4b44ea072908a7b4b548bfca430edbaa47aacf04b9e838c55d3a7066dbe99eb4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Size

1.8MB
MD5

f7ac7896f36fb09991663f4988f0abff
SHA1

7465a1919a008763cf3a2fb2cce5909ffd02ceae
SHA256

4b44ea072908a7b4b548bfca430edbaa47aacf04b9e838c55d3a7066dbe99eb4
SHA512

6ca0df0e9efebd9ca83f18e1879027a3e08fe1c94e356c4d22924c67ee023758e7ed7798d059abe35523b51c2614cffd21904bbebee449f149385c4308b6fb4f
SSDEEP

49152:yE19+ApwXk1QE1RzsEQPaxHN6/snji6attJM:X93wXmoKyEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2452	alg.exe
1128	DiagnosticsHub.StandardCollector.Service.exe
4896	fxssvc.exe
1352	elevation_service.exe
1404	elevation_service.exe
4668	maintenanceservice.exe
3280	msdtc.exe
804	OSE.EXE
3092	PerceptionSimulationService.exe
544	perfhost.exe
4008	locator.exe
1940	SensorDataService.exe
3660	snmptrap.exe
2544	spectrum.exe
4688	ssh-agent.exe
2796	TieringEngineService.exe
2828	AgentService.exe
2456	vds.exe
2640	vssvc.exe
3432	wbengine.exe
836	WmiApSrv.exe
1900	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a3fdf5e5c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000608bd4fe4eb0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091fe08ff4eb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000878007fe4eb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000221c7fd4eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003f3b4fc4eb0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021e4eafd4eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb4aaffd4eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009416bffe4eb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcb362004fb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Token: SeAuditPrivilege	4896	fxssvc.exe
Token: SeRestorePrivilege	2796	TieringEngineService.exe
Token: SeManageVolumePrivilege	2796	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2828	AgentService.exe
Token: SeBackupPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	2640	vssvc.exe
Token: SeAuditPrivilege	2640	vssvc.exe
Token: SeBackupPrivilege	3432	wbengine.exe
Token: SeRestorePrivilege	3432	wbengine.exe
Token: SeSecurityPrivilege	3432	wbengine.exe
Token: 33	1900	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1900	SearchIndexer.exe
Token: SeDebugPrivilege	3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Token: SeDebugPrivilege	3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Token: SeDebugPrivilege	3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Token: SeDebugPrivilege	3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Token: SeDebugPrivilege	3420	2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
Token: SeDebugPrivilege	2452	alg.exe
Token: SeDebugPrivilege	2452	alg.exe
Token: SeDebugPrivilege	2452	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4808	1900	SearchIndexer.exe	115
PID 1900 wrote to memory of 4808	1900	SearchIndexer.exe	115
PID 1900 wrote to memory of 1088	1900	SearchIndexer.exe	116
PID 1900 wrote to memory of 1088	1900	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_f7ac7896f36fb09991663f4988f0abff_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3928

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:804

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1940

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4808
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5c9d07fba1cb2ba8a150dd5c5e1089cb

SHA1
5cbbc107e5ce9dabc0b672f9aef9bc2f5c8d81cd

SHA256
1087386430828a321e550b45ac5615ca44320036aa81e9f0863bdd7dcc93ff16

SHA512
0aed421a3faa26c7ae63c46882146a2e0978e5a989dbaa18fce33ed1f41fcaf90bd38c54c5e2c4f90696cb9119f3cecef4fe34d94d94a46d21b4725a5f45ed8d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d28c26dc9dc01753d93c0fd77a072c3f

SHA1
f6cc9952fbb41786b891b212136faaabb989dd0a

SHA256
ab410b7c3d7848c870b1812ab066359985350d2fb67cc951ee1a20f3515b1770

SHA512
950532a685d2de5318938ce94206cffd678f3e355551ea7795dd880e72987e70eafc63dc00878137392952302cd3d2dbb88e0a7c47dc301c5cc7028eb529a1a2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b8ee2a8a0fa8303bcf8e34c6f5f4d14f

