b9afdb1b40df7d149b98e15c492e5649adddd6113c11ca4eb74ca8f8a1144a2b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Size

1.8MB
MD5

a453aa368e0b377512eae5fde6022d68
SHA1

6767f520316c9cb1e74be7d654f537c022823670
SHA256

b9afdb1b40df7d149b98e15c492e5649adddd6113c11ca4eb74ca8f8a1144a2b
SHA512

deb3e4b7360a1c47988dff05d2f9d2dfef84acbc11bc51de5fbc9273fa0cc6da33c4659da0fa318b59fa0a28b745880f1aab179fc313b58e65234ca856df2b78
SSDEEP

24576:D30wJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNn0DVv7DxAZquHPH9k:DE19+ApwXk1QE1RzsEQPaxHNWzDOQ0K

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1444	alg.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
2292	fxssvc.exe
4196	elevation_service.exe
1340	elevation_service.exe
2684	maintenanceservice.exe
4040	msdtc.exe
2520	OSE.EXE
3924	PerceptionSimulationService.exe
3168	perfhost.exe
940	locator.exe
3388	SensorDataService.exe
1532	snmptrap.exe
1284	spectrum.exe
2328	ssh-agent.exe
4672	TieringEngineService.exe
3368	AgentService.exe
956	vds.exe
2540	vssvc.exe
2476	wbengine.exe
2488	WmiApSrv.exe
1452	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9e427797c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8e1068f69abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e7a42a8f69abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a62e98f69abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000610bf9169abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032cabb9269abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085f9bc8e69abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acaaae8e69abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Token: SeAuditPrivilege	2292	fxssvc.exe
Token: SeRestorePrivilege	4672	TieringEngineService.exe
Token: SeManageVolumePrivilege	4672	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3368	AgentService.exe
Token: SeBackupPrivilege	2540	vssvc.exe
Token: SeRestorePrivilege	2540	vssvc.exe
Token: SeAuditPrivilege	2540	vssvc.exe
Token: SeBackupPrivilege	2476	wbengine.exe
Token: SeRestorePrivilege	2476	wbengine.exe
Token: SeSecurityPrivilege	2476	wbengine.exe
Token: 33	1452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1452	SearchIndexer.exe
Token: SeDebugPrivilege	4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Token: SeDebugPrivilege	4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Token: SeDebugPrivilege	4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Token: SeDebugPrivilege	4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Token: SeDebugPrivilege	4824	2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
Token: SeDebugPrivilege	1444	alg.exe
Token: SeDebugPrivilege	1444	alg.exe
Token: SeDebugPrivilege	1444	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 5708	1452	SearchIndexer.exe	123
PID 1452 wrote to memory of 5708	1452	SearchIndexer.exe	123
PID 1452 wrote to memory of 5736	1452	SearchIndexer.exe	124
PID 1452 wrote to memory of 5736	1452	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a453aa368e0b377512eae5fde6022d68_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3168

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:940

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3388

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1284

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
1⤵
PID:2692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
947849e155d5a45a454532c61f9c30eb

SHA1
5d6413382ae4463d956210562a2d8b7e52be1bf0

SHA256
cc56771dfdd1bda02b21b5d90c6a12a1f9bbce1df1a6216ace667b92002275c3

SHA512
5f118c899dda643d777a3ed4024bf70e744acb8f378644039545879630781c7047cc771b29102f1a3db4d57b83820f955f34b141a38ad4bb57869baf23530d0c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
5258d8d0669281f3cb2d6d460cc52551

SHA1
05a95357ec6011890e00cbc1c500edb519ea2b45

SHA256
ed20383eacc22b975cbaa81162322caf9d3145e7fafc66e39e43979bb09ade94

SHA512
15886cd02a3dc60367cda516eadf3b725002b1ac85ed7ac9739058a07609b71bcc4cb9ab46bad59bc67e8769f39065d9ca14c064e5076ffeeac2dcd817acbd16

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a06100a8638d71c228a034636589cbee

