6b43b70d9255ff88c492e0d137238f38440f3dbd3a63e48d28b29447520cad8c

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Size

1.8MB
MD5

80400a897253fa53b7a844ac01191e91
SHA1

f245b7a536137d87a29a68761b393b980d27c672
SHA256

6b43b70d9255ff88c492e0d137238f38440f3dbd3a63e48d28b29447520cad8c
SHA512

b6f8d93fe025bc637af6de01a9bdcd91f7617529cc7fd54b090488254303c7279be0ad9d9b09e0573de906aca051f9ff73bd2c0ecc8b87ccccf2e815a889f88f
SSDEEP

49152:WE19+ApwXk1QE1RzsEQPaxHN0rfPOkhqvq:793wXmoKgOkf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3112	alg.exe
664	DiagnosticsHub.StandardCollector.Service.exe
4704	fxssvc.exe
3856	elevation_service.exe
4528	elevation_service.exe
4464	maintenanceservice.exe
1768	msdtc.exe
1128	OSE.EXE
2176	PerceptionSimulationService.exe
3536	perfhost.exe
1744	locator.exe
1648	SensorDataService.exe
4068	snmptrap.exe
4884	spectrum.exe
2924	ssh-agent.exe
408	TieringEngineService.exe
3720	AgentService.exe
1164	vds.exe
2892	vssvc.exe
1204	wbengine.exe
2340	WmiApSrv.exe
2828	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fc63986c7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0C98199E-BC2E-4534-8EDF-DBB11EF8974F}\chrome_installer.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c85eab9e6499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000734ab79e6499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e13e099e6499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cba68f9d6499da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2e7b49e6499da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe

pid	process
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Token: SeAuditPrivilege	4704	fxssvc.exe
Token: SeRestorePrivilege	408	TieringEngineService.exe
Token: SeManageVolumePrivilege	408	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3720	AgentService.exe
Token: SeBackupPrivilege	2892	vssvc.exe
Token: SeRestorePrivilege	2892	vssvc.exe
Token: SeAuditPrivilege	2892	vssvc.exe
Token: SeBackupPrivilege	1204	wbengine.exe
Token: SeRestorePrivilege	1204	wbengine.exe
Token: SeSecurityPrivilege	1204	wbengine.exe
Token: 33	2828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2828	SearchIndexer.exe
Token: SeDebugPrivilege	948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Token: SeDebugPrivilege	948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Token: SeDebugPrivilege	948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Token: SeDebugPrivilege	948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Token: SeDebugPrivilege	948	2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
Token: SeDebugPrivilege	3112	alg.exe
Token: SeDebugPrivilege	3112	alg.exe
Token: SeDebugPrivilege	3112	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2828 wrote to memory of 5012	2828	SearchIndexer.exe	SearchProtocolHost.exe
PID 2828 wrote to memory of 5012	2828	SearchIndexer.exe	SearchProtocolHost.exe
PID 2828 wrote to memory of 4420	2828	SearchIndexer.exe	SearchFilterHost.exe
PID 2828 wrote to memory of 4420	2828	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_80400a897253fa53b7a844ac01191e91_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1924

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1128

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3348

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5012

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2f29af5669dd3b1b25088fef04b110dd

SHA1
22452fc60b885b722555982660aea3cc2e2f5e83

SHA256
73baf82fd364da5c0a0d1488a257787e79003ff4efde5c266070a4acd6ca925e

SHA512
0ccea01cdef7e095a584ed9319e7b827ba1796611f86232d72042bfa094a03a6f02f9300abc4b729d5053fa1309ce1701fffb4b30ab0f8bace97ce8760a45bfc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
c9a3879c1c13297660b3db0203d68255

SHA1
6c1f72a821fa712bb4cb9758d66bd40829eafd12

SHA256
5df3d4366e8229a90fc0d613d0199e5f8a635c66711752645d0c6f22f114a906

SHA512
3994d56ae5db52db694028f09d0acba16815ea9afc827958b6c5db824ea3ebe14cf2f61e60e1cca1ca78f648c44344e43c339a861e9c628310e21a959295af83