SHA1
13e3df3cfb387876ec54d0a7fe27eed9b68a7795

SHA256
1b312c88a9d26ffd2a178696ee6a514855876546ad2402293132b5159da6d422

SHA512
6e04b4b5107d5cc0c79e99cd1426248053e78edbad6641d4727d2804b62c68342fa847c6d2bd6a8d7cd7254b8b06551d90f8082d894fc7a33fb4585e3a002c94

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e560c28f1e248027a9ee0b410462db5e

SHA1
34ca5446a710ec81a93c4ecdcbf4600bb8f8ed6c

SHA256
a53424c5fff46f77988dcee7478353358f32d9e32fabc809b253d6540ce46ffb

SHA512
e28171366c71e1ec412775ccdaa6a3f2c6f0fd18e3b346d600e29032cb2aa5bc7ef35af49ee5268de0607fa6653f131914607517deab645bcb29ed206c51f7a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
34b00142be17878eb1d29c5ffd20db93

SHA1
f7b5f0fe85991af2b75cbca359e9ab9a4af9421e

SHA256
7abce1d4e5eb1623d27382a5253c77c5fe6bd81d820a460a51efa8e40921e40f

SHA512
ef9ff560392ae96ef21b60edb2fc5ebf67ccf54843ba99d97b677cdc0a604689975a3d60dc9b104087664ef634560fdc25437a8595d1ba18234553463ca297ff

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cdc21951437850e90072d50072c9924e

SHA1
6becb676b245a23c3821bc9700c08fb1f49fc969

SHA256
41178a37f9f3c7e48b50771262843e55a4b79d70662cc9778d7a9b234d62c80a

SHA512
72b82c6be2303809fa43f13849ec133ff477cfc71dc8c58a3f6fda3412ea50b9c75e81399e4c4dbec05020483feba3c8d72124491915992ec79fa22a10a24e19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2a2baffa2e7851da9e6051b344d35269

SHA1
382e1619c9a07c187fc60805f6b75983a25837d5

SHA256
82372a555d575538fbaf233e0bb19822b2db7313acf7b45c0e811feb87b2a161

SHA512
20e21f2bf268d355e4a0310894e6875067aa31c7de838b67d0b505aab581a36dc38bc8ac76f393add8d3882ef33466b4b743d6764d6e34f702f46c9f4ddf4721

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f90d85e5eb5c917f1aa3b9db4c162725

SHA1
0c79f76026fa29a0314d72e04fdea0a5c029db54

SHA256
1a3c8fdf60c83eef77fa777e7f9258d2d847d7a577d361778bc5119d66221e77

SHA512
5515320a83ad97daead40168416e9ca4b93580f6e5e58d8881ad138ae4465cc3e7bdd6b4af8ad32a6bf37decbf492f480f7c5a8bd8bd338c9b768984a85ac0c2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
be87791fa60d20f0c8a96d02eacee541

SHA1
a024c54fcfa2666485bd1277b11f78fc2c63331b

SHA256
b301e2b364ed1260298cfd19ec70830e8a27cd85a4cb8649243b6ecab2b509eb

SHA512
038fe931a30f15580379d240329a9ef0d6c2a6b95f3e5e59b017ff6a6eb8657540cc4fc00ebadce8200eedc3ff71df4b9141de5ca7a68e7c8f1bcbcd09c723be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a451b9afaec69458867464bc27844294

SHA1
4f6c9e38c0a2e401dc4bdfce57d8e7e9cfbc2f70

SHA256
3d0c72a670eed056e975333efbae91b650dcf59a06ab83a4cfcda4c390bf4662

SHA512
0ae5cb4ee8e8cf64abac9469258885b40a2619dbfff0403bf9b7e20680840c92123db8f65efa39fc0d0bb16b00233d2642e3bb3ff7b8d73a1a4164e5d69eb97b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
929f87ad16422f3fee064ce45d5d320d

