19baade6009a67e6945f6502fe52f9e3356d264d956b9a80de787936675dcff2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Size

1.8MB
MD5

aaff51e8ad9a6d0808effc44dd050551
SHA1

de621b359873091436b61bf79c4f4e4349b84415
SHA256

19baade6009a67e6945f6502fe52f9e3356d264d956b9a80de787936675dcff2
SHA512

7d25edd0324e1d3bfc72c1f3aac87ae3e6ff804fe5479b3b6d76d95532b32a0be639e18b425f48cd4be2933bba4f5012b58fee8872d016498c17ceaf999c53a2
SSDEEP

49152:GEy9+ApwXk1QE1RzsEQPaxHN2Dmg27RnWGj:w93wXmoKeD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4036	alg.exe
2632	DiagnosticsHub.StandardCollector.Service.exe
4752	fxssvc.exe
3964	elevation_service.exe
4836	elevation_service.exe
4560	maintenanceservice.exe
4472	msdtc.exe
3824	OSE.EXE
4544	PerceptionSimulationService.exe
2144	perfhost.exe
2656	locator.exe
4420	SensorDataService.exe
4904	snmptrap.exe
4384	spectrum.exe
620	ssh-agent.exe
3448	TieringEngineService.exe
3724	AgentService.exe
2440	vds.exe
3644	vssvc.exe
5096	wbengine.exe
4460	WmiApSrv.exe
5000	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\65bc00914a48edc7.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{72342474-B513-4DE5-9360-4F37AA503DB7}\chrome_installer.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b539529c9199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b310c9d9199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094c8fe9b9199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059b7ad9b9199da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de124b9c9199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f553ca9b9199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe

pid	process
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Token: SeAuditPrivilege	4752	fxssvc.exe
Token: SeRestorePrivilege	3448	TieringEngineService.exe
Token: SeManageVolumePrivilege	3448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3724	AgentService.exe
Token: SeBackupPrivilege	3644	vssvc.exe
Token: SeRestorePrivilege	3644	vssvc.exe
Token: SeAuditPrivilege	3644	vssvc.exe
Token: SeBackupPrivilege	5096	wbengine.exe
Token: SeRestorePrivilege	5096	wbengine.exe
Token: SeSecurityPrivilege	5096	wbengine.exe
Token: 33	5000	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5000	SearchIndexer.exe
Token: SeDebugPrivilege	2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Token: SeDebugPrivilege	2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Token: SeDebugPrivilege	2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Token: SeDebugPrivilege	2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Token: SeDebugPrivilege	2340	2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
Token: SeDebugPrivilege	4036	alg.exe
Token: SeDebugPrivilege	4036	alg.exe
Token: SeDebugPrivilege	4036	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5000 wrote to memory of 1672	5000	SearchIndexer.exe	SearchProtocolHost.exe
PID 5000 wrote to memory of 1672	5000	SearchIndexer.exe	SearchProtocolHost.exe
PID 5000 wrote to memory of 2428	5000	SearchIndexer.exe	SearchFilterHost.exe
PID 5000 wrote to memory of 2428	5000	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_aaff51e8ad9a6d0808effc44dd050551_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2992

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2656

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4420

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4384

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1672

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
9f9a1b59bbb5d432f8c79b65c6bac61f

SHA1
aa17045268badf4ce1d381c40093d88d89dc2ea6

SHA256
e10576c5226f9394f21182d009cb82368cbaf2ff940ea7f03108e3fdc2b9e0fb

SHA512
bbe5b651852c2b909567d70f22b8e9cdf2a288cf5d322dd5b70d8cf8571ad833f5a8c12c580c771c52d5927cf121ef3012971f1ec9158219ce5ce1da63350f26

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
97c88bb7e0a8763a0ccb8338828b7d0d

SHA1
fdd7f74df4e0322d4d353d672061794af265e103

SHA256
e238eb67cbe764c72da7631c3fdde2917cb2f97c9dda6dc46750782cc8c11570

SHA512
abcc391080b4c5e8aef5e93f23a22b84490b0f36dbfc33040405b27727fa6e20f902b8aeb8b4c9f534fb3cdfd3e57fd0d22e22a023f291050d5ddc93b12fdb6f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
263ed3613e16acc108d67f14841beb1f

