94f78bc208bb3c0d0847062ff91c9684bc504cc63f96ea4f7398f345899338e4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Size

1.8MB
MD5

0f71b911d4fcdbe1502e2fb3d7d7eb0c
SHA1

f0460fc4a94f57cb7ee0b29686f1fb43b5fbb309
SHA256

94f78bc208bb3c0d0847062ff91c9684bc504cc63f96ea4f7398f345899338e4
SHA512

8da828209acd1ba7c878f83bc9c12e03232a0b4a4250237fe17a71f0bf5c088051a9db176f2c38642aa901515bca766c29c583e00d0ddfe0df23b4e244122297
SSDEEP

49152:gEo9+ApwXk1QE1RzsEQPaxHNW8FD5nb2LLPrFmRY:493wXmoKe8F1b6TwY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4624	alg.exe
2780	DiagnosticsHub.StandardCollector.Service.exe
3628	fxssvc.exe
4464	elevation_service.exe
1176	elevation_service.exe
4124	maintenanceservice.exe
4812	msdtc.exe
1504	OSE.EXE
3248	PerceptionSimulationService.exe
1540	perfhost.exe
3672	locator.exe
1568	SensorDataService.exe
3428	snmptrap.exe
2508	spectrum.exe
1920	ssh-agent.exe
4984	TieringEngineService.exe
3192	AgentService.exe
3852	vds.exe
4808	vssvc.exe
1832	wbengine.exe
220	WmiApSrv.exe
4028	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24e8ab63bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007513894695a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c35664595a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003458704795a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3e9bf4695a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2a6164e95a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba5b6d4595a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f691e44595a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7944c4795a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a59514795a0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088f8e64d95a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Token: SeAuditPrivilege	3628	fxssvc.exe
Token: SeRestorePrivilege	4984	TieringEngineService.exe
Token: SeManageVolumePrivilege	4984	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3192	AgentService.exe
Token: SeBackupPrivilege	4808	vssvc.exe
Token: SeRestorePrivilege	4808	vssvc.exe
Token: SeAuditPrivilege	4808	vssvc.exe
Token: SeBackupPrivilege	1832	wbengine.exe
Token: SeRestorePrivilege	1832	wbengine.exe
Token: SeSecurityPrivilege	1832	wbengine.exe
Token: 33	4028	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4028	SearchIndexer.exe
Token: SeDebugPrivilege	1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Token: SeDebugPrivilege	1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Token: SeDebugPrivilege	1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Token: SeDebugPrivilege	1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Token: SeDebugPrivilege	1616	2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
Token: SeDebugPrivilege	4624	alg.exe
Token: SeDebugPrivilege	4624	alg.exe
Token: SeDebugPrivilege	4624	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 3292	4028	SearchIndexer.exe	114
PID 4028 wrote to memory of 3292	4028	SearchIndexer.exe	114
PID 4028 wrote to memory of 4408	4028	SearchIndexer.exe	115
PID 4028 wrote to memory of 4408	4028	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-07_0f71b911d4fcdbe1502e2fb3d7d7eb0c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3492

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1176

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1568

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2508

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4c12a53da8ec687b823d557cff6551da

SHA1
1a30c65df099b763a54e2cbd9f23c5e8a9da6dd9

SHA256
8a1632efd166d1fb4fe5e1a7a72cd508a3be4f39fe4f5cc5ad778246f20d7330

SHA512
a606c15d308bf46316eb9c12b4f26609dca4a1ee5b47e231db94d6dc9dbcf3cc5bb2c754691a34d44f75a696a15999e3fbbb67270da2d557d2edc6efacfd1884

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7c45c0762ea2ca45dba5b114813d3eab

SHA1
1d6d0576cb0200704d94b5e098a20650e86a4e56

SHA256
fec22244ca54bd50e2465034dfeb96c8b5b5d5077d0a7d02a8dac626295af519

SHA512
44b12d7fc671a4b28dcfd1abda56436661802510ebf01d9579eb6f473d2dc9a0e1fda34fbcb97ad298b9e0ffc9868f3afdb4d234645675c88fa66aca1498f5ff

