bbd4dad204cda09ea66bf979cd13fe74bfb67f78e33608935cf7e41e8478b941

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Size

1.6MB
MD5

210b1865ec1f2da90fa2e5354528e4f3
SHA1

543bf158ef18842b2eb675ebca0c06101e7524d1
SHA256

bbd4dad204cda09ea66bf979cd13fe74bfb67f78e33608935cf7e41e8478b941
SHA512

b883c7490fd4e8831cff4710209b429a1c6e5d5e76e4100ec9d2937e72aa255c00334987de562bb7f313c0c39984b66dd3bc2d901e9c0c0df3d01a6b97bb3e06
SSDEEP

24576:86BoTNjx+mZCkt76f/24pN+XNqNG6hditW:BBAf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3932	alg.exe
3016	DiagnosticsHub.StandardCollector.Service.exe
1436	fxssvc.exe
4936	elevation_service.exe
5028	elevation_service.exe
4252	maintenanceservice.exe
4920	msdtc.exe
3864	OSE.EXE
2108	PerceptionSimulationService.exe
1048	perfhost.exe
4380	locator.exe
1856	SensorDataService.exe
2132	snmptrap.exe
2012	spectrum.exe
5036	ssh-agent.exe
4852	TieringEngineService.exe
3144	AgentService.exe
3176	vds.exe
2760	vssvc.exe
4372	wbengine.exe
1924	WmiApSrv.exe
1252	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\13e7172d1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008793029aaabada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae9bb092aabada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c821993aabada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebb9289aaabada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd6b4493aabada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e2d3e9aaabada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c57079aaabada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f036cd92aabada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeAuditPrivilege	1436	fxssvc.exe
Token: SeRestorePrivilege	4852	TieringEngineService.exe
Token: SeManageVolumePrivilege	4852	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3144	AgentService.exe
Token: SeBackupPrivilege	2760	vssvc.exe
Token: SeRestorePrivilege	2760	vssvc.exe
Token: SeAuditPrivilege	2760	vssvc.exe
Token: SeBackupPrivilege	4372	wbengine.exe
Token: SeRestorePrivilege	4372	wbengine.exe
Token: SeSecurityPrivilege	4372	wbengine.exe
Token: 33	1252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeDebugPrivilege	4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege	4616	2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	3932	alg.exe
Token: SeDebugPrivilege	3932	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2336	1252	SearchIndexer.exe	110
PID 1252 wrote to memory of 2336	1252	SearchIndexer.exe	110
PID 1252 wrote to memory of 1240	1252	SearchIndexer.exe	113
PID 1252 wrote to memory of 1240	1252	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_210b1865ec1f2da90fa2e5354528e4f3_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4920

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1828

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2336
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d5d9260234c37b2da6b910c8fdbb1ba9

SHA1
2a125f8ac5ba16a93db55da89d81a418c183747c

SHA256
ca562856daef666d4692f4ff27b4b2e43d4ffeef91d27c5e2fbb20374ba03a4c

SHA512
555d9fd3a379c4be5a623ca1c21b9428e5588389fb1cdcea414d535b97c18f91155f6a6e11d0fcceef25d600825ec7fce5d4dddf94a4ea0a27fd0a95856b1feb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
90c5de5f26dcb44f8e6ff421053d645e

SHA1
fb28be7bd0bea8cbf0997951dae8f1d1ab38b15a

SHA256
e5439b50484b0dbdcd2a71797b1aaef1c28f9bfcf1e96517fa24688c4a64d8f0

SHA512
2fb90f6d47781a326e5f8d4c84708cedea95e0670629518e3f2666675145c04c49a466d80cfeeaa42a4e75f2baa1f80a187ae00e1a9eb45e2f27c2e4ce1824dd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4875a22d9f26c928329658863316e190

SHA1
a514b4b79555dd455b035b20e3653e8667f2ad06

SHA256
7edefd38117428317ee290846fbb34d9ae89afeb4ff1c6888677ca1835a7438a

SHA512
64c7ea3b5ea1c4041a851d55f35cabae34a494a038bc48af6d429022ef4d44121246832b24f60cebf578da10b6744f096659adea7a5b3db3226dace2de846c3b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ab51036ffae2d5766798a608765829c5