SHA1
1b6db378dfcde386e52d2af6ca1293f8c076d7b7

SHA256
50d1a3560036533ae0ceb98c57b3ce6c0cce0164dfa45a8162641f1d1c2c88f2

SHA512
7b1053cf93da520acf9554bef8b38056a71a4b50bc587fec93817eac34ad36b4d904b0a22675db2ee5ecf903a479890160c6e3b8b528b54cd7b3d75151dec88c

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
aaca551ef55390d03b5ef34978dc25b4

SHA1
b9f66c586e78ce1a57c2fb73efa31d56b0931072

SHA256
c128e9cd7d1c1535e76fa6e8b638f68f8051099d83096cc719ae978fbca24e5a

SHA512
0946d513921a66b22d8006287f643448dade301aa2ab322bc966a1af411dfefb3486290c3fd366a33efc4ed47e36ad69d6b91a9d32477657a65a86313be85a44

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f84104a269026ba9166acac076bc698f

SHA1
47268c477e1bdbd32dcec49adf29718c6b79df85

SHA256
cd47d4d9aa6d4974b9aa0fbb559e294ff14791198ba2e26477df94e09438cbae

SHA512
955f4e880e60539404ec9b73e1c56878c22ba785b5d6502e7b74c3895ecf17d9a070b76a2303d14d835198c953dc74d2fec34afacdb83d58d4e2a4ef6490cd30

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
b65681813893171100f835b84045e1ca

SHA1
682b9b09d2d58e7fc966f5fdadad958a58c89722

SHA256
b74a2bf9e02e0d8fdeaf8a6d73ee674363bc13292aba221f0dfd0596c8f87bb0

SHA512
3a23a3e0fad4b0deddb592686f32d3a0bc6c70744d08246b7a45161b1b8d5e96da9df05c21e2e306b3c63e4efa870000fe698793fddc972a2d17810c1e40529d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
68df0fbc77222794821df4a24fb92493

SHA1
55b75c9630190d17ede1f76c9cbd8a00587b5f4f

SHA256
7360ed0df01b24fd547897895363c89fb066fa5a17cbf5568afa4dc7f37e26c5

SHA512
539bd959c0d8830ec4579409a444a36debd7eef076c583a06623f9073d3a3dc37a0fedb994eea826609f8458b997afc15537459749f9983895663788cf0df5ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f3aa3d263d2783357855a939caa4ce2a

SHA1
8a62e14b2e28062fd55910b2deeda0e0fba358c1

SHA256
477dae6260c6596f9a83a93d5a7a162854193541511df18ed6508cecc9fc8ba6

SHA512
6b36d884b4654b986b294dc3ad937c875aaae0e4cb4b3bca23c9cda52871c428aeaf7a8e98e0f2996144b3f675f9f5196be2890edf65d844bad03bcf7688aa9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
c29af3ee3d4e13bd64fb46a98f46dbce

SHA1
86ecb662b963515eb00aaef052605f8a8cd65054

SHA256
f5711ee755f149862e2a27b1c2a99d2ed713864a143dd62a2452ccc70a68a3fc

SHA512
f2361223c18e5077e3a8d55962dd08b8f55a3108e28e80b864a0afc9688dabfb91b2cb7a53163da36380677019927eb77b00ea50b3ef4b009f734c52dc2dd934

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
75088c2a3615203955176321b945ba36

SHA1
a0865dd02363abb2dfe862cf13c73b4458c088b8

SHA256
bb216d594d1003619a85890ecacdbdf65086baba872662ad7fd113d97a95ca1d

SHA512
2b4960e6b1b23bc45b9a128f9c862311be4d3fe6350c1ea655ae5d99ba21e5f8e3215f97d4d9a189df8e8cdee52104a6a936e5eb4b98c37c5159d3c26636865a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
e134529f835aed8e28fcc38ecf5fd16d