SHA1
4ecf2d47b1c381dbc6218f33cfb0a241dab9ab61

SHA256
724f50ecc6a15e9ee0acb85f15cf6f9b720fb986e96acb33a90e3f4b22d90295

SHA512
26fa0c1876d935f2ea4b764f7883774d64a3ea1e319c28a9e27923de6073ecbdb547c592728521cc508773428c5afb839ed683f0ab96464105532a1cd84c02db

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af0b02aaf8c053e7aa676b90f51a6d27

SHA1
67cac88cf2860c0214f5c5c2bfa7b1ad5fd23d98

SHA256
f5f92a9ee632e5304ac97a5246de509052cf1a9add34ba8eb22b70c91e7d28ab

SHA512
487a7784ee4da4fbb70ff9f4b955b55138164a3792ff0d843157549775bea21abb1885e3abedbb47f10143aa0da98d2161e1b59f7ca50ef647ef671a5e96f89d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0f5fc886a3a129239b4d45d892da9f19

SHA1
50b3d2f6ec7492ab0bbcbd044dc462a8fc6e48c5

SHA256
ace9d48f0fabbbb4baf5b6ec5630c19dfbe21184cc99139aeb75659636752fd3

SHA512
3fcf1ab552c4f0fa8187dd32d05ccfbc069f80f657de8e21fb658ca27a03f5e9250b7c77ea71f05b3ed767cbc688521383d0b413c86c7cd40eace5385f8a7b32

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
9230643b5366da7183376a2c67da72d0

SHA1
ed25da5b6df9269c65747f6867bf970bd60080cf

SHA256
3d8dd45e517879d0913228fd4a7018f8480adbf25294125f5ab61bfa7bd08f83

SHA512
d2acf2b24cdc8edb2e8d15fe7001703488d6c8300731c423e3ee45648321f378be2e63dc2c02376672e7a1e1aa8dd27dc42ece18e2da1d5ebb0d14320fa89482

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7a7340e36f315f1865a93ad8914cc653

SHA1
8ecacdcc967c7e2384fff028946bcc345402af37

SHA256
c6f9f57c55bc33a16ae663e3ccca81c29386f3a205116a61f5ec376929527220

SHA512
9e6a17c495bfb20cff47c10db860df2c7aafaf6a716f78388b513babf397e7a94362b6f3d57b6698ba5cd78a5c30cf1eec50a3e6f164e2a0eb12bd487794b64f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f1a2300743cbced806b1d578db95d67c

SHA1
df3d7cf91ef0a9c878ab53c7f997a0a3c01ee02b

SHA256
0d33dd32a1f7b635661301cbee948fc795b1e252fa2ac995d60fbf2916383a63

SHA512
cc16ade05b397a22b850c471802dfd69e6a7f5572035cf986016f463aa7444025a839bdb731978977afd3411048f98b86c7ba0867e7cf03952b8126c34e99d47

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
ffc6df63c2d7afe9c25f1e6524fa1b50

SHA1
795be8b3868d9f1669bf1321c16a6228e281caac

SHA256
9bcaa1668ee11643c7b0e6ff6e76463c2062b9ce0fa84c3d791872c4c52a2a8a

SHA512
98e6b893c8fa5dd943a816a611d9b79b4ea40e26566dad41c1c6db3edb746a894dbef286d30af4c346dea6adeba3a8abf6582298590cf63fd4b2aa08e6a74f6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b26c78cb6aa77752d652d113404a6ce2

SHA1
df1c8f764dc60c9f340e0fe6bec13e207b3d5645

SHA256
b3295425f47934a518a75a82b80a484879395116e045dc00a7c9cd88a14729bd

SHA512
30baa2ead0bbc9492951a2a0201a6a2533d7a0fed7b1f8fc1ccc9d6f3755d167ae724e28d21ee54a6dea31a04138b1f347129dab556f3ee39ebf9ed6506c1e68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1c4b2ec177195c593d038a5cddbc0c2e