SHA1
dcff1bbc3a7233ce5f59edac975c995dcd88e7fd

SHA256
6d5dd7a89e92b3d7432e4fce7b79bb3697e6eed259672646e08f56ee47c3cb51

SHA512
5a7e83b8c8fae372c0b8303f3121674af2c738166949da94fbe304c3098c13d8eadd1b2169a064b829e787bcb1b30d6036eb45b309b539407dab73ff77b463fe

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
65928c604dc208bddb2c6adb4b355810

SHA1
2ecf9233f179c614186acca46094594b5256d07c

SHA256
b2cc71d1bcd45d51ee5d928006e4adc497704671afcd8088d2a3caed324e7ae2

SHA512
4bed4a4370213f4b4c003309bdca06b43db5690dd82f430203139fdffeebe41c476cc3c07d4494a27f0fe10b6073218fe40ba8f2416fe96dbe09e3a474e5dbdd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9e0c95c6cf0f9c1c6855eb9a2d0d8206

SHA1
fd7cb63e36ca2a2c3564ec84faa1a46973b3754d

SHA256
17a4c37f22437bcca391e487981caab4b2cd75423ea9bdc8dda575c83a7bd42c

SHA512
9b93c43aa82d3a9b8ed501d79299ee39737bd4ed650582cce931a3ab118c176e7151ef2b20e0c3776460620ab924c6f74641c646a703ca4f52c722bc1806d8c3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
065bcad004045f344025e43af175a87d

SHA1
3e71f78447d3a2f7f748624b8cf69ca9bdf841b8

SHA256
f815800ecb0b072d702bb7848f32e9dc04234000d98802abc38677990420f4b5

SHA512
665a369abeacda3b1b44329d206e81278604ff236cb668b71baf942c393a171375795496f5f50bb4abfe33df5e73a83b9d6a308a68f75073896c3b582b73e54c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
730df2a44b92373511fae04207e6621b

SHA1
0fdbbcf0b6921c71518988d6e8c029340b28a057

SHA256
d6b4f2bdee45007d43ea78f975ca6134c415e5bb9c72537f1759f09c419bff60

SHA512
19ebc85ca6e39fdfef7fa279c1c5e172143ae5e4e73027002df4c90edbdde367f50ebc300a6903016ca5c3632593eee718819bd01085e80215f33faba356b125

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bd7c491658fb75daae621a8c205c3d2d

SHA1
c686cff55db445b14d4d1028e816466d179851a5

SHA256
5667b69842660b170ce25c1944a2219387aea59d01cf78470f5e1b03a08745d1

SHA512
dad7a90f1298c579bfae803c59db63236bf114f0923b02cff1b2e92e83409ba1e5758381d65c6e93806b58ae7b5d42ae1c6205975fae259fe10bc50e956274b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c9db91a32e5429d49a85506fc8ad622c

SHA1
251b8aaed769ecd4125c5dede555046ad09c3252

SHA256
9c3eb238ad1a4249f1661a090822f7d9b5359372dafa88db7e9658232a3960c9

SHA512
97e5cf3eb847387d6f23716bb897a855ca3bad1cc90213c7810ef3153885880a997f3c4c34bc22c6b42a64a1a7274ad964044c7e6fb383010b34b44cab9a6d95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
25d9467bf90795b7bd290df019451ffe

SHA1
0579805df78bd7b69f85a2fa8d9ac9d8b0db6450

SHA256
5d346d26ffa7237b7e391bceb607250c9cf025fddeeecc097816c4ec12834e22

SHA512
7424beb22abef5c6f3494c7549c6051bdbea63abf1fe76df8eee0146cdd9d4bdf3ab74b6d17c6d0ffe620153a47181f454c75bac877038ef5d8f7a50df76dda0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e6b87985a37f7af59d8cefd5d1bd7b8f

SHA1
7c80c533a06f86c3a19e4d1e966d0a31ceb57725

SHA256
11a8390c5b6ae0b564a743d37df477dca591be51873984a753efc2c74ee9d12d

SHA512
204964128aa23ffbe20ea384e9c3d38d72dc93e82bb4d33b391acadcf680c3e626c0a3dad91e60b5136e24647d426614aa2242770840c3467033dcfa14cc10d6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a45399e66d49937c4f4c54da7254a659