SHA1
8d6366ff70652391a756ebeaa41630fc7eef2825

SHA256
b3f53dddc2b4ea2da05c2b463c4867fa8268da4c6ed11bf1f70157c750d4e876

SHA512
f8a4f20af5612001760676970ea5d7656780a5abd0f659b409a939d0c542ac0df8d1a2f1a2f15795399f22643dc6d30f473d36c54a85a57b8bcfaca1194ed736

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
7c9890716bb5af23bab35fcdfc1d14e5

SHA1
1db79709731bb6edbdf69b2c8657180fe8d5c914

SHA256
67e30df98ed37fc00a15a7038dda4c19f32c5d542d21d34f5ab990580a474b02

SHA512
249d930f88ef87c9b91f78bc23774524e640795ae9ad08bb43156866367389e808956275f8d20e019b14f62895a39ea8e5dd463558b50839f45b1ac2545ccd96

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
0ce094a7f97413d713ad0f5a94ba8b86

SHA1
ec9f402d661aa340f8f385b40a3e4d37938ca38e

SHA256
a72ea26d29ebccf977b3508c83d003d1cb7a104b587e566f392f7e919d06b249

SHA512
76b53592aaf1bec85eaf81347a8557220cf66f914be501fe7cc75df4f0ea583ca295664c5d58fa32cea7433146c261a6f9a3f6f7a1da669059f9ac9c8fccf214

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
f7b9b234ff683a51607ce9f510dbd07f

SHA1
9d637945d6041ad5c145636e80865908cac6296a

SHA256
dd70a98ad1780d3b18c1c319d62ba600b62b85683a484ddf13c19e1d422e0400

SHA512
1600dcab9898360f545793563283a1bfdfd660fcf4c4c466302cf56027577fc7b50324d3d919654bb0f5d81d5117a4a60be8dbc910d390b1a072f066fefa9602

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
a585c7116537943a3aad43d0635066b4

SHA1
8760048223ac74ef8e73b2275d7ff72d780697c3

SHA256
474677cbc111f3fc220dac25817ff4565c4c3a37b60a93c16fcbb33cf0322c7e

SHA512
5ab5529f966373c6caf2729b4f27310a53b974714815df9778cb335950535852aa8aea29a2a66b78300d5419c836275cafdd58ca96b2f38ba1e2ab015fbc8521

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
13433ec493b694a8fee6ceb7d2baeb86

SHA1
ab44eb98d6505a061ac3b1af06ae54d290747aa8

SHA256
0bf482df57a67591f9d093d74d846f092b5c874ef8c23de8a139924824533574

SHA512
56e09870b5f1fd4179b3cc5e90d25307efd7e45adf739f9d3bbf4459c52a6cbe99354422f01ceb0fee1502b54ea10748b4e019e9d244990c77309333433520da

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c3a4858b1f52e73b0089b147a12ccd3e

SHA1
09c615e9e88e1399b69e767c2b53f92631650c42

SHA256
97cd0f06deab4f3bed2d747c8466a1189f4086326a99fb356ebc4adccde43938

SHA512
2b025cd47e4601ff9be4a795aeb96863e2fa4a0e1a47fff86c7a0f5fa74613d98ce23c125bcb4109502cde0441c62decb625f292480819ebc876d18c53eb212c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
bca7a29cfd2b6e5488d4368583ad407f

SHA1
f52b9dc04cb34046819ba7eb0bed42fc23d28f22

SHA256
96991116d6e3e2f54d30169e705f068c92ad0421019cd1c0e6516789d78feaa2

SHA512
bfbf0b7ef3d2b52ec0b4a1c01b523a9bb8ee6f2890669d7d61785ad42104ebd8ae661083ed2fb8d90aacf85c2f3d693b8c3d21205c2cf03df70dae8148d3113b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
a60244f28d041846e7a4f5fcca28e426