SHA1
048c6b02907a2bcd6c0d1c5b2813c9aefd7ba52c

SHA256
b5c7cb631000493361e3a7862aeab402f00cb0cbf9430f09d74b360b552b1611

SHA512
3e948a5dad2a6118af5821a0cedbe68f93787933267a766f390937904019a4fc357de7f28a7c834ae9a31b4495da23c938f8f432809502730a73cbc0de3164a3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
614463b020c111a650f4dc7dc823bf16

SHA1
3c1eef7c3314429fbe6c6529e55270e8ee179c9a

SHA256
bc9988b9e307673fcfb2e5aa2fb3e0cef148ecdc6c349a91715df7d829f7bd3e

SHA512
affc34d98c8f3b1c47395de10fe993033ea466bba6c5f54b3fcfe848f9880a1b5fd3ef1e1a11bcc5ad819a3bb0a59ea6de9527366e31cb18e515baa3833ea448

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
36997d5a4f5a5e3d2ae21ef9950c2d80

SHA1
6eca23b1a3a098017828132d58c5f35e894429b9

SHA256
74278c3d7024ae0ab54bb9aead193246651250ac4b61ac807e4c747898800557

SHA512
b91236a70e6119d75a31f3396620d85e83d0b53340d5559c728ba19c3e720dcde035cce032135904fc035de476c794f8f2be6c787bdd845183c33b6dad2caa87

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
72eaeef271a9c2d45231a68159b22aca

SHA1
4f80c3566299d75f20bdec3987cf1afaa3bdfc92

SHA256
1983f02320b9e3d691d32dd9da9d284f88e523aace9b1cd5a8952417c3f1e612

SHA512
4f6ee6ee697bccc3e963ac17b935735a7ec8a12137a2e3f486e65217a37e541c86c3ab3499e7e68256b70df2d9e918ad7c63f5fcabcffb65af194e2bcabba18a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
239ba49f989af1f25e5ac53c721f2819

SHA1
e3744f996b094c5b9878a6908351f250dd17bc1e

SHA256
8464a1e1d9878d0cd82d3e638f34102201498d7d2668920147ed4bfcbaeff51c

SHA512
8cc0128731d91c412f2c3022f25043f50b7809a783170275c7f41a97ffe7cd7c01abc31ff8b849ec7ac2fd5a8e008fc15dca0930e0766e3ae0ef74c3263a1f9f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d38e6ba6dc9531e016ad6a5746e9d944

SHA1
7f1769ae79babbd1aa7e4fb071dc025c68e9a5d9

SHA256
a98c5f6fe1f63969d441a58627c59220af31f51bb27f898a618efa5333663f89

SHA512
bd49895dca938559286d234ba4cf828a8a7666104f1bd8e0a08ae4d5bd1e448ea60eaa0b384a98ea46517af250b5e3dad9c16f512e0f9ec3a96120cbc904656a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
596c28f2a24905ae1fb426d99f15948b

SHA1
5a18d1b47fda0948286b824565f0702e997e0187

SHA256
509bf980d6f3ff2df391177d7d8c8ab05d50cb4628e404f25a0b740994b90dec

SHA512
bf9193d1cfb2870b1368387aabf275a722b1c7e55f041cd716b8ee44784d2dfcf48d26d655135f4f7aba9b9b63936162947f611b186d22cda8f7d1da897fd323

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
214997ad36e13f5c037d70ba56bf04d7

SHA1
9279c4837af79d2932f91dbb7110ad62199099ff

SHA256
4f5cc5277362029bcca6c1a6a09401e08e50b7a0feaaf8aa3085eff536316945

SHA512
504655fa344c677dd90923d030882d6ab0e477fdabfbcd363364a9568f5b4f350fba42d023d25b81a2bb97b271e1c0a5a727ef8ed9f47e74a652d78da838885e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7bbf7ac3239c44b0119216d951b1bec9

SHA1
b2df7b714d90bcf5b5586a4df34a4ac6f59a0650

SHA256
10b3982a4a9c2cb65570829a434907def0c15237f80bbb5eb6947a5f8fb6009a

SHA512
4907f42f04d1797da7dd67276a1adb947749e1faf85e80160e1348ba2121ae22db696c987966ef7f066834488a1da03717f42b479d50413b4ade1f0e6b264a49