SHA1
58d0ea65cac0dd8527e7a8197e39595da69c0d79

SHA256
ac51befe3583ba21e3b1db2c5f97698fd91a1476cefe6900fca75eda75618922

SHA512
0d400b9478dc2a9a7e4ddcfa45b5c502c7401e0af9e336c431c9a1b0c2f77683740bb29692b6e174a9c0008a6e7cc41499df3e30735f0b8f61ab455b39ea56df

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2449b78d6ef67cfc01a9172cf869bc9c

SHA1
9a1d0d74d39e862f9a4155b5a5efec9ecb716e90

SHA256
b449a3660f007801b07b83c03edc24e24e85766be0f411dede709dddb279e206

SHA512
0df13b737eee457d235e1b4c11b1d632717f6072a9ee292182e2bf27d3a222c4d79ecbcba0a213a3c0f33fbfd35eef495c61722cf713cadc037950eb5dca5929

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fc8366b3ca4e66910b60b107c683b737

SHA1
d4632b51a6d87330096bdd5282a7a9d5bbb7c287

SHA256
2099a39ebb51cf43a45dd63472df8246d1738cc35c3d7470b523c36f8e3132ab

SHA512
921bc2ca715ad67c06664d12af1a127e93318553f3cb3406d58cede1d3349674254e5d284204d66929f331bc5f7d6524dd01b0a7d13bc90918295cfbc34e623b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
d28df7d080aa48202bc48baf4f51b744

SHA1
6d9001b9b09432a89f01d99b0149c483b0c21533

SHA256
8e8d8573b1de95f9003492ced1c4c47538a2d2451b0baae78d1a626c7e09ebb0

SHA512
fe4f6ced8aa720d71b29e46b9b9f1b5fd392e63817ec6283c4108d18b6f9b0b2957e8aa378bd90065d3300706c38a5c5188001cef10c12cbbab41a879fc88ee2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
818e798c16779655ef915829a8f3d80c

SHA1
8e30a1b4a17dbd7195a44b2c26d1ced39a088896

SHA256
199e78bf545d82ae9024bb2a2e9d5ae3aa7c3955ba79ad3361402a75115b0361

SHA512
a7fef79777fca76a7dd968e5d0d02ba77c2fcb57bc48aae89cb369c8f440e1276813a66ee27462118f8a9d8337bc1c893be2c4fd535b338d6570adf7f6b58649

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
01187891ea7485130309e596b1ac92ca

SHA1
6562f987071a7dd9ec37065142fada52eb0b2f32

SHA256
4d299d6f389d1df893c676a8ba8893da9a941a55f29d8a4f270780b2b47d872e

SHA512
5c163ec7f920bfc7c3cac7d4bfdbea87bcb22046ee46cb89dd2b4dd635e7e6f56babab0c4d55af9f815cc68aea5fd069360830796904795b37ffd0112ceb8621

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a4d9b108792e30c8af3257d25aa9d70e

SHA1
03278c1f65163c258ebee1923b09811e9929746c

SHA256
adf15078c06701248080dc4c143a06a366d257d99c574b1706a5ecc619c0d57c

SHA512
e0d42768278b5e911fdbc0403396a2c1111613bf3847068c26b6b4bca55802d0a72919a6f41f466a509604bf7917d6bac1d1d8f5df0f5b3fa362355885dc4108

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
41916de9431ad7b698373075b8fb6dac

SHA1
8d84f4d96586eb66d2e4e6b7a8ffe19bff3ed3b6

SHA256
9f8460f5e9281e36092f63901a651f10d4d29305121443a6b1d5ed0e53bf034f

SHA512
0198a72e2a95b1f545fd687d74daa2a590645d8907db24b6719588a1dc7db6cc2d0ad76803e306bb3ca8755bcc1800ed07e1adcac31270a8a8abd0c6c930892a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b71bf7d812c66564bfefe8b04d2f929c