SHA1
54278a59d255345870365fb9ac8a07518601b444

SHA256
114161321a39005b1291909c0c8e4a96350700e4ee9ab265c66db3d02a06fa2d

SHA512
5b00d7aaaa9e97acc20d266961129fe5e6070f872031e12ba03d72cdb1db1aa36fce204ce42753dfcda9a4bca86878da2829db79d9caef388862f0e10df6e379

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
f453f334d18093fb7bcb94de105737a2

SHA1
83da31c748c753fdb724ba4ce9dc77839bbbb169

SHA256
4644a6aaa2dff41eb9af4c48e777ed1e7abaa1073443bff8c8c4ffa93f91979b

SHA512
4432773dd4fa6676e740e11848fb1688498ac766678e9e08cee90e70c66db654dfd6e7a7db2ccfe83cb876c98eee5af622237e0ba8456849e0c4c2a09730ebcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
4041bffd02add77ac09aaffd313faf8b

SHA1
ba7894310bb3c8ed090d8bd1c847c44f3f113844

SHA256
ee2ad60578fecc9775ae38d347b7e59d782d31adea5ce928eecf74ad2a387607

SHA512
f592afbf4132822de0541796d2835a3fa17c5f82984bb279fb94b0553e93681c0221bcbee7367656d9c5a2066f413f1f4351ac446a89bccba8b426bd8488d83d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
84468f30aa384c53dd9c254b3c82c014

SHA1
13681431b6bb7d37438579feeae289ddbd6b7d96

SHA256
2ee3c7c78c99ce33e796648822183d49d00d5bb1740274e28e6e9245e40826ff

SHA512
9133155cb1837d871ec50563f40c69bcbf70694e626e10c4087613306ee3f051d8c59e6712a76667e805742487813d1548758422589aae9eb227e085850b6687

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
177938a27062a4b82c51bd62b3f83ac4

SHA1
f908c2cf3c59744bc348b67a3a52b238dc97e0b1

SHA256
a2b28676afd7de6847d5b70bb0b1fe20115fd273115d12867acbf79a8316ff57

SHA512
020ff85780f5474840781c7e1394512fb1400009e2c114dae77b39f423e4f954dc819db3bf200659051060144d2d61d380c737dfbe5a3a561148e86edc4e1f27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
aa6f4769257aca0287a3a994199ef1ed

SHA1
2b77705762151e38bc91d094dbaaa9f86f613736

SHA256
499474723abb05cd03933891f736e6f964cdc27fcec0e63e4f96ad0f8a6de8fc

SHA512
e3f4e27b31e883eb9a479f4f4d9b540c99791089df83ccaa36fc4ab7198843bc4b20794944f16434d2efb1c4cd6e8f6c7c12564adb4798311cb779c6821fef8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
084b37c3bc41726a57c859dd6233af56

SHA1
5de42c764cf3ee2facdee7fbca42c20124117a3f

SHA256
30aa110cc6efabdb80814b15ede0cd2dceb5cd69adb2f089e5900585d0b1d1d7

SHA512
822e740119dd02baeeb39680ae6c28bbfd4e9ad62c5df8e50543c39221197921cad788c89bb6c55903907be310612471c565f50f50fb60f9052655e98516347f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
be6b1921688b47fbbfb3c1f8e08c9625

SHA1
9693ffc3b0332467c1238f2d64090fff52fc9518

SHA256
59a257f539ee75c1c593ba4d4330453511ce5bb2ceda18358f30ce1fb074bf57

SHA512
c32087008a4d8f4faca7195e84d6d5cbf1f4874d965ae89bf52ecdbcdd1477a5851ae84328d88976466c83eb2bb5ab55aea3403de142e6f81caaf2673d27ba42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
0864f72bd50f84cbe772543ccbe04195

SHA1
c0c51347f41d9309745694540ba0c441666bc624

SHA256
a2964078c7e0526bb03a3959820a6db5d546a1fa219a515867295efd90955824

SHA512
ecbf6e0599fe03640d9f165292af658d13c6ed21ab5d692ee4af631dc7b0d955fcd316f897a140b014bd312c5deebec142513ef52d8ca143b68db51a151991f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
c1d9cb5b5f2ad18ae06cd3d0cc19a17e