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ab4deb610498ecd096214b56071d3b45

SHA1
b2ae51ce075e97d9dc8c7cd43e7ce887bd50d51d

SHA256
3c92c13ce04c58b62336c077eb5e6df9086374e101e4d6fff6f7f74e8910b1de

SHA512
75125e5c3e9803b715962b58a7ffcc136a259544b2220d4c5f53cbdeaf58e64ebf41ce9e7e8511def47f5dcbc44969d4caa3fecf83b6bc471ddb64350e00bda1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0a6de6f26874fdc36455ae73151cf2cf

SHA1
8991e787e18d390f1f160e26b5f93a35078ff58d

SHA256
e6c08350764cfda920571860b56112f674c118a6f475094a2e760c2bfcc04967

SHA512
f095718eb51a4e31f0bfaae84a4e16efdef814de2a5315bc92e30ed7505b8b7e8e54eb9eee40fc631ae6151fa729eabd7ad3f821e9641a6f8e5163e17ecea314

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
42714577271ec0273e48ed7b63b208f3

SHA1
032a718e839e4f804cfc57117081ede42682f4c6

SHA256
d43992592d8534f7272de4ed6e1ff8cd27deb85cc1f85d0d372d6bff7a9f3934

SHA512
d4551dfe66ba18dc8d574b7f9923948b14cffdcd9e4a0a7b5eadeffc56eac91eb5211e9cd330c2e76dd96a199a8ff8a94c36e7ec3fd1fffeafac1f75a236c7a1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0b58f2488d7d56e7199a470e81ee344d

SHA1
326ca5746e10f31187edcf221020edb1ccb433f7

SHA256
97e3efa0cd51c94faec882f9c8737cea3335ffecb18bf3f180dfaf4923f08da0

SHA512
6aa4084d8089c62d8cb4e595e25e65e1c3e5551422740ebfe45d453839ae4ab1c588f0eaead7850e61b2d50a4119d87ce44d114c964a0ec3d4a8e7fc353c0c5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
93a16e6b4b6126a14a794e796f5d13f8

SHA1
50d1041ee1447a497e7efd866c6d2403e94a46dc

SHA256
d98b48d628431808145528b2d22c8159fb24a816d6d96d2114919542aab041cc

SHA512
09c465c24e500f0855e18a469f97c10e45a66813008cacd7b77e66f0ed13be2f9b929f1ecaa4246d61f26b517c0907bf7a62785c7acee3af0541b7ac9f37034b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bd36db8a380f50c5430873df3fc1404c

SHA1
0815be2f2a528720a1f26f0292c6829db9186222

SHA256
1cf1142e926bb00f0bf099148e2f72c87093401d9d3f32c7cf2b11a222c6f3df

SHA512
53be475c5230e8fdfea883c35b6f0d578e9ded72cffc2cd01f86436f69d07b8a846c89d2e38290f04daa477a3ea8a6137915834f70a1dca1845aad5486771042

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
367144dc1918eaa630958d6bce4c6c53

SHA1
f80f605cc28d46b43bcfe31243bec60c932a9966

SHA256
1e20ccb20a63c2e2e096ac5d955e2bb02442e30d91de81ea558f7937291da2c0

SHA512
09d3228c8c6325a16a2d0e3afde8b8eaf2aec9f48e74cb23f264bfbcbb1207faa47ae1d8db32c47204bdcaf80d9ce21d535595729ba0a48798714248c188603a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ddafb985c56f1e64222f5aafe98b420b

SHA1
8eddc8b33eb215cc27379baffcf12c1f510ee376

SHA256
c8d35b180ac568d7c6f487e1e52e8895cac380ec56698e38a3e35b0321a11e10

SHA512
d4a3eb6805d367ca0afd2e4fc39dbe6b16234bdda4a1bb06ee0d2b18ddc5f40db8ebe735418ff3190298d6d53e56e56b404c1595fbf3e1b987d7f842a7d9df78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
aa72a3b8bf2c4ee431cfa9abfd6931ce