SHA1
aa547dd570694a23b9379841a0c844e00895f3ba

SHA256
8876acf88ffa857edfa0c493bace3fd809899117fa772bce1840928771e56b42

SHA512
a429da050919e253171836272c43927c5b9e9196f4716e0636c4e8ff83d2feb80a0bbf52d3ce5e6631f2e12eb71dcf7176960d1885dca5631389e0bd685a7222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bcebed499a88c0cb70e6159c057560e7

SHA1
eb9889468f25f6a760da9ae1b4fa73bd7c19ed39

SHA256
4cbffbead4409a54d97b5a7066a8901b4eb493cfd5317b65254fa5775b8f9c6b

SHA512
ba591dd7b63baa5dbedb3152d355bab46bf3c92029fdb1051aec464962220faaeeac6ee98acc123abb958459804e390c00cdc12765fc96be4e8e8551c1b49b64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
56b1274641f3ea06a4eaaa39d288355a

SHA1
6a1ea99ba7a18c4c89807e38d5c6286a01939821

SHA256
a9751dba64b96c26dba5115289fa3e41878fa33ec16681c5b71c86899de47743

SHA512
6a130d0108e8ef22aacd4c1649c95ad7cd8b8f1bcceeefc0c8f28c7bd0b70af2ebdf64a0a48ab7ba9b591e62108f761d5d4f2c13748be8fd4b22e33035195f88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b4250255361c3f785e895850a116fd2b

SHA1
395c2880917e5d66550523ef04f8c1c399b49da6

SHA256
ce5582e57f3c301388568af8c4f8b0fabecc56d3a42d1f0a681e4e4714e56602

SHA512
bb8a30fd553565aa2b4f8772b6dbf5b845f08c110881a81022b645ad4bbf59bc39e21e9d2d75b8470c67894498ba30300df362b91e557f2fd08c25aba977d2fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ed3aad5e7ec9973253116c768dc48149

SHA1
9367eeb7f284fa835a11fb0a3e224b8a238686ea

SHA256
ff6c9f8af5991463e0f5b7746881600f02c493dee28512957d9155970934cc83

SHA512
83f944acc6b21401c0d3b05437b08b09981d47fd08a935a4aabcc21bf1309c5cc27c2a6049f2d83121d2d4c362caf5978e102ee91df1fa9d611c91c9b9416335

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f67b0fe03ce858d8d21e9c259898ee91

SHA1
786c42b5e412a85f11fb2e0ffc0b9043b480733f

SHA256
8ea26947fb92b917ae4608b25af4d91972331066facb460c67c30e2a3461e421

SHA512
05d9c1bcc0138959d9fa4c9e9936dfb707ef060d78677785db7cea72bad94ed3983f70ec6710d574183baff3226dc7cf8894ec64754c430e97a805cf8a6b377e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0a6b5a2645492f9c2e320e26e9b14054

SHA1
ccb109c90a7f8414e69a206726b736d18b53111f

SHA256
65ae2d4ef6992077ee8ec27cccde6b316334d7a21fff1244e7cb3419d7a245b5

SHA512
b5f6e6975f204f26675c70e8d1eba39f31f2ef60d9f451129612d1688de9da4a69ae93f101d6976814e3fccd19d10c40124ae97a44094d522b77bc09ab603beb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
045f695266dabb14708f004504921f83

SHA1
f72744cb2eb3b1e6359793200ce9a7b64d4cb039

SHA256
cc4f06083a3dd21ec4230d90f4972d424de2db2cc5daacaa3c5513b7783fb4f8

SHA512
0cb8e05e5372587f6959d1d937c42b5834e2721318ab88c3363c9d7a000f53dfcb3642289f9e160cbf03d5060e289137c582ae2c9cc200ab9e7b67c7461c9900

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c88611e0dcea3cd4e16dda1d83d9c78f