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
17c1a917d5931395eb4555b5a75f09b0

SHA1
82f9f8ced3ba80332dc82cb5c9586c97a98761b0

SHA256
0689133eed52982341b51ac1ec34cfadbe501b399b4a7b16f31c5169713ebc25

SHA512
132ff6f60a697c2d9ba6b688b646eaf4ae0b194881c5edf416659058e5e507393bdb24ea248105e56b9b0d359f846127b7ffdff2606b1e1709366b08aa55d4ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
661263b1f15b8cb34714250fecb2e8fe

SHA1
27d632f91f79230265e6f95fcb9602891256e46b

SHA256
50bdd8b442a9fa91406b25ca6c1bdcd9109a1c415c4584ee8a7aba7e34ea9900

SHA512
e0970463c2fd4f440c02ea88764e6a5f7eae228d3b40bae6ce6a21b25c840d3c79514866a02bb7be2b5095c7872664ee066ca994d85a603783f172487830721d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
9032893e941c104cdbe5c24870847568

SHA1
80c1a11e41547854d138983eb32be70dd06e574f

SHA256
59f6ed3f76610b618d74c59e4de34fb1b0a915902ad299ba3c633e9bd1b02fa9

SHA512
c080645378a7c469681e9b0e1fa42e6003b0b4a7d08db576c907debccb73de6669544232e9adfc317a8c864fcc7befd344b2de8042449c3b5ed8bdde716d043b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
32295b8628ab5db2ae3dc460c608f94d

SHA1
a4b288af6242e9af676f8e4d06f5b8091950be45

SHA256
d8abd2edfc187b710fbf531c441b88d31418974bf52530b66a9371245e1c7df7

SHA512
af62fc89c51d4c31cf10abd56134297abfd9ad2a183abaabfbb6a19b6e26a3387c7fc0836b3ff0f5a4031e78f4d044db665dca5b2cb0b431bb93b96ccefe2a44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
15dfe64068f3dd02bce7eb0441847885

SHA1
c91282d5ef4528f7644b4b78b5a9c021e344c6a7

SHA256
e0e4546d7df61510509676416c8f9bae07f6cbaac375d3cda7d45459f8c61015

SHA512
6b7c0384bb33a7ab4e7cb60bc2fd8cb3cbe1e3d7b095364a1bb6691e0a73e175b4e41d7966f81d9166f0de35987f782ed83c69ecdabde4ed5e1ad5e96700f89c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
cae4c145c74355117d8da749fa531932

SHA1
83023f0ceab0d546043f3f4e24940215c11f2aa2

SHA256
ac17636ccbe2ca7babad8689ec8fc0bb9e78d93d08e6cfdbb2658b14f72deb8c

SHA512
5f6a2678fb854806ace553885ae459d72473edf603becb819a16c56f09578169f3682de6d635bd9132c6bd7e3b4c89d4925aee5744f248335e253d73cd46e837

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c728759a08e6b664fa7a5fc03e9eabe4

SHA1
7b1cd5f2cd4f7bd5dc348345731e85f8ee81c60e

SHA256
3799d06e3d372295d42e3afa592e728e97718837a62481ea7e5e596d39821d40

SHA512
280a741f531a743acc21f91e15494c6da4a0066ec40a92a5b483644f1930a91ce1cea05d448f6c5aaef406657a9967500d56d1cb746667d0b2feeed1eb028cc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
ae5451b765a03024636fd5f4518de7d7

SHA1
a24b9c229ef840a9dd6fc93433302d2ca811e94a

SHA256
508034028918a83cfa7fbde960ad30b0158ebd93a0cbe575a01afee6f8826f21

SHA512
153b7ad54d819b9e80a9687d01c22dd1cfd474b3eacfb98323808b1f8a923c5146918b55db4bc0daf9ffb43e43199ea23107d6476efad284e78e1ae27a92f700

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
679402c4b95f577f22c7c2d0c235ccf8