SHA1
f1b55c75dd19fa3c1a6cea03d425cf1e9c18bf32

SHA256
b5322dac160c43e908a4c746667a582e1ff201416c9301c68ba2a27346b2c9d7

SHA512
c060f0ea8754693d0353d643502d33a5238c47e918acdc6ceac94188b631dc15dd35977b1f7df7b24e9ed5a79c4a3d5a54669fca63bc5c0ba3f54b775ef6998e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e2dca90bc4adf0e9f8027e61518190c6

SHA1
86a6841f7cb668095494a7aa7f24a607ab1d4315

SHA256
e741ccdfba129d6def313f1d97cc0d10577f6a84cd8444eba97948d525a02a3a

SHA512
3d8408026840db34c6321229917b1501c0c7c5bc92f6e1f49581dbf9c94aa27526cc007b483cebf6cdb4e25ffca4a76a3bcf3b98cc997b61ed18c3a8ae2dbca2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
61914a8468c3959682b24ab0fe1d0e36

SHA1
7706acbe92dfa0f516d3ada8094f0ebe53d30608

SHA256
19a5f7f1bdebad6bc1b04b6e594082e7d4683f56f29f35070ec9500e0ec3c9bf

SHA512
7dcedf31a1a72f587b160d66adbed304da5c6f49c2ecfc9a71dd57fb284a51dc970a8b48d8486856a93aa15b1bc697b7dfc428d9dfd2b488c61a2c9875e07c62

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1a5dff5b671b74969664d08a79bdb51c

SHA1
c8edc306c9b516e5829367fcb5421417943e8ce7

SHA256
cd0c9e7cbc7642a5bc91f2bf2dd2ac4c83a785e630fbff6be66487c5e6adec45

SHA512
c1f2126d0b09d6640a763a9dae856eae4bf2334835d4aa7c854066ada275761eb8a97592d6ce3cfa648ca1b0665edf9f6de9e635cf724da8cbc9cd2652a26b1a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
62576ba304460d6e40ba26b9e3edab28

SHA1
d24dfc9a03736d148a3a7285f0b11a23037e0708

SHA256
16d297e57e0ca24577b8fb29c3d757b6ff8d10c5f1474c2556fc7459c195ba26

SHA512
fee900e0514768def90d9f253330a6d7476771d0527b09a47b0416192041868f491c7734d3040d7cc41ba03c9bfc8e8766032d175916b06b712d25bc2295888a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
9b03e4e46a90c66abb1b6dddb10dffa4

SHA1
a9a36ab4b0226880c0c03b77f081e6780902ffcd

SHA256
678e79ceb5e87d74b14fbeb4392f0b8d2fb16a3b9f4df0785a142514dbe9c4b5

SHA512
b9004b0e44cfb4ac8c9301bae4fa9b3bef7939d316bdb5d3c1b43240799b2f1d34a2d0bbe374907d1098f2b365bef19bd7ed05ab9e81b2f59c68ac4957066626

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
99513d7c768b1fbcea07cc36a969e895

SHA1
29fafe092800e724d23648b2b45ec7f31db7fb52

SHA256
8854c215fedf6f5977adfb6a6fc6856a0bbf303037c76f35b2384995a87d44a1

SHA512
ea36252b237315a308a0b963fe3e6f1246718c2a59eb4a48ab5f1cb58174fa4455dff0a96cb8a4eb91abc6a517e93ff5974afb007ed6d261c29295968d415f17

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ad9530751f03fc5d14dcbaca7343212c

SHA1
bf55d24f76725a84652a5f787280a5d23e3cf5da

SHA256
b8b2ea316766358540acfd9f17880a547261277e4010a499bdce672075bdce8d

SHA512
961e60fd13e407eb45735d5ca7fb6fdfdc91f92086ad2f63e38dde68ba182fcc863133439c33e43f6193a7e27eadc0b2e6df84fd5ec57d54de2de132fc0f834b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8a5d049e7b16c860a199ee88b197e0c9