SHA1
98fff137505583aa75ed8dec7eff6f21dad2a7c2

SHA256
85b314ff6a5bd91ef0fbb6ba1da7551753760e1911dcabf7f3cc9638a0f5e92c

SHA512
3343b30b602e1953a600ca7889222d95fca8460450219b7114c82df1d3a12c1533b060803b01212cfa85f48bf031084e9a2a4f49238e6f44220512c78bf91b1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
7f996708537146c2340a317bc10d834a

SHA1
8ba67e8d13b34844b4e7a13741b1ed6f0251180a

SHA256
7c351c5ed408e3e76f0a7a1448f6ecbeac8593b642f74418a05f0959c1fb6826

SHA512
88536531a629e709d60ceb72f2cfd793166fc717f64878ff35cd9aaabd82155c5e3f4d5d6238a796c2cd053f0ca5bed49e7952e1b70cfe7190929672cd4be244

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
a3ed065138547ff16e456e2d139faedc

SHA1
f59a306f48688d1ceb4c087575b508937455496b

SHA256
dee79bc68094ef8c7b37aeff570c9c1b7d3b572e82b73090687565c2646306e5

SHA512
946f3dc46a9732bd959c6724b2acca692d103cc7a3773cd2c0cc5bdcf8fa0e4d402cc2aa8b4315865821383efc0dec1f2034d4c98c3748c5ba62e20291f9902e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
3b1e593b6e77f701d81f6eac6611a900

SHA1
fccc6dcc75ae87880aeec155cc4540221aa93076

SHA256
77d4ff97ec426ddf9563f9620f56575c87a69e1001a8afda152e8ad2cbd55126

SHA512
d3ef8b1fb179d48cd014b39954580d78a4bb75ee129df15a0f51961dcd11f2feac13cb8fc5ee28d74b7fe5a55ecc248885d2a4d6f94e5559043282b919e17082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
96231398acf00219c3b505e1deda10ce

SHA1
eddc9fb9b4061effc03e4eb7f34c989d0618e787

SHA256
cfcf06f4c952b94415863b69ede30d56bf762ff5d6e5ec68c314064d8fa5e909

SHA512
10c0c3879322771fcec0819b6132eea8f1ed5afc714112bd439047ceded3bd1f837c57a65c9d1582420c4c0594d4f36908785510d0875b2031e1e6486295d24c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
0322b9f93bf02150fcda33bfb057dabc

SHA1
1ba0040b73d590a2e8fd35a51be6951a6a436712

SHA256
0189cdb4c2816456609e56e1e2af168764845225c67edfe42a714781534ac5c2

SHA512
61d1f7da23cd6588deab92b12f36c5bbc739b87cd288fb05da252fae927ea1fa45c78a512181cc3749feb0c6102dcfdb25ad39ca132d28f970663230d822bdae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
999fdc979c8053e8952052e0945b750a

SHA1
201ddd8010a9ebafef4e631b68948010261796ff

SHA256
d895cc8e4210475c343595a853dbd76bba0a8aa7d02fe401fa3423acf696f479

SHA512
3a069349962b844a48d9713e6c80a6aa399ffc5d5a55e6c836d83efd98eba8486972ad848bdd0a86f291b1bf18a34e0edb1e28980210096998cf1677295b8119

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
3c9b9a968021694543227722b9188e08

SHA1
b8c593fa03fc1404b60641696e08f08e89ef5053

SHA256
2ad008fb477ddd98d1bbbd8c0501b67e5aaacadb4bc1bf46e109a32481aa54c4

SHA512
8781414b419598777a739dcae286ee6c300ed6d7792c70a3e138dd236cdaa9ccf923c49775d9d7cf1d151ade80fb973de2e9be8319744b55f1b5110e85bd3d98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
bdce3f4ab4c7bd49e0a7b9b21e8e94c2