SHA1
30c70e8c4358fb3fac35438eaad705313f5f2633

SHA256
245386e4f48f3392d0f1a7977b4526e8f61e1c968070117f990918d0452a03fa

SHA512
7ace6682dfca350a3d651f98b02ca34d63ef7c27688189c26cd7f2b521477387a188ee64d6e92db0f9bf3304e3fe4bd5d377f2e99c3aa096872f235bae579a5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b6fdcacbbc413769ebe2225cd4741dae

SHA1
c94863dfad52168cc8e17d82ee2d2d0a451e1f49

SHA256
456a3b8d5a8a0b72443d037622180d27cbf7f602c8711060da2c59cdd0160873

SHA512
8240c07e006e0beb0fefba7b26a613a1d5e1b0df02317089c4fb2114931e225d4b0ddca7b738f0b44c78d4ae627a0283c2459832164cad8e34e3eaf3a320c217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
dc0be4d80545e413f7abab14cf31d1a9

SHA1
f9a52d25c4e9154c534c28a993961c308e21e4ef

SHA256
7ebf5426a07e5bb3f9c39a851e373d8c8dd7aac79a4cf29ac132f20145eeaaef

SHA512
837d2760b4c24793cf808f2296ada836ceabb3550b80c609740e42d31b85c5a69bc6b4e9fd5f3fa62f53388c220dd17428738d9a4aa6dc3c8aa15b0465fbe1b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a70661cfed44d9afe51c4cb97febc2b9

SHA1
af2a6f6ad8af37a5640e77b443081b7829c3bb82

SHA256
cc99c896f1f27cab9977dad8c1baef9bdcb730d712d4c113892724ed255d56bb

SHA512
c412261beca4a9335d2ddee9b2334f4a3920d53ec3fc0f6627f5e6a7fce8a6e65f0cdff625444c9458e96023a3327a466626d1f711e86f0c6ae724a812aa2a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b27caacf8f373c23d67456b5fa497ec5

SHA1
866ab824d8ee2326122a0f9589f241dcff8d3ae5

SHA256
4e65f1a0ede5bc3fc23652bafcbb3f532e06e33afaec119f9eea65152f13e930

SHA512
d1430c126eaa864c9bfc800b6f211c1e9a1265b888e949748379adfcf2a39cf63c9b19975ef8233aa41e90f491aef6dae997833a6961d95006f9449381dba8f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b90cedfc85e86273deb25775fa3461f4

SHA1
565dbab59eee72a1d02bc94ebb51b27ff4e8959e

SHA256
52e46b2602884907063817a8af4aae7ed4559077578942a144b6dade2b485962

SHA512
10ecceba0ce730dffbbe771931597b57880206bf1e7b089f179816eba9b669ca0e2c8ede982fb47c8d77caf81e9fba5b2aa588d10b1e864384e7443770b1b16d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a63ffc99f4091d38cec8010c9ee58d7d

SHA1
7cdef03160a31bed72a869f6d99a12f118b04ef9

SHA256
56fc775db8aab90a2ea4f9182d4508eb98f78f269ec3f5d6dc8c125f1b8c0f41

SHA512
722a0612722039748f7b4636c513e6f7744381dad3769b67d147f4964cea4bcae5b6f7fa38ddfbcd12ba98667a6aa3a9b8caad8ce661163ab9ca20e2a5a23494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d4ccac3fd689af540ff5c78819f89be6

SHA1
6c3a826c8842d2d549f57d81eb6b488dbd540e2f

SHA256
ef8e501d117defae7a96927700e732a69513ab7faeba53703f96eb28e7bd36c9

SHA512
3d006ab86c20b0418ecaae6e70688d59a6ae7608bae30049edd0e1ccfc8d59809d7ae5c7a309531b8f59498b760a9733279f54ecbae96aecaae5e97a54c959bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7b24fdc851e3228998ed51003e3c1d1d

SHA1
0a0468c18d176a037323357099ba43c85c9da46c

SHA256
93e86d0d5b3755369d054e3595718303b2eba540dd3a64753e3f50bd51945ab1

SHA512
369359423126c53bfe1ae078655a2cd3c76421a40de639adfe664f403187bc3844837fb8d4c1a8b2cc5093049431c39b779a82c23850c0322412857d650196a7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7a9a582146fb190fad137a1cfd645bd9