SHA1
6c4f00b01ad6fe66bcdb6437acd0e5abc23d85de

SHA256
6f6b95ec56f8e270d7c940b1fca0e9bca215b14cc49785d3b9cc0dc6c1f51119

SHA512
d2720504003b38f33654692867287082479fefa35922cfb50d8146601d2872251d62e14eacc1d0fac12b974dd18a08dce797e2087e79ff0155e4f5a74b2d7242

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
584eee7fbbf97f6c452fd3f3b94fc870

SHA1
ef3b6cd0acd0d99151dc1f950fda3c097b158fe4

SHA256
187d5919730e1232b5ba86d2069472f4ca6780e25e390da2b45f29fcf406eccf

SHA512
456391cbfe15e975f9806b09681b1e9c1191d1d76f8ba7f98ba1931fc206026ff143dca6fcec16fcdf2171e253c2ede0b57f87a527d4a3f22f2a0b4830c3b5e6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
39712aa3099193f1cb284f3dde9e30ae

SHA1
511b10a2948e8bfd28c631484d81bd112264c125

SHA256
5850a65f126d64ecdc6e45c863b490f0f1f036ef3a96309c3a4a67021d9f9cec

SHA512
ebe03b667449d440811ca60fa6f62686446b2bb39fe3f267be4df8ef5847f9605c1cfd8117391ea9273a7a5b3a6dcf93a1ce7dce04a88c5ecd5925bc5c7225e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
05be24d742d7827454117e0f0313f560

SHA1
361bb0ab0822fb477d647366909b4b37f7b9270d

SHA256
9ba36a550a5b16e0fec48f7f3de988d1633a58b3b3cbd7c6522eb0ed5ae0cddb

SHA512
d3177b795aa009743124a3ff8093dbf459f2f00b275d4720588afc0fd2373a471135b62b48bad0d9cf0a0396f65feb2812a315f6ab8747e5486efe7a5d21b89f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
dfd93da32bb72fc40cebb7b92fc73dea

SHA1
e92e7fefd285935f31e20f72de34ecc4aeaa8f71

SHA256
a5ec2c530eb634b77d57e0af2faab9c12eddce16f2cab66e9529f376a73d9076

SHA512
0a107b10fc18746bc11c86d7d15de8c15004d9780da91e3df10f78d9fe9fa7e084b47ada9ec824530f2b6be344036a8414ce1d4a44a3f225e08989614523509d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d96829fc0bc6c4b1fba95d5ae2db64eb

SHA1
9f63720dd38ecd309bcdb7f5dde97996754a6eac

SHA256
1a2bda3487908074748a55915c42ee5bbd2217ca4e627d5c97e1be9f8471907e

SHA512
789e50059c95167c94b38d587fdc6d91f602eb93c1f6dfeb3d389bcb5f8e84f23812f423e8c460a6407880007b2bb5a6ec85f1b0937917ab2284c0a7f597f21b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2f9b566527baa424aa9f0f384a398ae6

SHA1
123cb1f0ed8935ce75e120a6235c85d752cb56f3

SHA256
99f860cf14acf18dfbb1ad3f2f2e09bd5b34d9f3e5c288ce82b045249c811778

SHA512
60c2213056d02aef33f350a7700dbdeb5c9eec4b87a18d0a78bb62744aa349ca5029fea43674e6a3dfe6155c69cb32a265b97901c1be0520058ce8fca72c562d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c51fe04862d72cae81966ade21f735e3

SHA1
28522b2f494320cccecadb5a979865cb6b7ded21

SHA256
28666408657865d4ff420be7045ce5b15a979bca272d186ab2f99538a575088d

SHA512
b70920c8beac7fc0d74a16a41b260be46ce537987aa6dc36cb44c9e7b48ad777a0aa100ec1ccba8fddb8b104ce8fa847924f280ab70763ede39623e83eee7e72

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4cadab908392d3dde737ce49da553208