SHA1
67773c30c5e5fdc5db2450e45a46c4b1f02d13e4

SHA256
f2127f7945ad74c480ab7fff4c29075dceec4cc55a8c161e8a7e8029aa4d865c

SHA512
b7598d4ba9ab6853db0a0012a85e987efacf5b0d54f9be11f3baf0faed3249163c351f94cea38447b48de9f69fbbd9ba0a3b92a7e3c6973a5d29f00fec1978c5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0669e13256be8bd00e4b0354ac2a52dd

SHA1
24c984a89137af8043ea3642d88754b430d4ecc6

SHA256
2d5ac398ef63c221b34e254ee5570cd8d4a1f9d47ef9a86e994378a5183d31a5

SHA512
8e751684a21e9324d10286cea9c3825bd8bf0bef1771fc174f7147a9cf97d77e5c7f49747077110314cf128c5836f982c6716a736bfde4a1b060036613079d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f939434b4717569cf1f48a8e35b3db58

SHA1
851635f2accf63d552b4be9c73281c00c0394f90

SHA256
173043f521290597510578d1cb564ab1d9b4652011d8c17c78da1e670157c070

SHA512
ad81fde385a1eca3032e3782f909ae8ebb78c62e77e31a3df5a77ef09b28910e8401124707cb07610358e702b08eeae9f1186d3e01621d6dbac90280c7282d99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5f49b22b45d0c02bd57fbb7677c4de6a

SHA1
414c312bbe4fc0148d69ce6a754603eb91510c07

SHA256
0d6cc770bb5a61545dc10f751403ed709c32948d90e4b94c1586bd76babe4dd9

SHA512
899099e200ad2228da9c2a5c2a95d803fa62401ca3bf3b697b266f4490fea6aec2f172db7b4c62d9c0afb446435c929c09e871a7b980c4733fa358acc5e9ac3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2e902bbef64385e465544dd2ec7a9ef8

SHA1
6ef94ee5136ca88005d506554e9c21e3e442fee9

SHA256
629a63ce26916e1cc5351c35b7d062ace912584e960b6308cd02c45fe92ce54f

SHA512
74bfbf210141345fffbf6b59ee89c5d964956b52fe56278c25226ba91cccfaef6ee232abb692388b8ccaf33a6ef1fc771e66a177adac4c27208cf0d2ec62563f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1f574245455983ecd5e1ee796a57808c

SHA1
beccf8f9000a3e9ff09258bd57190fd65d47714d

SHA256
f061a5c53ea5be8e0186eceb82a1d505b9dc9c5a885a3f2c985a5578dca90199

SHA512
f9392360578261b96663bdde723ea2880a54db96dc48a61a93e54740d469a214507093ad42dabd908c51e184cf8067949d2f0ac2331a3ebe6f6da3b864ecb482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4f1a88460ebec4f565da0182239799f0

SHA1
d25cc9016c69191771daf2d8976a536b01b44d10

SHA256
bc6fffc55cb010979d69608b1b9dcda952819a62ee32e02b6c7c7ed71abd7262

SHA512
30a7052fbc1ed528fccf8e86934f6d4efa10527538f17de6d43471929b3826e417cb62328d0703f5e4807bfc0af4b19d67296333a9c8a61ed143abdd416e1c95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9d1bad2be6ffc3e2d24b9d4b3b160743

SHA1
72d21d138b2e33952f6a81177c7d7a7292fd0013

SHA256
bff8dd5fc6d68d874da314b399a30449abcb4ba38d4deeed6b1e0a65e77c5d88

SHA512
adc000b557ef3c4b9094a94e0bd98cdc05230bf1c107f8734ed0f799352d22daa0d6ebede730e7c566dad6b340227c13013d89c74ac820dfd18dd672dc211381

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bc64686848306cffa9025f92d5d077f3

SHA1
fa443cb6858f3c84a6c2b297ca3cce6beb1e53dc

SHA256
a197ebb376d95eff20531ded1b08a88219bb170fc6a560dd546a4df95691a4b2

SHA512
0f2b01caa7459dca08611d6333584d26afa270dfa0b49bf9bd75b01592df86457266958e16d48964b2a82755026787995023966377e8035b63dc610ac220b7e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
698075ff549690e62525fdc4a8aa71ae