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
565baa35ae62ed8dc406a4c0f6b850be

SHA1
307143e84ddba478f39d11dc7d27cbf5feafd29f

SHA256
6602ffa9412a9eaca07f7055e457cf21fd7491710ae4dc3a692d98cfdabec7a7

SHA512
e065ded15593da118bd7698e54ba52c2e4e53d233518112c4c668d640dc256fcb1a93d450eba6572ac188704e5b076c80f25e452cc2800c7331fc6a082792cb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
946858b47b3faae16795618e0b8e85f7

SHA1
c581b63de449742ff647d096b0bb7cac5c809a1d

SHA256
e34ca67ac10d68cebf9a8cf93e54a4be8d935bb45f4f2214b8121977cf2070f1

SHA512
ab03d3f078e300b6dab0db5d7f2f2ea9c1a1bca7274df92bc8001aee9224cb14a223cd4e48550cbf766a33ed37c0fde4697223e7fd4abf9246917810b79d4f60

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9d86eaa0577e06964d379f9fae042d6c

SHA1
830185d6cdcc0b6d2bd9443361f50db53fb4f79c

SHA256
134528aa51476b32f0801349154bfa2fd658da140eaa236ab81cf80a5f723f1e

SHA512
fbe9524625ebc413269cc52e51f70bbc9e49335baa73d1d5d62b557db58ac96e2434664722a138509b7196d9bc596a8b31cd7de35ae5f1b8a337c06cf6520021

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f9fe21a5fe740006d47c64420f2d76c1

SHA1
cfe0966d31c78abf6776db644e5958ab58e403e0

SHA256
6bf0687409178c6af24b9ce98d61e8f1956e9e54f3ffdeaf488222b48a99af3d

SHA512
1256d0230bcbe8b3306b3d08e77cf3c2cbfc3ff079d290aeee7664e2bc07089247578503817409866e76dde4c4b06868bd9ee13135c8f5595e97354b5385f09c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5b5279d4a1de61d1820348555cf4bced

SHA1
cd2c8b4422d1cebb75f7da14c026818e26e8b142

SHA256
ca4a362404daa7c5bc8d62124ef4b0d4e1961146a6c352922661eb8864b9bed8

SHA512
f71bfa4a627a7b62a12e3af1d45fa291f8e114c8832b185121b805707a6507a0183cde47b7e2b20d2a3618f8b34913a69e8bb060a5fe9081e22e9141c8469469

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5872426c3b05d525861fe147248f631d

SHA1
77f456094f3b82639fc327cad6e1501b54bd3aa6

SHA256
dd5b04f49df31c81a3406f36fe22edce7305dd65f2293f0b46358e08bf007499

SHA512
933db6a76b78b343b6b148d2aef5bea152ef168cb9a0de875181b2b2964eca22bcd72a4311c5ed7aff9be6d6c52fe32d635945157f9eb2a9cf771ed79d79a50e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d7985f96cfebb2f69ff0a065e2c02fe1

SHA1
32b486c65ce8cedb5b35eb7b22d4203adb652520

SHA256
056aca13e85d62e96d811c52f19b0a832106b50cfd861b0330070d184bfb4fed

SHA512
7fb61603f2aceb01210b327ca459d4a70a6094a9a72f201b385cc1ddd8ab1a26f77c968b2443f5f22a88d4dfea491834b9707ee6a742d5770e58e94451b83797

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ff72d6c8824950b60a47e3829d4a562b

SHA1
dc14f1b6c65e7457d82a83fd53e2e725aff4aba3

SHA256
8a3f569f0148e980918e3b5e582b04502880ef29c3bc27609ef216f123373dc8

SHA512
c2790751fb23133237869d502c5990a420118f927f64df8b39593af6a232ab2a157ae05bb1aeeff116f70c3990c8bb8c8c00cc036a4b12a9e549883541f2cb68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9d9b3c4dd3e4b6dfb0446107699281de