SHA1
a7f2386ff5bb9af4b14b3d4e333f9b2cdfca4ad9

SHA256
d84aa285f88f6a8b7646f0aa5a3aac79cb7416225c38118281e83c9a57d3b438

SHA512
3adbddd4e4e6f8ce04e65e459d7dc59d5b59e36851b67acc2952d7e4a921e0dd9042cc3f5c57d4db8c86447235c28a20039d3702bb7991004cacc70ba3bbc42d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0f94600d16463a224373449d3e5ecbba

SHA1
cf55067b9ad5e2a6ada42e0526a47e28f9b1b35e

SHA256
648673277d6d326e83d10884f82c29fec65496f2f469cf80b68b43068f5aef36

SHA512
493df24ad25287d0372fd3112fe648b385de9204b11303d0e7c28b45403b6008ccb7d0ae976c0543287772fae128f4336f7fba11e9e686e632662e5f19e17163

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7e2a14a490be067525779e3b19a5421c

SHA1
08401f99ca9a6ea06cf99b70b86f7d55353f6f80

SHA256
10949405170f952426de69b4e54803fcd86c7692c43550f44cc907af48923b3a

SHA512
7a0080a8520457759f9a2ea01695d53b382d3d02263ce197ccf5cc637be66032d2b9ea37d5b15d10d2677e4f44d48c975c5c5f014c909bd09036a3a57d0a6573

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
6a73a36aee7721d8dfff76b336435946

SHA1
fe85a0471f28bb88ae4dba09d4f135206115b5a5

SHA256
860cafd82363693804fcb8f6c68d18019de89e2d033fdd39325fc50844de890d

SHA512
2930fb580cb92236207da7e2e3de5da378e2484e2af7799d5ef513bb1335d2eb6f5fbaba4ad2924ca4fd8ca64826e92413c59e04fc155cabe284dd8f5e51f486

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
495f9111210e26c48fe3ab81dd648cf5

SHA1
4ad3baa3ca86bb97b37613e66babb553b6be98f2

SHA256
472b4632737ac27dfe07df33e83ed20d0af06c2ce2a6a8e5c1f82df6d1524cac

SHA512
1913e19d69deb0d35bfbfecd8e7c00d6fce0817e9c1c41e0a4ea3ab5636019a010de88303cba85f21b41047e216c3068044ae94a90ee8cc046fdff65bf24dd9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
61546a6fa1165f2b4df4b0b2ee5d40c5

SHA1
76db6c497b3af155ad94b6e10aa32027715e3c68

SHA256
e85cad67b8fa19a62c013b433f30d7b5f05d019c8edde98c9c547f53373d410f

SHA512
e4c850d6d820fe6fd16d9701e00e8e7b2101a6d03ea071c2a29019720a6da60774418763730033d53a56ded6bfcc4086a79b1f8e5245ab3acd29029e345dfe56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
bddaf59ec9f8fd90a4941f057a77675d

SHA1
5b4995a88598e4b5d8785cea60835c15ff5937bf

SHA256
57672e5a85e00ef649b68e78141e18178719f9b5d36bc4b797a034ea14b950a8

SHA512
c37971803418f16e05a18a0ea44e6d31742b5b0f0957b49c0db046e0ab4d6eb8430ee910c745c89e45cb0d544fd6a7cdab03147f5a6e59506562ad1d0d9ba7a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
a3c1aa1c2fd45da7f42e1387835cb7ab

SHA1
e530c94692232aa84b7c2c5fbbc6a250fb0fce2d

SHA256
d307f22f914a102e1274a8366968b099d212c5a29516d6bf44c0cbaf52fcf56f

SHA512
371d28732b33c4b01574800b28de55e483c3e070bf1b88ed99fb301971706b89e750a06b394f68d6a43d470d3ca6ca117762d443abb554a05e6ce642888e8621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
65f971a27bc79abf1d423d83f680b5a1

SHA1
9295d13fae49e803c5b8ac6c173f47b02b0e0d46

SHA256
8f6c4876691852688922cb6054bca88acfa88a6446b3dee4d23e7716bc1aaad8

SHA512
a2d32267ed23f590125a84e7bb47a6883f5e7855e1b3aea37c37d0f31c8eac647ca6018c47eddb8ef63da86e8e5dcff91956c9df716d2d0646b072183811ea72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
d61c47393afe350b01b8adbb3e2f6071