SHA1
ee48d80c263d1db2b179e12c98053f020f7a29ac

SHA256
e1a18af775eb2d093770134c8b3fdbbf1b9d79827a3857e4d6c37baceb5b0515

SHA512
4094d9b88eebd0bcf593ab9d707c85a6fb22e153b4689dd7844262c2cc87b4eca569192e0c5758e1719b08dfdaaca918d8d5146c4e65369500e8e1a9e8c4b945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f78be5a61bd2d8f7a536d9c964c28e0a

SHA1
125d49ce91aa310f5f0dea3dd25bb65a019818d6

SHA256
a8d2b4e9d16ab76e3a5f7c1b89415fc69755dd5925a739c58cec36fe4c80b9e7

SHA512
947c4f7d8e04981efccdbbcca1d2fdc3caa7018423896f0d6aa5daa10c96341e6c3dc3620807acc593ee8278859736b8fbe8a670dfb50ceb85f5220b6a5d0c34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bf7aee2c6b16cef39e4bdeb1393cb64e

SHA1
3af93889b7eeb25a3a7c3eff15d087a8359a1d12

SHA256
7a25ab79872caba6689d418fd96f7765f660d05f42b91c48a06f92ce1b4ebd2c

SHA512
0306e898d2ad921ad621060e49e42987a3bbc08fbc10fe0af30af188fb29151560fcf4807ac289a5522cfc7d071942639b7effa71f347bcff8c6fe3977404224

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
460c3cb268579db7d8bdd13fc14dbaf0

SHA1
0b146d339088331268293ed45b00c08c68cc71d9

SHA256
a44993fbf1ca127cbc8cee0403fb490827b05fcac752d62f696670a51f3f879a

SHA512
3ae8af66d7421928e80b5ff6819b16d95ad257fbc0fe4c16aec376316a48c9f305940d36c5ca263c602cda89b13ec603f51136cc4b0c7ecf0ea76e2985a09988

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
64481c37b22566c5d88cdd1e7e556c13

SHA1
8eb7c6a0935727c8d59ccac43a5edddeb86915e8

SHA256
22d692529c906d298fae03abb2f7718ad563f3b81f15dd42c4c13138291489a3

SHA512
90d746b45b600fd2dac543d3e2920ad34e5aa16e306afc31025194c2b48dfb8d286b5a16b7f92ebc13aa057e6b196cad2e9d91b761c8ef9bc2ccb255380c6117

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2ee0c7b65cf861b369786b8ef674ad4c

SHA1
06d5c922de99039fc1d97c4566a658f81d431144

SHA256
6063c669b24ef56e9a777caf9226ddd49834e6a199aa749c27e6d30588b003fb

SHA512
b4c11777e79696ac853855dd68ebff2814973117b205b4feb8d8800ad054deaee9bc189210d88a8f490ca5b4c9af25aa20741d671771d56c56ae85cc4653b2a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7b4d8596998a16484c9774f2493e293c

SHA1
e0c4bfc20649309bb7467ae093134346a5e4f374

SHA256
e3601470077f6adce84f2ba0815a381827d82e3cd35efbacbea41145fd7ae31c

SHA512
0176380015a34d95de33ab5fe8a5e09268f604a98f62596b00ee7c81589b09f4a8102997d10b1cbc5ce3c259866812d761b2f78c18cc67d5971ffa77b1b3db7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
16c49bdd549e8bf9d5868b6f1406643f

SHA1
0fbbc929981f9ff65b4d851f581143e34978d97a

SHA256
efbaf5f4ab4f8b86cecf57c45e232ba1911eefacc264f27123a5e6f39cab0aa7

SHA512
887e0117e063baa26acaca897d7f1979b9d93425204f908772b1f8f75ab63adf3594fbb0965f9b567769a973be4a75dc5a3a10ca79567e92229cb213fd85f46d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
03924d213dc778cd091d1a8beeed400f