SHA1
a8685a34dcd99109b4ae00024692c107fc1531ca

SHA256
4a92e161b98bcc86ac9f3be40002c02f0f2e888f5d395029564160a0188b258c

SHA512
e8d819e8e7aef8d14cfbc9e3b837094667fc86d0dc4cbf7d405e7586edb0d4058b4a3ffe017158ede9d7bf6b2aa10bc45ffe0d3a4d0e7a2109dd6d51b163e3c5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e20a8c3f3d157a480ca397bcc650eddd

SHA1
0aaff9489e28b12e7fbb92eb69680356baec803f

SHA256
70dac9d9b831c0a532dfd163f3448c9b112c7ed775e831a46fb77c2b14cb8f39

SHA512
09359bb37a62e4b5fd4539361133203262d4a1852df71c0392cc141e4daa8454b93ab3b14794ba75717e5ea5ae458774f37e313adf596e7c3d9cbb17b95a766b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e7d204945ef723107aa32fa7727ebfbb

SHA1
0ab0a66f47890b02fa46cfad02f083be14cb7599

SHA256
6a8397438fbd9f47589ab7bcc65d3fa4d67b08d7f1127c524a680a3b12858bf3

SHA512
a73a7d07e92705cfade5b02eaf198dcda4975173026221d1b16fba750a24b7cb9c8e3a82ef5d7a5e3ec8af7dfdd25b965844c613bee90f205ec656d5c28f7c20

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8d24de244e7bc9c3f4e04fe38570b7e5

SHA1
a8f2cef5ef66054f9de0d5d90876b57a82a4c8d1

SHA256
53f2ebe9d1f88705bf641ab6709bb1d50458ae92d59d93ee4bb62a0d32edb3d5

SHA512
32b2b47010fce1bd32ea8675efb2852c57c95b045d7ba5fa0635ead31bfae478cbc7ed75e89421433512a629529e9dcedcc321c12c777a0ccb89528d49c881f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
43d41944a83f50ee8a5f1821f24adbdb

SHA1
9446ea9daca89604eeb4275aad312a762f869ff8

SHA256
f522b48a41a06cf62c9c85c6936b2dd8df919895a49a7eb74569a8a26287ed63

SHA512
1c76f72c93563416d90dd690eb6c6429dccd8b7b7ca3a86c641995ff807f6b4a94a6568324350b40799be78e4316a0a7bbea98df6af271277340f430f368740f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ca009909ad710835c9e69e20855c69b7

SHA1
3bee5baf50c6ae3313abb30231b63b79d5a4dc77

SHA256
f5b1d89b165ef9ce53838f267577c1fe3281c81cda316712097fb8cce089284d

SHA512
5acd19741c8eeefa117559ffea2e862d1fc30f70495aafc27a1800fdd3cd7656c95166714954dad966518bf96667a663ab97c0ab1eebdffeb125fbcccb68277b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
de5ee802f54b72faa1c37f385352765b

SHA1
224f46459efef17f04ee88413cc6ce7ef9c41629

SHA256
7421ec3b19e23b8faadb88e4f7c1c312c5419b187e654b6e767e6d4cf3c4edfe

SHA512
bd7863560c11903afdeb9e47094197967d42f6cdf4076315eccc887d6b2fa0d00d9c878c525a95abb2564f8fdb26ae7607b61698e4a590f4b6ce2822dcff1a5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
eb5486b90a187423de36ed7257f3a61e

SHA1
a00d435d8b397efd3834f2f8727aad5147ef7d4f

SHA256
f0fd3faa38ab78c9a334dccc542141cf30983070de730c91df0611a748d9e802

SHA512
69f9c1c824692c62af7baf2a1411acdad525796548932a92a0152990e4ff27d19fd5a0bc06a80c751a2f7f3208f2065b8185d095fcfb55971405fb16d73373ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
026d4654abb97c85917fa04e0dd2ef7c