SHA1
1e0a20e48fdf0292bfb76f8078c1699de62369f3

SHA256
c72db7d458a462b4324a69db69ecd51111f9ef3f0fa9c94b01a77138d8a0a17d

SHA512
8db87300a728bf07eb0cfea95f728743a916f66f26a80d04653ca6bcbe3e09375a7f6b7017aede939110cbfe898d983841428c6b1b548ab3941a8be5bfda6df2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
14695153e6b0601d11131bf49a453823

SHA1
5be15a388a75f351dcce012f0bf8ff8b5ab8ee49

SHA256
fc9b1d4bd45e2fa2239f6bf9d9a3b082dc9a0b62692c49af5f2a4d0f7527b671

SHA512
288670af158474d7c6a538bae76f9554a018d5856ee543752a1d2b2ab273a7a0e6c1c88fdef39470808c003fa817c17534bcf82912ea70d217f39b30caadef3b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
227c0f17e9727e2d8859c4a7078e6796

SHA1
3dadfebc5888a444935afdc976362ec058462ec2

SHA256
3f665ea88e6022db8b3dd14e6c5540c4e65441f83bdde73fcfd9d71d61c7b2ed

SHA512
acb864b24d36ba639e122a3856b7a5a25c6fed7baa40a6d036712fe9edbd2de9c15cd472a8573f36507f517e47f2f9d29fe4fe252fbb018f01c6692122b64b26

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f43aa78e6e4f4256f063b3964f16072b

SHA1
e46c70519854e4fea08e79ad77cd80cef2dfd81e

SHA256
66c4bb106b1b522418217417a9abc12a5b7f9b22b2ee323c3f1b4460ff81da38

SHA512
2ac9ef9279d81ab4dd3e07b023a8fb8d8edbc6a0047ac4f031291e54f4b394a4a64d740aa873a11f592a1b2b49770985d2b0d72f27a4ceb3e5ca8ad47fc11985

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
97fefd2d49864d652a51dcad0fb6559b

SHA1
e6ffcef33663b26e6302ab8f5bb8cb9fc24dd0d4

SHA256
cbb503143ac62e4f4db86546935aca6cf80f4ccc052889627f4f08c6ef4f3b2c

SHA512
7f8521153c3eb909d864da72189ed0ae8e4a6d80c771f42c20d40bf89584cb350b79ed155616ae03b871ebef62dcd8f4521194fae62f85aaec138b9072e9ab87

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5bf6763c28db39f08d5c8f3bd153e5fc

SHA1
5ef55dd81fa4ded25b1d069c213619d1c167e80c

SHA256
cc666db90a6fc7f9f477b8e5979b650660b4903c153217aec7c2c1c355ca8599

SHA512
5709d4bf4b462f9d43acb421d32d2f8776ef9be61389e03845afeeb6c8279aae0c86940d5fae3a111689d749a6162f941eb8067b3690bf3ed33279486c382991

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
95e5bac4dfd14dfa6781628903f6993a

SHA1
a977b4b732f8f0a20c91ed52001479b3d2012b14

SHA256
97c97cb3c40c4c21be59c90ee1ac32b94405bfd1233c0ae40025a0db03d39a56

SHA512
ec25e576c57b59502bb746c9927ebb59ece804870ed8f945edaeffa8d6a080673f8885340854017992714a389175de96b932da05b9f91071f78edaa0cb57e16d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
323404e724a4e5296ba9012b10a49bb5

SHA1
a1ba8e3497105f569ad0e2335c514f27718d77ae

SHA256
25e341020ad8a5e73de27f01446abe0f29053d652c8c65415503b95f1ebcf66d

SHA512
9d3af681b3a32b936014cb9d983d4b4ce333586975ebdfc8056c9bd5c4d01b31562e15e71a41798be57532f9ccdb5eb34e0f62ad26c596c1b81b21ad502ff514