SHA1
69900ab05f46fa29895cf563dae250f0a4f44cec

SHA256
ab7716776c798ca276faaa72a5f0b99506fe585176a766d02906be79129b4eb3

SHA512
3cdce1e15d3c42f0bb48f82c6d29b2fa1ce880b3ec861b57c05ac86bf46e7140a05e00335805b06d0de643eccc9b78fe22ce40010902f90e9c17ca4d9b2309e9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
41e9f6e8e09492f37d699c3d424e346f

SHA1
7793856ec379443b4a567c070f4e4fa114cdaee7

SHA256
32fe3cf0bf226cdddee0d6af2830ef4db13e009b1ba9b1f4a089552bc7222239

SHA512
44c05af76bc10b83d1e24a072486c27f776d64a7449fefe7120e1a12dbef6a9f2b0cf4a8629db8ae4ba078032a260167b4f66185a634bf98ed593623a323d908

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ca9cd19a0252a7f1ec753105e4c6dabc

SHA1
d98b2ea79e2ded6e57ea847e515bcf6cca04784a

SHA256
2539059b4cd924ad029d011790da5fa9abd52289f6cbbbfb87c775f5f7b62e83

SHA512
7d736fce43435c808c571e7d524721bf93966dd4bb1472d0528332be104baa5f8c822894577ec917548bc984c2e62015ea4646b6f69d6ed56411709e4b80fc0c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c1722946b920d572188828e01b8d264b

SHA1
1a9bb7a3d606091cb1600b76992cc4dd8af25f0b

SHA256
0bfb79c57a9468e8fd18fcf3d1fc2706aa71a7dee8d28f1d33e1b6f5ef58e041

SHA512
6e4b9904160688eaee2b458941e08aaffcfe4498d28ae5e6ca424ab0458a4d710238b73217fcf33cdb442bd019eb23188ec3d78086d6c81404fa2098fb5a2081

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3a01029048ba441ddfd53e1fe8b48c22

SHA1
8004bb8cea56bf0998b46a52b9ecdff849e7ef63

SHA256
dd8c2b7f9aa12230a42cb991048c5c9f58a4ac180cc81e9cfe3da4e07315ff43

SHA512
1ade5a38864b27229ca583df4b307d6e93c65bc751b48d5ec23a52fe687abfa88ae67424c047053d225e6f9e51df11d965fb8be47468c2decb10639110e5055e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
7006f1151b3d7541890e12eaa63302d9

SHA1
3624a44d84d8937f426d18fdb233757a4526c800

SHA256
23e718e30dae799e4554165e720ee5315a88af57495e69afa52200b512e4c56e

SHA512
8d0f7dd6b55c434d9943f228be78c0eaee7dbe86653a97da589088fcf30557f4b8c561d90024fc31442d5d989f2e0e37293c5e9ca4bf9b1dd55b7b2ee5183336

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3fb9634d2bb0258548cfe1af2685bf25

SHA1
2e060ede1b56db068307b8fc408ad45b69986644

SHA256
066614eec1dd42a9dd771e2aefd5a0faa242b5cf6a0e713fc9b523aee0f6a44d

SHA512
48a561aa910421e8a98be88f8a43ea64b06608abf0d75fb48a5fb85f75cc77ac530fef7bae509e270b67ae986993236683269572a5e33880b1c5a890e4c54082

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ae4a70451da8acbaa81e02692cdb93bd

SHA1
ed76626eabc3853d4f8042adc62c0854477b499c

SHA256
3c98a69c25bd8667bb32e363a922d2649d8f33e85a32ed8b0c6eea5da89e2825

SHA512
036a2b43f8c1f67a69b41e90280557a82cffe242d7f33fd3e46b017c797fb8146de6b50fe35637020d343992daf2a42d5ecfb1cc6cc9a5b105d02842359bd7fc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6ea1753cedbaaa5717d97766202526a6

SHA1
876c48570a7cd2d1ee7b6447645b0e9ada736790

SHA256
f7b3013b0d544231c2b9653ee42e4e5eeda502c0cd0542d6f69cbfb0f4aa2259

SHA512
c2a53f59694e05155f125283cff44998c99f34b03c4d45c700b2a7d4a3e6a629be853b453499f4f1167ded588a5a191548803cd96938d42bb10924c12addca58