SHA1
95ed5cacdae9075dbbfcde0cf861c6c5fdb96125

SHA256
21215d16077774dde400aaede28a2dfc242193fbed1d95f360d354917f3448ab

SHA512
2f68c4e0db0c4822a0d21db6fb261abe6803d9f700d9464a3b8bf7ea462f6455df9374c1667655be76499ff75805cfa93a85d4b508c6ad98ca68e964a149d34c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
60cd28405945cad44881702b3e7e5810

SHA1
5bc2ebfe6c711bdffd66ecab734e278b114f4915

SHA256
dd065b5e367fd92cad051ed8947dd0d7dbd371404b5605205f6552fa20fb1cf2

SHA512
fac19c0eccc5ab0d01e39e375f8dd2343813c04ad223ea625b32aeb0fde17d8863ee4cdc32a034e3dce14f3dfc84768caa8404f05a9588a76d53e32580e43f14

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
f2c5a280674127911566c032c28b0937

SHA1
e03837a13fa2f481aca6349ebb253bcb25f9b49f

SHA256
a9c253a49379d6494a947a1932845938ed4152b7246664f1be4509ee6a28e027

SHA512
ae41031e447f8fb55c53852d9a61f3567f933888b071dd4e9349ebd933e294318913da9ca07b76af1aa0d7eafc93b49ea8b1f2225936db5acf4e4ba42f5ee301

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
2c5c6e85e626828a9a2afbf83a4d212d

SHA1
f532fc688f3c0382aacc7ba83884826150d29e92

SHA256
a47920d63faffdb61b328c5b93a47deed13903647d1129d6efcca3839aeb0011

SHA512
be5eba4b864e0180dc1072fc60e51e830515c9f40895b604bd28bf83ff7e0ffb248792d6a6554c61087b3325bb4a902b337ac99accb810ad437215c555e0e536

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2776854589ba30e8019ff35a873ab2b1

SHA1
763f695bb97e3cd1474b2859191d00dfd1c68f62

SHA256
06d7970287316523a5c094cb89a3edcbde997f9944f69f0875fc513705d3ae20

SHA512
6d709d7a35bd5338c4c331e00003fbe9cdc7b2e42a920cbb82005120e3a2355c77a3dabf134f1fb391020425084fe27dbf133c54d3a5a9e4d0a59ed8404a14a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
e5b5d21144cc9fccdb9ce1884e07f246

SHA1
de75b16a4520affe3912ba717c25c004aa3d8d07

SHA256
91cdebc6ed5b2b18cdaad0b4b1cd6f6e0838362ec9d3e8636f2b0ea9d218d36e

SHA512
31d59e1f3f2fe29137fee34763f55117dcf84aab58fbd7e2adb6bb3e8f962836ba285510d0cb0fd5f06f123713bdd8e0c14f07f657fbbb39a4b763d98256921b

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b03899ec51dc0316e436c228e214357a

SHA1
1026208413c47262463d9856956b8f7ff424b641

SHA256
2f27ff2710d2e6ca8013f39d4f41f7a49d98c2549394cf2b81ae16a5a2c83def

SHA512
463a69957f1e48c6b78bdaf63bf9de0d5cb9fc3822d639a67c00b245139aead7c40fc95d94e5c4c0a5fcdc0b7508084ee69cc9bd93dd2d3a1301419f186da4e9

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
f3cea66ce89da20ba2a923bf36b9ddc5

SHA1
50803b87f5e2c17a734093c90b44fb68674c71b4

SHA256
d0110a2a61966fc03187866ab98631ab9d723fda6d51016d936e6e2fcf6568ed

SHA512
13463609448114eeffae1314527eac26d5f0f877b38d49f04c8ddfb4dd4a7235efd7aff91e4ef2465f1ca3378c488d95cf94a9969cbc33f647d5fa198ed155f0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
4897dcf0bd1403dbf4613e44f641059b

SHA1
91b40d4a49738444d338d0fba272221067c19818

SHA256
caa1ff4c40a0fd5f08d7ba426497617f8c3cc00dabf1f53af9f30ff594df8b61

SHA512
945efa05808015b21d54cdd74e7786c50e043c1b38e28c91f0e99f96c9d19a3232f4e90353c990de16fc1be025a1064251bb14184884b0662d94408af56c91d6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
94fe6f9a24e82900535c79bcb64e9b83