SHA1
322e8df3322d8275a2ee4981a558ed0f5ac528de

SHA256
fa91acb2a8f4ff15baff84ce1d78128d2a2b4792ed69f98162a20335177200eb

SHA512
dfc100f52f250d240c41cc335f81f01cb3f47e9643078cc7079895381729736d8cf2050f78f89f457ef973ebad656a032d2148592420a08eb18353a46c55d842

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
a473884292be4ede57b66e84c61a3e0a

SHA1
237f953b2fdc009f2e28f1c72290245b36dd4d2c

SHA256
76bc42c7992af71a04a6779c74db92ffa6d06f557db480521fc8a5c221162ac8

SHA512
b9ef04b0a312b6f1ac0c4c446d640789009e014511678dbfb20eac02422fd314eca313a2ef965e220a55b4f5408e9779b4aa4e7f68da5e983a135c2f4d64d9fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
94a66d6f7734f063013e5f4f249fd6f2

SHA1
7bb91d5efa894232f3e3f89f365175e8691c5a0a

SHA256
2c54049741117772e462c19e6d7a861cb2b6b98fe7383b396c7b7e57e737acc6

SHA512
f9526183798b3a8b6831c0741c2679e390b242a5f43aa73eca80bd20f72d9871b2fd77755d522dc4bd3cf843693527f856122d3035506c665ad137d911cbbf4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
99b5ad74d264bd41f505e37719d80efe

SHA1
dfc92ad427c165c0ae930c3fe11a1291aff8d8f7

SHA256
ad0d095d7115454278de4c85c95c48822e95491080904fa098322c5b9b205bc5

SHA512
7859e5a7e5684e03fdc7ac60ac00e9f21e6dc3e35460e011061ae13fa909420721047a32c2b240b906ed166f26fdb0672e846f7aa583c9aa0c8e2f90a3f2bcb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f534a628892e3e76448871d5206571b7

SHA1
0ad0cb55eeb703e74e897524d4cf87378a406f6d

SHA256
fb454e5bf8b67be6d64822b9ad55b8e2f268be61d144e709d7e4e6bb776b571c

SHA512
6597c9d52966bc078bf170619cd9a5e45a6503815aa05f60d7b967856d38c29ebd5b74c08068ca725ac7cd452ed7dec2ebc89a1f51facca1390d0eacff31416a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
3bd754ad5a5f51db265483a1166ba5ed

SHA1
e280d13da2ae0b196b39f012259d546e6632c559

SHA256
8e43d3b4cc88a0c8278fa57f62bb8e6e6d95f779a28e9100102a5f706774e88b

SHA512
cff38e83a2c2ba65e05f1c2633efc84804d5aa2115b164d839696bfd1f66ae07adc2adedb37db9df44868d830e215b63e547b2db9e0a1056f16997fac2e782e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9ebe492ddecf69a89848364ab0d5cd6e

SHA1
f17b12f3f46114ca1a6e3bd980ab19b9b08cbc7e

SHA256
308134622fe28f1efbb611d286cf0faa904362df62857661cabb01d7a6c80fd8

SHA512
74805bd691e468f9fbf725283752ac74309220ed1c57efb40dc1dbe5607e7d569a295f6471b6ef8c1b9125ba27979db764bbf79e735268041a88e750490f4bf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5f123d00a522888330342a85e2883c59

SHA1
9bac55af5b593814cbe45417689217c755acb4dc

SHA256
f961ad6df2ff3f328334809ea78e518103e74d5d3a5321d7c5c2af0f6f28f315

SHA512
db6e20922ea7b73d2820be6f153cd7a5b8129d06e8ac67a017a6cf44f2942d751ba79864d0ecc4c0b3f91ce07c9c4fc2578de3b1d8a8477ecbb146ae85944485

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
9e040eb5b14c3cce3a9d07a038134de9

SHA1
381bc1aafda1a38fbf6c47377430d8f1641d14a4

SHA256
32397c4693635bc8cda8a53efb67eb2173fc1aacf5b6615162e0e3a2bf566c41

SHA512
8c0e99fe3df18d0b4220a58642679bca2d07f59143a097241dee30011a3778ba44e2b4b261fa20b8583f26ed6526dd6e158b4360d9f55f13792276fbf253ff4e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c7c152bf1d480b3e87660aa33a86a3b1