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
22e27c742fcbee4de550b7a8c6869b76

SHA1
8643469ca27dbdc06761dbc3dbcbb204de67067c

SHA256
6fa8c2461ed508002ccc1857bec9cca8a58e40f1df3bd74333d368fa79eee486

SHA512
7469aca35b0f0fc4799e495e828279034fd065a5e85b26fec16abb1e2557c46914cab3132c279cfcfab2808ec3b9f834ebea72f3f93d20851a8b9cf71002de49

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fe1dea78e14d13bbe97121cd4ee1f76f

SHA1
b9fa3ed5bb29128ce403c005ff565e68d655949d

SHA256
01edb5a01d4bc8e0979f77e6c6f58569a79c7a53468714c8b61328972506c03b

SHA512
1fe3768453c318fc7676b83928dfa186cb85edd7cbab079fea9c53c8746462a2e934ae93ef34f704dff08b1fb0411558e16c470341443eb5b6b811355003f0b3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
23b2aa0fd27f67c9c0d8ce46ed1969e7

SHA1
75141c81bd90ec37f14f9c5458f9ce81fe12d341

SHA256
62c039c7098c2706106123e7a87112d1bf6753c4bfd1f3d77f2bac0500219f40

SHA512
505bb648d0c81a26a0645129baf99f9ac493de0a4d87ea46012eb833b21b0cbef77547a188c5408ac999f60e796ef73e62926bbc00d88095fa3c4817d117bf94

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
380ade7b107335e45d515b6aeee55142

SHA1
34f01374d6fba929dafaf8e8d68f865efe142d75

SHA256
5466ab472259e60959c4f00025b36014c6cf6ce5ea8d1f6b04a8afd948c96de5

SHA512
4c017692983f95cb2c8ffb1e64b2dc90ca1d7a429c8fb6f4adbde9e3116a2bd636433b5747bc771ad2976c1140df4a89bbdd521e1cd508696818a4b25083c9e2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e7fb48f3f50ee5b01ad6681db6df561d

SHA1
b2c423f0d68b4e4b6256b83f7543d34eb33b324c

SHA256
4bade9ce3e82ff41b561fe0ff0f770430e7bfd36b46eff9bd8b89ae90edac26d

SHA512
98c8cbf00407006db9e0c811303414dac2bc9055d7674a62064c0abe2e9db06fdaf8980e6cd6b4abb18d7fadfedfc4041c45d3e3c15555b210fe9d123fc3614d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
502fdd132d01767321c45122855250e8

SHA1
671a915fbb583d9aef16bde6c831263315120ee5

SHA256
ff788de03a2447beb3430de56158a8d1d9e25cb204091d16d3c669bbeec6123d

SHA512
8130ad5aee0743aa1020b1eff5424859e5aabe5805825dbdfec20d34aafaa377d863a9cf97e21aab7e5913a3b85cc8595662090ce74c7a7b2bcd9403edc72b20

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
05ceb7f10048bb388a67655b992584b5

SHA1
2bed49f2ab9b8208f21560bbd4b28742e3c01046

SHA256
7e7cd1a5e15f4b5eaad2e51c250972705822416102818931e68853ea7650ee29

SHA512
2c1c680e118eba766b77b7d93a421e0bb5deaa73268c1c64377074f8b0fbf238ce913883afee892715c5a13b81a5e9ccc0926d828d02746a761273e43921a01b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b8066e6417f2155bc594bd2ac9e3c7f2

SHA1
7c74b65f8835fef6a5ba7e6d35950f3e04c5b571

SHA256
1e203788ad2d1bc43da9aef1e17fbb49616ba970123f3489f078cfa39ff06278

SHA512
c21583b1a3bb5539bb57a8698c459a9536fb8d2b524d44a6cab2371c2497a0d06f77c65ff4224eb01e1f7e6f0a839d36ed4ac21b699289c7564d850d66d17e43