SHA1
f257e6898649dc1f392b1519bfaf3893662e8293

SHA256
938cd2ca1ef05a247038f63b4fa295bfe212fbf4400e32f2db2f53fb3b804a4f

SHA512
d5fbda8f6d45ef4e0501887a811f75ad57d230be5d1b77e176366667380b079d486ede9d7140c47f15e6d6a52c043cf7188351edde20ec40a4ca150f454436a3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
aff57258df146cbb910d5f96186aa363

SHA1
0f5d81b9bc329c7a47342a6074c14b87fa9916db

SHA256
c38bf5dda4c7a69fdc7ca5b1a6e8047f2484c56ebd50df656d08fb8862bde472

SHA512
e6879b6ff5e07563337c83c880d8701fd2067d9f03f162f02b8468a5291ac63ef529fe2e981693a4839e8d3c637306c4d05e8ef744e056df363aba9ecb8615b9

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
cef73505230436251d8017f51c0ac706

SHA1
706c65ac7b2fb2aa881fcf985846dc33fe7663d5

SHA256
0cef1e28e0def2fb41e98b9f9ce6092a97104a35ee42800e4c80e81ebd16ed70

SHA512
6f845164ae8e76b24cc83d6b22b0a7be5bc906ecd922dec6a8ad80700f97af19a65b681f57b998fb20b6f8e1ad4048d25f6768d573c67c415e3f1e03c5dafe79

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
62e357e97dccf96cc5bb69a0be5b9939

SHA1
11e2bacd722212903b6048cebb808d983dacd708

SHA256
b8910b3911ec1137ace391e21397bbef7e34a220dd37fcf3769628935a517ac3

SHA512
ed39de9b834e220ca1b682a9b5fac9dd8adf22f791f05872f3f715b43f91fbb245a47ba85c2d0e6efe0b4cbedcd05d42bd7761480c0eae9c60baaa45b6b14228

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
fdd3aa96463dfd1b9f71edeebc56c3cb

SHA1
c221f8baa955a22778ae03b85315405e152bc878

SHA256
f8f999ad12e31f7880edd66d20d092edd2ce9c60a69cddc89cc672b4ef9f368d

SHA512
e2e4ecb6cde27ce1dd2dae5875f91b15fbed368489d5b5b6257f66b9ee44ecaf49e962e871e73a5d2554ec81f965641b89e570cdfedfe8d3581ec8f45d902d8a

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
ac95ab84205019670b5233b0e74a1243

SHA1
ddb5fdf12aa30f318442d313de8c4686decfa53e

SHA256
ce9da8c1bfae7f58f5ab8ac30c67da7a483f8678ac0615bee840f2cdd1943519

SHA512
b6fde21ff337e87504f97e467ee1ccc66974723dc2c32b033a0e6b2c43fe7a4feb3363914b4a7a1aa34e80f56267fdbccbeac4065f9e37002aee61e7672b76ec

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
1b6a63b1f3080c0ee6a397db17abc2bc

SHA1
93739a16bde1533d9d0c640420dd0740e1b492bb

SHA256
8a46126d8bd14f20314230ea46bafb044fdd1fbbba2bb7eb9423117d6644329b

SHA512
cbfbcf2a92161a15faa323fa93df315f4ea8876a46d6f2aa8230fa7cecd29a20b475b5a2cdaceea5422b00a1f8a76930bdbeae483718792575eca878756bd6d3

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
823ed22869d250f7add7025d10a74ea9

SHA1
4cdb8a3ff0d8d2daf3b3922e28260f4f5c5f5746

SHA256
be7f36184d0c955a10f580bf30522f8896f64b572292faa21b61f484e14633bb

SHA512
a543fd546a5b51b5e74eea358c58b690d3c6bcad6ec550bdd2fb564771ad2c902ec7f1682a450140a6bf88a17c2f495a22a3d609abf295fd1c7185e7ed9bb45e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
5942c3e113ce6dd08a275d4ef3ebe80a