SHA1
88c645c9d4c966c314a7523edde8a41a075b81af

SHA256
7e2d7448370bbd53fd41beb8da8bd4786b21f544b9c1ea81de00d6f3b89e3f8a

SHA512
3bfbee7e4699e293badeb184bbcc6aae6e40a4d7d6fb77966fdda49a22a24edc8ad76a40eddb9437e8dda4a37244b065631b0bdd537899224d0fb3b53971f0ba

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
c684b8be3acd914386ed7f496c38c90f

SHA1
94e1395bb7f902c0b9e98cbe558d2bc92c355863

SHA256
882532fd2d68c169acb84b365801f31bb2027e0f41e7d794f5222e787999c96a

SHA512
6438cbfcd745e2f41d8f8757b40e9695944be81f6a3f3a563b4309449f2578ec2aee63a2096c23231b1f850a0f74bf14e780e141c42175019b80d4eadc15feeb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
36fa6b99c5fa2719820f5d87b6e9e0d7

SHA1
ab673e9c1718476731762f75d847ae16ea50479d

SHA256
86f62a72355a3e3c3f63fb513bcde8364cd34bde7cca5545589c88ca7f6e97f5

SHA512
55fa2a059c73ceab29ed980e16d7ee23f429788ad66ff4f0aa3d07feb059da9eb3eda8bf25b51811c965271fa16d793c27078ecbad80379c87a0c1bf6e61c7de

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ba55e3aadd42604fc2bf9d89f5f9fd1b

SHA1
ed389ffc68bb3abc9af908762877f1f3669cf3a9

SHA256
6e9be8c3af5707c6e25ccd1ef077ffc160d393540fe59fea5e0db3d74bb8848e

SHA512
3a59045fa3305524e87e62b3fd3d6454ab6d9ba25174c951882f12ada8d3a4083d38254b625762e4bceaf0a90e8302978f497ea46528fc2ef53424354e7d3160

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
408cdf1a950c9c94b47d3a486f8281eb

SHA1
bcdf37e7431d3ffa251ff7bf6c3b7266e9c49ecb

SHA256
fa67cc9311cda7639246c337205821d9a7b5f9069d10f8c04d83ea0f46ed95d8

SHA512
1b77c6dba5716b778ee8d0c6e1b2fc884d189242f9e6bec5093a027e16f15ba629cc44dfd7d324db85d8069be7d4b54367049f4d01e8524e2a684255dab53138

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7bb5022217cbad77d23214537e53da5e

SHA1
0913d5385592aa899a235549be354b1cfd6c25ea

SHA256
efcf6e21fd1795c5a6848c63052245569bb7d2e4a4ed4ffd8ebec2fd25271cb9

SHA512
71068e9bc50676ac731833d44d686470131e3d19b45e6ed309911ba51ac9fe3b1d787d21faf528f737d37cf51fc8bc998f8808d3ce0a0579639c86a71032c62d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fa642fb9fc3c4db3f28040a6478fbf31

SHA1
b78eba6f1e7c9453db1f3876875089b9c240d7b5

SHA256
6c7ad45e3f8ef891ea40a0be7091009df11d289146a2686dd8a185516876d23d

SHA512
2c26ac6b01b8901ef1e08d1385807bd321f507839c19be51328aa9d988d0dcf4b66d2ac198088d4976b4e4b0659c9aae2d22c32e794035f6f387ea225c8421e0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
49b9fc92ac3ef31628fb91b1d79d6a46

SHA1
03e62a7ad8d906c500e572b29338d0f0887e25b4

SHA256
6961f35c9aaa86cc6c015d1cf9b908a0e841b0edf502c81c95fe64295dc01e4c

SHA512
f877117c8d9e0f16d9224cd8a1b72ee15052bb7618338ef343d33481f1a5cc32679695f740f0273091106add3e5d0f556b89934d2bc6d520a2550f971edd1842