SHA1
ff97c4e3e4f664016677d7a7050bf52048c46216

SHA256
d336347e3e4c4bcf796c49cc3d94598780adecba4636a2c81eab012c1ce45773

SHA512
ac854e42cfd87edcf5edb8c2e64d06a3e5b8f4b14e07c3d97b437bf9bee332c47e35060fee3012a37a24462e467f7740e30b297d21541a31eaae49ec17ec6ce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5e31608b37b05e026b3a1362b35a7747

SHA1
eb4b9380ceeb0c0682ccf24d554b023073852cd3

SHA256
0f31be4984cb1b8f91ebd9e420d0da55449f99247bad4a2395bdb78d73204710

SHA512
d8557c82a8dbce298d1ee4b06f6e9fcb2e8a3ae7d255a05eacc1efe2f8e0b747aca70f97eceae61edbc594e0ec9e93cd1f9ec1228eccda7cbd18667973049151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3e3c87b38d20677821ab83017a1ee2cd

SHA1
b84820de53f183fd7fe43527ac8685df5773b754

SHA256
a579a5096e36446c87b592d3f4a64ee4c5b7b6593658ffac5695b8e563e1c0db

SHA512
fc0ce26165a30b7f6fd80d0eaa5a57f769c06b14fe2871be390f6891f59d1a3861c9d0db09cd1cf8b8140c91d942a7942bfef23c805d32da456bf85f0b84e51b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
82b438c2ea1f18aa5dea8be0445a6f97

SHA1
4195296e2727c9410ae7600749320edf19c100ee

SHA256
8b2c09e0dfcd39829a114369c04500acde7b34c310b198b219a1e3e4b115eaf2

SHA512
0703f726a0c639ea00b3c3f779e583c33099dba21e5fb3ea402173d83cce4f97e648967f08c8fbe8039e1e2f0e05e2e78a40e60ab9bccc1b1d196c251c848567

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5b037b8e84ef4fa731c1bbde9aa52ecc

SHA1
cce7f9ad77a3aa38a4f868ed4065bd4509609181

SHA256
f43251de67ada8081b4d818867071d1de00979c2f0e73c1d7fb15eca44dae6c9

SHA512
a084e51e7b97f8da63f101cfb3b9d554ad46b5cb6a4abc072a9c51999d10c647c8562213f70fcef2f275f86c92af2b6252780ea11b81ef1c62376fa270445016

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
174f0b062f347028cb881d99af82221a

SHA1
f61c6d48046af653f8fca62abfdd4b5c692d5d4f

SHA256
8657771b1e7afb12b46272bc4b652ee619eceec8690e6e282b8efe9480ad51df

SHA512
980f97db88561ea61dc5f67b8844b1094f2de298e1c20db8517584569784d791a9966a38b4d0ae8c534ac8a3494829b582a338e0fae617b2d93ab8016174c6aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
11606feb17fa8c7ebed0dc1eddbd1bdd

SHA1
58dcec88879fec9f4f63f97be458e1525ca24553

SHA256
b0e8db10c1fa5af9503b0930858ed3276c38b0c9aac13017b78fbab70dd9c7c4

SHA512
4a3f570ead49e46c15969e7e0b940759a17bae7ae838d584c9938a0944b5f586010e92a14d9fa98164d98c8ef698bb50ba6ef314c603412adaff3d71a409551f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
acf6f542c7080336caf64202ccd93d56

SHA1
0717d494c5e543a361578e8dce8d573eceb240d8

SHA256
16682504288fd0b2080772d284ed9531233a73ef0c11262c46c314a159ed0724

SHA512
0800b686fa7b4bf8ddb13d05915a113e50f77d6b910c1fb3ba7544cae7bbfb098ef6b646ef06b26fafb4695b56b3e4f1d0af12e370337251fa27c177691a8f6e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
726f49620191d87352a5918e1bf0eca5