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
78e5dee650e9905b0e0f788074c376c0

SHA1
c4f23cf0b86fc2599aef7db10e58b610826409bf

SHA256
2ce1e00fe906d8147c71dd80c948091ae57f4cc65745a8e35d9fbbfdc0569020

SHA512
92b46fbc1809fa2741464f22618ed7c7ee8b3b12173f311340544398cddd9470bd30391da7651a7a54e742524a9564091e355c5a3e3fa887ce4c721c777982d9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3fb82f23e867bf1d6a45d83b8c970d98

SHA1
0bf1be2a49c5eac896ac5359f5e19474f78a4866

SHA256
ad03fe0a1b44995b15cf97b66f85ef31fc94a17c75502e9bc8bde3786ea16695

SHA512
eaa916e374ccbd64dc1663ae1239d5c2bd30103b59f9443548214a785da4b07ba2b41d564cafc94ee79da2eeae660eaba6a6bba6881c554efaa769ac571920ea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c7524976baca7cfd6bb4bc86a9552fcc

SHA1
f21bea31b9d762153ca85da3565cb9dcf9473b39

SHA256
cc21dfe6accf13c9ee05c1fe1fbf2a9508a6ed9d1f593cd257f6919c8a8460b6

SHA512
bfaead9d4f1d11d51a363d841f237f2a43ab7cd4b07b5a543669a63e5447eee6788ac181d9f2bbdc1a3c2435bcb94b5364a6acf9162ab8786d01876c301b0f6d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3582395530a154b2dbf27d9904503334

SHA1
b7e546b21e8448ce19d2bfbe1485eb2133ee2edb

SHA256
a2bed240e34670e00b701789c8644157bbecb567080148e408b66cf555ddfd5a

SHA512
7253709249e2d5b6266da9a7eeff4540ab7c1deec7b7210d923ce0e94f9f64a8495636033ee7a4de625321b3bf6d6a756f52958f60d62da08c6e6d22ddda32fd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
75959f5ca56fffb37b0fbe849ad66eec

SHA1
cc6203d6edad8d151ac318c44b6ab0f8b75c3fe1

SHA256
5a263c89545fefe07528499883d700ae47bfc8654c0c39be0d305eeffbb28fa8

SHA512
3cf035e60c347074d8b06bad196c0367550f769601bc64c9dc94e36391ade1359c3d0c90fbca0ba417703cd37992e272d1c84dfd843c40c06de29d82e092fb09

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ea61374f2aec7b1f1f16b231779b6939

SHA1
48177722055dc18aa8b5e3384b2004fc4e016816

SHA256
c8ca93aca608170c4c24e8ad055d568cd103bac11b9a91364391418934698404

SHA512
76c670cc91712be09dd41d5b9be8cd6bc9943f6e7b147aa78415978fbdf3ede1900e1616199127784bc2115baddc049ab296db9f359b0c3be0a3692cd064aa1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
aa513838312684e12afb58e85cf05dcb

SHA1
0d7b6d620ff60200403c80e9c63451c44841f57b

SHA256
b72e8c70503eea14d97c20b24269e227e6aafa464e8c5e82f7c6f4cbbd783ed7

SHA512
90582149247eb1220cf6a862ae7e91782023c4eb3536db8963f93240fc095aabc53fe5493601c68fc28c9355014179e83f1e3845c78ce34d7b115f3e621a2fec

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bc0700ed97be2711dc26b2f7205611de

SHA1
c853cfbe97cf09463dc8534738e47bc107984508

SHA256
b94c156af7ce15f8dca5f92886b7724c92c3d52bc1fa0592726f650f9e709574

SHA512
88d822a9c5450c83b3fc91be64578273530f20582d920336ccdc9da8ab88e2512a493e19beb08f8cdbf0cd69e952628299c0882ed0cc96299d750e00396d1d29

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3433f9e2a72d50fa8163f4aac1282db1