SHA1
cd6e4547cd2d1169ccb30178f5d0fe625c5ac149

SHA256
9daa717c0af5acb33a5a93b171fc941c4b416664ecdec08e604e49c2cf53a79b

SHA512
74314c937e008919d4988767abe7785f7db81d831681c0fa4dd87878f2984e023e3438005db14dd528fabd6dbc79f56202c4cea668a5ad64516c64f6168f50ce

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8422a2f1d9a8b6ae5efb1b71c8853e86

SHA1
0afdb122e974cb260819c4f47b79109da3742def

SHA256
9f09550e12058cc4fc8b9038127b4c1f4b403ec0df45c1fe35f3a9b0a3454cbb

SHA512
1ccd3d6ab8383890b23867a3d91342c025ff6218ccc68d827c5bfb634c23e4962f681d41118565e3442118c4fde54b76ca626d0e17418872ee845d642ea4205f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
563665646b5227ebc9539ca2aab6d7bd

SHA1
7fa274f8bac3bf1679c8a4328d9d11d3d2f7db74

SHA256
9bdaad067098e6b4ba96435314aafb4795cdf0cbd534a76055d1c22dcbd0f5bc

SHA512
674cd61966122c89852d61c93139035a7811ffbaf28e68ca69aee1130a817e3b6e5ff0304c65d65050316eb8ca4978b8d5ad4d39a459ee322e06f36e8bd89a3b

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3fb45a371a89c1a14b9bc16da7fc69a7

SHA1
7367a44801e4a69be799707c6eb5f058406f3ad0

SHA256
694cd9e03a25cdcaf0236470951e5622c54c8476622b4c3e0f8022024edf4aa3

SHA512
3e1644dd1b7fa8cbc711fbfad8ca4f9046c20b177931c27f5a329dd7c679dab9e70025470d4235b12a022b22dcd9eed9e97a6f6ef6aa487c1844a3986cf2f696

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9824d81a8e0b68eb12d62a45725d1db0

SHA1
be0ca2c939def40a8aac59a3dea310697db5b7f0

SHA256
6dd61db3b84219589849d525900d53bea7b28cad44bc53be7e4170c76b975acc

SHA512
24b86eb2a40e755988ad3340684ba684229bf4b4f7857ec12156b10d132d16a95f95c79c8c7b8589cfe468ecf49150937b6a868ed532dae1fcf3cfbeea4fbdaa

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
a14168a5987003d46c322d91cb8aef8b

SHA1
af3195d8462e09eb15c662e912b04a8493a7bd5d

SHA256
ebf9d47676158c86a200297afefe1a21ffe166fb8d7e55d4848bf6a336f136eb

SHA512
b4fc8c4b2981efa90f957716589eaebcd61608e30cc4002ae12e3afacf9369649796d31aba710c9a63a298e881fecbeaa024e3c88ec8658616a56acd443c4c2e

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
c61d1d79facaf848eba68c68d9931e74

SHA1
c6b5b1d5f807107de86031e0ef32b046eaf1ac21

SHA256
b3dc63b7d60b702e196b9d07b33eb3c347e886a389cd0b8df8137b509497552d

SHA512
99bc6e500c065407680bed9499692974641222eff17af96f44901a1ff7a64f43f1945c19124a28c715e42be784868228b653cab89c14c7b36f3792bac9d99a5b

Download Submit
memory/620-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/620-520-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2144-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2144-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2340-1-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/2340-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2340-73-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2340-6-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/2440-525-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2440-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2632-34-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2632-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2632-116-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2632-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2656-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2656-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3448-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3448-524-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3644-526-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3644-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3724-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3724-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3824-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3824-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3964-54-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3964-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3964-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3964-48-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4036-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4036-98-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4036-11-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4036-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4384-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4384-483-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4420-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4420-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4420-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4460-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4460-530-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4472-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4472-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4544-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4544-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4560-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4560-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4560-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4560-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4560-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4752-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4752-39-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4752-58-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4752-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4752-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4836-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4904-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4904-429-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5000-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-531-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5096-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5096-529-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download