SHA1
cf390c3040d85b1c40a94c1b7d5e95ec9cd6e026

SHA256
9279d7a924b831e1ffeed08d6fbdc2e03fc809c6cdfd074e0bc1ababa9f3ccb8

SHA512
9dd27231fea5338a684ebe49b284471d001aa63ef4a4f0e8bdb3b5b89bc364f28181075cb6115e8f274dbfc237e73988f6d1ef29b94b77fe11777530a3e87170

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
aba7835cb5506378ecd7457b468e7759

SHA1
53b61464bbe010c57e0269fa65a10385319030dd

SHA256
6e589aa786c004da33a98d8c5637381c4ef3c086d0fd7e46a798b1c23dc09f65

SHA512
e6526387dc32bb21b52f004692d8e6ae9d0da13aa1dde7e5ebbd9eb4959f4104483767472ee830374930e7e581d4fae93f27b97d55644f8e15286c1ee289f2c3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1086a3be887ad086308f1be45fa32667

SHA1
0852b55f1cb6eb6d6a2e5520a6b595e9c95ff03e

SHA256
56044fce6dabe3444d136032fac2794f428fbce26b16f346733010f88ebdf93f

SHA512
5f4ebe4c22dee4cefe318986b44a3a997854ae60ea6194cf0cf2415035cd3eb5826ec8305f53a972a96d9a7befb55f031566540fd0dd446b46380559a682316d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b1612e0e0bc384267743448d90bce2f8

SHA1
8b654f6399d2823ac34a3f47fc00604eff489770

SHA256
a53951af0d3855aa9bf031eeef28a141e8260938581d502191e20a3ed052ce2c

SHA512
939632447c15505c981d0c2b15aca83c8d8c47ea883cb9c3aa2cd89d80e1dfd224018b484c438f70a8469b31413e8969b47f0f705019b48f1103f0fe676ddc96

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
b5af8c808f745dc36459bcf303adf08b

SHA1
effd94f5d0b8fcd479dab76146e932c58f2cb11c

SHA256
b1b738074aac5ac1a024f4a9eda85c0489b23d854aef236e2e4edf599c6d5d98

SHA512
8c3a26ea7302e8f4f2059c36b2a140195344823a53d20129114a7dd7d4f7e8cada01414eeec89efcbcfd817472fb6fa01eeb96d87116c523707e0f94288f3b94

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4c0e760e2a18513452732c0c7924bf6c

SHA1
a59153ed5161bf877ec68d4eef82803a1194cd0f

SHA256
8e356caf11d680edb7812a6e3eec9592019c02fb7585ffba52b3162715cd904e

SHA512
03cdb9796b87a849bc46417f780375f04e8f7b39520efe6e5e973165afce07af6216abfc510ef0062a82eb9cff5df02fb0c385752651c5dae1de41f9ed46c0ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
ec04cbd954353385fd0e0e8b5be0fb7e

SHA1
3b4f8fabeb6c03b87c8d587e6b4762f885424b40

SHA256
635204a3a3363e3653818c89497a965aa7d201a2bc852ac5c282db41102024ab

SHA512
e1c22963a9fa4f3cae48625afefde60bd2ffd1813f2ca221c9b847868662b3379897ce94c7e8079a045de7aefbdf0e331bc0f904ddac65dc16ab4fa70c854c21

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
8198c60ab5c18d01b06e116449ffae9b

SHA1
3a6f2d312be85a5388ce197678370abca7370cbd

SHA256
f3f181faaeae0b9bb8312849ae5396893320e52f61099ec32936721b02e7ba47

SHA512
6630932852c963566eda74083a0f640b0e2b56b14b84e18b559ebb4e561814135f6771f4785f9c0ccc44a53016442b035e591598aca5a99df1122c7df0dd5a58

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4b13647d4d6b8d75376fad6c49fff261

SHA1
1315664e350fe3c02ba5885b753b7b72dab2b0ff

SHA256
689256877602d86560995967b0481140e071c0a8fae661aedbd7dfd8e03c8ba2

SHA512
d49127c0ec995b17acc956ab3d7cd549d9c3b23e5e7f56d88f1bcd737e7ca9effa4cf145a7101f5721133abc9abd0a521eac007222851a8ac5d392512d34fe50