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2a387db3c775f4368aff261e3ee9f334

SHA1
00b9cf435ba2605383ae31d52c955c927d5e0f5e

SHA256
546c9c90dc718160a838f70c1e254244b4513d4dd125bbd869fa34e045adaba0

SHA512
87ad3307b59cbf8e58298b89a6e329b6ca3163c2ff9cc727755330de6cbacce136eba6283a551636c6dc44054847c10b10eec425a70d15a171db92c1e82ad888

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5c4ecb5ea337d4f50919c4ebe65cddfc

SHA1
1783b5373b5e61ab87bf6d5118402c3069b13c1a

SHA256
1c38f985b50b8cf2556a249d43ff67233e50d6d3e549814f8a2c8330d17c4149

SHA512
ec585d9a7fca8dc5e67d262462e9c7c937c76417dbde900fd1b649edb7cf3c38ce2a54c4d1de90282d017a8cbd694a4d9b39fd590be6cb312edcf70ca03cf7f9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
59db3772f505ec6fb085b0f87e0c690c

SHA1
ffcbef780392f892b4109a0ec3857f0dfa10d01a

SHA256
f4cddfff6675deb365b275ac637ace28e5d1970823fa28f7f37c9ccabfd2ae1e

SHA512
50d011c7a5769b6a308768a0ec53ca9c01d1f5eceb0a787bb60ea209e844d254351d2b0bf159d6519340aa4ee38e20cd0405ee1343d92a337e2f5596ad680005

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ff71683e96016875b131ac7d4a6abc77

SHA1
b8d715eb431cc549ac9eb81d9e6c14ad8120053b

SHA256
dc1cfdf0a9c17e54c53277a896e1c7b8e3eeb71be7b9720f7f9d308b5c13b42c

SHA512
1bd718d7999bde45029587b2d99373476edb24d533f40d215c571f6a5bab0318bc01576967cc6c65fedecd70467754343278a5b3032afeefd9c73cf6764e43f2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7d512bd8c2bd357799417d351eabc606

SHA1
aef85e8e371a6aac42862f8babc2649cad4f3387

SHA256
627acd121f4538b745b5eb12600f659d24027cae8ab8a3117041c351cdc7cad0

SHA512
cc7d1aba421deed304d22307b3190d090ccb739f77643e1784b8efb4443c561c9e820deccda66f46625b7a38887ae6cab19474eacf62539015d47f3a0692daaf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
68ea89c5f5795801a59c3b844775c955

SHA1
b044fabd4031ad11cb7b7a7bbf3fc902c93be814

SHA256
95ab6edb45b32b1be6ecf88aee0084349756c9cdcf66649a39d165e5e0d1d7bc

SHA512
fc2d1850677df3652e62086506ab7317d70881f044b3adaa976335528ea952f860fcd5555b5ded040048711f25aa9a6c49c98739bc0708b43d7e2e3975267322

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d6911ea287e3a314041533d48326e86a

SHA1
954dcd1bc729be4e83346de1788aae6c17a7fc42

SHA256
51f9c6d195f14b344d77bd2879848e91deba611d42232589e7440086d3fcf863

SHA512
39410d96fda7c90543aef24231fd0df3d0fe366fd00a285e8a617bd10c1517cbb26f45f2623169c4abf2eecf00cbaf6a630bc13459866fe73d0abe29d4ab8f8f

Download Submit
memory/408-259-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/664-282-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/664-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/664-29-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/664-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/948-101-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/948-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/948-8-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/948-1-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1128-250-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1164-260-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1204-279-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1648-254-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1648-471-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1744-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1768-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1768-102-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2176-251-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2340-509-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2340-280-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2828-510-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2828-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2892-278-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2892-508-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2924-258-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3112-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3112-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3112-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3112-281-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3536-252-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3720-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3856-56-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3856-50-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3856-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3856-472-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4068-255-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4464-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4464-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4464-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4464-87-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4464-76-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4528-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-473-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4704-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4704-47-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4704-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4704-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4704-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4704-63-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4884-257-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download