SHA1
87d435015e93a531a760451a828c18961dd4a019

SHA256
059d92c5b730d4da0d8515eec517f1b9e48058b7bae51647033678a30ee6cde2

SHA512
841c9a4c19ede8cfdb3d1f8040fc0625167a0b32dbba0f159de1a2f8e3cf97d2b76a16dd228506a85eaeed383a14503792896767641e48a2a880767f52ac5d33

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e8fdc2ae96a12494fb767d554ca42e70

SHA1
29754daa7ba3ce41af503e52b1a92a9c29d23af4

SHA256
1a83a5ae73804157046e5318bdd1ef2d62a049746cae88297a91631ecc201055

SHA512
33141a9efb59a2979630793a9fe63e652bae8e35a145a52df8455305ad666347fe629c7763b60c1605b7e27871c8137fc5fed4819ffb992dafa142b2b82b42df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f457413fdcf790086627aab0c1ea1dee

SHA1
9f415a797a2ae6552f2f95456e8b22f73b344f53

SHA256
1e64153f01ad03681558003b96c2767fdf8c837b4c75404d68358e9018419b82

SHA512
7fa3a9c4bc27928c437971ca98d43862c701ae94c903965208743d40733ade9381eeebfb3c7c88613c16eabd20921061cf16e7564ba5f9758b37bce2c13366c4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8ba036c05e406a9e8ced5a5c3b2aa972

SHA1
cef91bf056a2134fbc9564adc497afeeb1f3e240

SHA256
8796305fed4e3e85601e275bcf637d550aa44743c17ec19477b0599493b1e67e

SHA512
4c5516bd911e81fb107a87e11d6b0a283f5de46a600d47cbd1aee643a8a4aa76239e31489f734fefb2d7050a9cb97d5fa4622eaa6355b47cca207854edd56c9c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
14e153a18f577731f706eaccab6824fa

SHA1
ec49a8dae2d377e315fb45e2c1a34e8727473483

SHA256
d937f31c62f6774400b85c30f1635505d8bd9e64fb01eb5b6f019e9f5802be32

SHA512
bef13b39d20a5b909fd937be701617845d45bbbca9cdce701103ab5b9525ae9b8768df168bbc4a1b0869ff99f80ce640e9bfa71a5304f857ed26d0a011b236ab

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
71ef253aa1332af7d3c4fd11a867e551

SHA1
d6f2a74fcd1f2d2fa321b98a816559dc9e1fb4ba

SHA256
ba0619fc8bfcaad968626a463ce129a774a2e298adbb7789a6f4abbccf8484b4

SHA512
8af4a134f5d74ea1f13b7fd7bd5ee37ab2743a1140b2d0567905fe9eccfcb03ab9e8e0f17a799eede71c98dbedc0b8202f82a4d183b5b7c17a5bb5c1cf8e23b0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0f9c13edd8178e9f9cfcb04d5d97b79a

SHA1
a6ab0ca7034795201d687ad27b4e774ebeab1f1b

SHA256
64123b4b46371e67d70f45a25aace7e8820abe92e218542448d629d0e5bef4e7

SHA512
942aefb80d196216e05c3f307e530b01279eff47d453fc3b3cface2286d4a50b8a3fa9837da4e00c46b4459d051f5a5b7166f2cdd2600fb1cd0e6815e6d20ba2

Download Submit
memory/544-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/544-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/804-230-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/804-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/836-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/836-601-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1128-31-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1128-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1128-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1352-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1352-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1352-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1352-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1404-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1404-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1404-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1404-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1900-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1900-602-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1940-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2452-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2452-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2452-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2452-126-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2456-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2456-596-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2544-478-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2544-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2640-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2640-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2796-204-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2796-595-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2828-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2828-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3092-112-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3092-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3280-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3280-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3280-90-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3420-8-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/3420-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3420-0-0x0000000000B70000-0x0000000000BD7000-memory.dmp

Filesize
412KB

Download
memory/3420-88-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3432-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3432-600-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3660-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3660-436-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4008-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4008-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4668-80-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4668-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4668-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4668-84-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4668-74-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4688-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4688-496-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4896-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4896-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4896-36-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download