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fcafb8fa9c3492fbd0d4fb0dcb344798

SHA1
859a1d8a0af4caa8687adc08dc6ed84f0c63811e

SHA256
c3c9b810ce75034cb1afcfac5b79b8a751760cb560573f0ce804a9cc565bcf80

SHA512
30f3de604b85a9b3a3c3221a532bb571e21ab5f59bbb28215dcb23902a5438779fe65e40f5b8eff7876c7ec3129eb871aebd57ddd4dd4a5d5bcf0aa7cabf9ef5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9fc8d05350beb7731f46bb1e0b23be9d

SHA1
3466af66ee603d12e094d4c3770d46c186fdd927

SHA256
7009f2bd426891645dfbd84c71906948205d34db87c7abc80b3539159a6d167b

SHA512
b82bf11e7e20dcf2051731f5f7bb97181313da5792885dafc0f26614dfe39b3e69cf3d295f1080cf616a8e0f86c9427cd7977c88856a9f32b68b04c80146d847

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bf724bec5f9a92f7dc6ceffa67afea4e

SHA1
e47d5232cf3e3f2b5245f50c1abb2d974ede48b8

SHA256
a06785227ad7f14e5253c44b7d6449bf2b9065e1927bd882a85da6ccbfcd4604

SHA512
c7669dc729752d46c4e4e32d8e92f2fd502c3d35da38b5f95e5f9adb3d49ef18d5488ee8a706596438a41bafe0e16e72057ef141f46f0cc39d7223ed02915a55

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
9ccb886602249a1ff4809df66043880c

SHA1
0fa248c116f300d5f954b6ce0ea3a2a28d347d51

SHA256
2d5661aaedafffdae0729540443ce37f2f625f4f132cf0073038437fb81844e3

SHA512
0927bcd3d9c4c2c68ed806efda56290cf61c1323573cf27c941b0e1c33f87a93e45ce476bbfaa93529bfe6971355b94e79a582b9e600d1c48b8f18c52e5eb224

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b206cea0ae994a21474a7f2c055058af

SHA1
9aa27db2bb83f8a2008a1961d904936050a8fc11

SHA256
2aaf609dde084c1323a4681081276c29e3c7b250479753f87e41ff90e9a9e117

SHA512
7aef1e572172f0295b935ebf37181489cbd93961c6e77bfbf51c8d5a801a3dcfa928413a009d49983056c2843429bbba5cc8aaeb8a7efb23c0612ec6b63f7313

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
057b8db40da8f11e2f92745b8e1be41e

SHA1
df30e8d3806d16dede7079fcc8280474eab10536

SHA256
5b54d1612a54c0242140b01a75330d9d8a3a3681fc3fb2806559b653ff345cd0

SHA512
ef4de57fcf1514e5661cc114eb73bc8b767162b5be584a029fa3e073ce429f572c1927a3c2aab10fe25266c0b2305cd8ded7908b937368a56976faede715963e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d7d5f9b86ebfb5a5d5442dc878cc3c7b

SHA1
1f17aa5df8a828ed3a311f61dfd538fe00d58068

SHA256
0405b63bfed840557e7e2d2c29ebe38bd9fbe2424bf258aeec46ed211ced3f3a

SHA512
1dbbdf4e8449ebeeb68ae5f20aa628ebb800a5f696749dc43fabd26a6cb9d7d0bbb453109ae5b9fbdaaf12e58d2d07d49abfa5209469cb1665d562cb9b6a008f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
eeed8b5a153683b9f2037ed0816b167d

SHA1
7ae6e488121425164a8b7fa27b6a79c0ff104750

SHA256
7f1de5ddc9b2f81abbcedeae7dc52f10b9a028c4f3109da518cdf64db9992379

SHA512
a95fc8ea3b7d44da815e7ceb9890290eccefee5e2407a88c7965f2d7d18faac3dc19e7f9aea0bfb11be03be160f308c6722025e194fe01835474f13dff0446e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cd6eb5967e29394991ded40be2488b5f

