8-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/392-514-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/392-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/548-52-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/548-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/548-181-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/548-58-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/604-6-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/604-69-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/604-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/604-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/1248-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1248-81-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1248-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1248-86-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1248-75-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1352-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1352-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1580-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1580-491-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1628-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1628-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1628-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1628-49-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1628-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1672-518-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1672-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2068-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2068-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2144-513-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2272-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2272-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2272-91-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2280-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2280-102-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2400-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2400-524-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2692-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2692-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2720-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2720-517-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2908-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2908-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2908-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2908-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3024-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3024-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3152-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3152-519-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4016-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4016-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4492-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-522-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4684-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4684-523-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4924-437-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4924-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download