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
23a32869b00515346aebaf84ed216728

SHA1
e194abba53edcbe74766df0ec9e4a61bed88718d

SHA256
cf62a046847821679952035fb57e96c6d94bb118db6182d078a802c9c9df463f

SHA512
b8e70682aa6fe36902c2f485883e35c0c573d86b329bb5d4819eae00c7241de83f5ced812f7af017143a2e0f6857895692edea770cf68889942446385b75d4a4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
16edcd1ffbad86dd6eb2248bcc8dbe5f

SHA1
e9fbf3bd50dee1b7f35d0759b42e50e4e4a79ff0

SHA256
e6bb05b1f0cae8eda7e3b9359f12c07d840e1e4dd76838f581ae2159323003df

SHA512
571c259c813555a34aa59aeaa058cd8dc06be9cb9c5eabb8c29eed91387d0ca1569f92cb6faf6937c74844f5ac5089f1453e5b58a62aa028f918da7f19ed10f3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1076a74466886c74abe45f3aa569118b

SHA1
a1fa4c7c670b74e7e3ab4d51a6da2c562137316a

SHA256
11b874783af8985dc0f3476eaa7d7c577c2cec41817e99dfe8c06280ae2f8c67

SHA512
047c94704822995ad71e3b2d859cb6bef6e73fd00ad034b281e0f455c8bd9ffd144697443322767f92c738e9da950e9e78cdb68984657cd7c3cab193cb20312a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
351dce3a6de99eccc81d2b80c75ce465

SHA1
92816dcc8b8b658a7dbcada415292a5bb7485135

SHA256
5da7d9b0fa1fd21d323ecd831f1c6ff134d58eb9fc980c6042271e78e690f111

SHA512
7a98f3541b71bb493173898c62e5c1f5881c8d3c18fcdcbabd3361c9acdb8d80ea7db6c126d29d55e350a75bb2c24cc041996fc40c237ac022bcaf01b873d650

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
406157d8c8aa2e3e741968afac754537

SHA1
515ece281d3b27038473d9d79983f9a674d66f80

SHA256
6557ec438097f687e2f25ce4c76ea0610f951fa0d8d58984acf341b5e050ebfd

SHA512
a7f9570ce8d441ec6a8b0398427dee36b50415d1700d2344f26852e0eb52b1cacc068cdf9f335d85067fdaacd49fd05b6b638d8ede00a9a33c4bbac37d84e01f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fc475f534d0e67199ec2d15a72701bdb

SHA1
d3e0ca244a45358c68a15dbaa7f787eb54e44894

SHA256
f564ca1a8a126b4f43e9f2f7ffcf401e0ca0d2a88ba86f7db72d76889e553d66

SHA512
518ce62fce87fc2ce6d1e89204a226903dde6949d5435f9e386238b34d0a3286aee426f924f63c93ca3dba1128b43180ea21c3fd392e967c7d98c4544528e65e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
fddb464f47df6096b46f920c75adf30f

SHA1
3dd22ed696fd1310a67da3b25412ee43b1d1e487

SHA256
f2bed7fbc4b47845b3be37e3b01e2d0e5650ad57209ce9187caec88e14b7d3d0

SHA512
20c6a6f042aaa8986ddae947344246d90aaab6d120b5cad69af4e470e18d028ca52e755646a22c5cb7c674c6116d9114d399db8f0b71b050c6f23f262f43823c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9254af8a398a3c374cc295ce7fb04b53

SHA1
d824cf129e3fcb093f5ca81780e7b4d6b1d5037e

SHA256
fcd860f19a28e926dd6c491d9f49f9b3d53d47a41dd3bcb88af5539925dde43a

SHA512
b28def621311e0f99c436fe206d990ccbf84810dbcd6a1b751d74330bceb1f84829a38cf075a0a80e7d1790f8b88c5168aabaf61f30f71d0cdb7cd3e8a41e7d0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3798a11f7c9038848671fdbbdf70dbc0