SHA1
3c26cd686c5af3e23470afab0ed382cf7db55189

SHA256
ab223e1d492f235b4127bf0e99b70c7c0053a1505292e30b0875211a49bb9d9e

SHA512
614f151c994d55bfbad5915fe0bcbe78848a95d2c7b1c122ca13ebad3748e003dc56a4bf52bb2c14701b0235f221d30801051609e9b1bbf12fce57b049ec0aa0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
5e003ecc737070448bd33365ad96f4c7

SHA1
b39dc41b2fdf1d77c1c7e81e86e1bdd112dd3851

SHA256
32cba854cf0502c8c84c0f824922a0f793d737993ea307733d25c1195ac04892

SHA512
042b12f1fc0ba1c35b7acc61899cb19aeae9c321fdb3e363071d78d6567b41966671cfb024e1fd1a4b0f09385dcaa5c45fdea31f6f2b7963a3866b0ae1575321

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dec444cad3231a91f8e2a9755330389a

SHA1
06e040d14243da50d361ec600662b77463dd9cb4

SHA256
cdde5ff457b25ac397559a0df31f303f6204bd235c814cd4bdd970256a348690

SHA512
f51e8376f5fa5c52bd56a8c3e2ad0018ef846dc820120b5c5fe33dabc2cef65766309e591592d0970122e6e92e2f0a91f2e8e74903a0f1ae3416348384c30129

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d4b94f3aea85a37e38019829f48a9630

SHA1
493a0f099e749201b174bda7dfc5f06bd4ed6ce7

SHA256
520f740c3cb2c29e62b16afbbf34693d0778b29357cd65914d1b52593ec3d76b

SHA512
52d4e8d00689c3ff2f4d5a7eab9e9f31ef6fb2087b92e3be1ce9c05c51e90b49ab427e7b6ef4b4c3471bc7589e2bd6c715f3089ceb860b4fc411a620137544c0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ce3606277b7c25c7f9b081eca223a756

SHA1
6d36882d287df95d26a781d5e9e89d6d972f0f74

SHA256
080381ac533a299344af4ca6274609b03c90572bc569ba8f1ebadc7a607b4f9d

SHA512
b8a4c8720893d849ea7241839e2c65df7c3b97784de3d33db62407623fb9d9391988d8883e2a1fa7328549d97ce2662f58b3f437fe4e9099860d626ad6418e9d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
3c22f7bff370338996c7bb5d930c1688

SHA1
3bfc6b4c7c0644f8c795dff4f1aa3ee3c9a24372

SHA256
7943ef6cd1b28b4fd9c377082398ef6624412ff567295cee4fa6a9a4d3d09c26

SHA512
acd0c69295716724e955ef9016985a74f4b61879f06798f5f68dd04940686b620e996c576f09bd24bbc8646c081e5f1e7234fca947a938512eb0afcb4b0821ee

Download Submit
memory/1048-242-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1048-124-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1252-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1252-261-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1436-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-43-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1436-37-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1436-58-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1856-466-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1856-260-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1856-139-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1924-576-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1924-248-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2012-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2012-440-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2108-119-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2132-391-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2132-161-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2760-571-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2760-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3016-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3016-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3144-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3144-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3176-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3176-475-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3864-222-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3864-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3932-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3932-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3932-159-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3932-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4252-73-0x0000000001860000-0x00000000018C0000-memory.dmp

Filesize
384KB

Download
memory/4252-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4252-79-0x0000000001860000-0x00000000018C0000-memory.dmp

Filesize
384KB

Download
memory/4252-83-0x0000000001860000-0x00000000018C0000-memory.dmp

Filesize
384KB

Download
memory/4372-573-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4372-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4380-137-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4616-136-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4616-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4616-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/4616-2-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4852-196-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4852-474-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4920-87-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4920-107-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4936-49-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4936-55-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4936-48-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4936-195-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5028-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5028-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5028-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5028-198-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5036-175-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5036-469-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download