SHA1
e6d309ace4e48bd004922d54dd67a50576bb1b7b

SHA256
e2af57301d4ad109c56128a55c059ffcbc79f2c0670891c94a1a320bb1ef9983

SHA512
1b5027979099105705d599678d199815f804b08fa2594602b422799a25963a98e3bfa9cc53bc176812ac8d4f22f97c2f663838fbd5f686e25fe1321e7d32bd42

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f5c8f876d811d08fdd841f7c06a54849

SHA1
2c5d25688adbd208775979d0bb50bfccfd296d53

SHA256
06b3b0a08703f667d8177d0fa013c94047adc9a25480b1b0a296ba499db757c8

SHA512
ce1505d2193fe232fffd0c43b6348159ead54978cc1fa128f32403ee9800fb3fe97cbb9f41b07911822e8d37a681c9491d8c2902de8b3734dfadac54800a8c3d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
1ac2746e5f2f12f55023648057b027c9

SHA1
82f0487e9de789ed4b5acd2c9391e90162317ce4

SHA256
63ab4972809a395d9b66e312079fd1e04d5da096e8ed5c171f8f8726f2d12506

SHA512
bde7ff4b48cfc9f46f54de4da6797511ed57829e75d5e15abf59956ea43b4d0cce8cbc90f0ea102c4d7317b35bd501fcfaffb6456c6cbca3b8a41df5b606ac59

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
95b6bbb2bbce52cdd37eabd10cbfc129

SHA1
19a8b99fe714ccc724a8f4c8ca49f0a12090f417

SHA256
acef0d8d1447aab43ca7604b7e5d57f27c6c31ba0e8e2b756a59efdb8d47d6cb

SHA512
30be18fd6a0af27dcf7071d9deafade76819c38eee62a792231706698a51ba2d091567b6c0f79f91fabea36df0bada40227e196faf7ea109e10013fcb41437e6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0fc9db3340cb0f03ea87e878845186a1

SHA1
8a730c14e913436132c96d2eefec48fddaedcd86

SHA256
49dd81059f4b3dd4ab4372727eb4123a05615542e20c507217692a87d2415a26

SHA512
ba379734a5f7621254f9c6ed6e622bb0674788700b54288ba59463b0f680262349546de490b358d6a1b3ee17527e226b29ec9237b11955b8fd8a8e6a9820b560

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
72d0a80f458beab05f16da580cfd6a00

SHA1
adb430b7b084847c36cff725ede94666ef7484b3

SHA256
c5b08d954f0633c16f7996cffbc55b493d88ed057de1dbc0654be1f82cbdbd1b

SHA512
b166541ad6b512f689c1ed1a7153d4cbadcb44cebde30f32ce15a7ff0c6d4bc6df0b2f3fea1a5c51bf991e911f9fef2b53d04093ab201678867e59fef9871fdc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
bfc8b4b7827f0917bb3ed0eb714f3973

SHA1
e0825138398dedf55190401db7821b643330db59

SHA256
1eca6a90cd3a14fbb80119a4acd817a4bb33af47751611fa4070a879087678ae

SHA512
f1809b47371764819cddf7330ef1b7e8131964b3b0d4a33268f20ed1defbd075278ab46567aecdfd2f193f060e897e67c7d71ac302909666af0d7fa3ab87ff51

Download Submit
memory/940-249-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/940-130-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/956-215-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/956-556-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1284-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1284-428-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1340-172-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1340-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1340-80-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/1340-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1444-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1444-114-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1444-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1444-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1452-579-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1452-263-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1532-376-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1532-153-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2292-57-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2292-44-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2292-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2292-38-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2292-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2328-483-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2328-178-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2476-558-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2476-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2488-576-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2488-259-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2520-214-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2520-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2540-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2540-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2684-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2684-72-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2684-94-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2684-78-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3164-115-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3164-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3164-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3164-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3168-128-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3368-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3368-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3388-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3388-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3388-262-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3924-226-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3924-124-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4040-97-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4040-86-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4196-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4196-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4196-54-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4196-48-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4672-554-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4672-195-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4824-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4824-96-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4824-8-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/4824-1-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download