SHA1
6417a95d371e23fad41bb02cd0dd74f2fd1723f7

SHA256
40be75c1f64e5b0de1d936b4b665170b677f55d0569229760b15c9502a813e3b

SHA512
187db233c62946e7fc7f6c7a09413e10d00d9bacc1a7a2a2e66210dc9b8766d44e9344dc0eb06b6589c3eb76f6bf81e14e0ad1a704c2202fcd2092e6396f3741

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5e0f3ae43e9fa377deaed12ddb3fdff3

SHA1
76a27f850ef596566bc91f34a5c28e7ca41e74dc

SHA256
cf28359e86a92bf3d1da916552b465ea955abf57e109cbda9dd0dba317cdb1f1

SHA512
143b8ff2c686be7e80d3572fd2369c305334429b374ec666eeb5b552a492df3887c6c2feb08fe5a4ebe63349d51db7337bf733b94686125a552d3f806eb7b925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3d56f1f23be59c504922cc135f0bd728

SHA1
1dace3161e14d068ddb99f680dd8862e35187823

SHA256
55df5316c71efda306638076d8033f43c427357a5d096e3df2cc871eebb8443d

SHA512
778bd802ee9eba9a18bc8054e35f9221c38ac316cfca1bffdc4463f915b75859e0bab2d0e4edc8fa055db73e0def625ba00c238fed8fd1507af15ff8ff5dcce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fef8ae24a3cf1e6dbf9eace091caa3f8

SHA1
9901d8f9c8b398803a9d32a44821af197c52eecb

SHA256
3388e3baf1ed114f2c02a22c79002604f6f8838f4773ab175c83a8507fe1642f

SHA512
249702a9e4e7c8c4888cf5412d3e35e428a9e7d8b30dac75bcdb7fb75d52435c61cb05f70b91f3490c0a6dae92c26d424b4a69a8d8db97a8b3b4d9f8b61dfe3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d4c2be384aea840829b6621650c7a4c9

SHA1
3d9e88d91f985643df58245a1e2fc6bc293dc407

SHA256
1b9a4c6f52dca9ce02a2ab829ae3c6a100f385b75c720d9d16907221331bf7be

SHA512
3d13529cdb4f09394342454fedaab5fe5952d2f328df9f97a974ca73439143fa15011e40950c83c657275ccb6d4b4a3ad37bc6382c4a3dc680fb2af5f3d18fe4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
05b436783fd2b0a366d8dfd339746d31

SHA1
04ecd1347795312b3957ec379e2829b4b3a39ccd

SHA256
516288e50193e2d637468ef27553da0d900fb6980453eb561a17cf428fc6fdb1

SHA512
4a404284d6a250bbf4163bd8be83ba9d62892640c07a8b77cab4577436edda9b37c3a4dc067c96024905a7da590f6e429281af5afd1a60ed3058feeb463ba2a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
159fdae97942c3c1283c8d6b720e8510

SHA1
f290af76f423cf96f778ec87a2904141e61f43ed

SHA256
898020d58b3ac5c4ca5b89dd48260472d6a7092529521c39250f5f1cdad9630e

SHA512
9f3bc58ac5bcabceb85856da8a0ad085f1400da6eadb765a4c8b41f97050be71fb4b8a67a177225548a4b70f53a6704a8d436958ad47bf0839e15fcfe3ea9624

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7e719e0b0361e8f3558c18a483f97589

SHA1
cc0e9d76f74041d08d542d9375d9243ce8f043fc

SHA256
10a09326ef5a2ae32fb568cec8326a03faaac93cc670af5fc3901c7458f9392d

SHA512
b642cd06b632494612424c241ea18827e16c08bd66ec0eb603b599127b29eb7afe0f9cc89284d8a084adc55b8f99dbdf642f43374212ad7668148b357dd8388d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e78040064fd5310973c75f5763948dc4

SHA1
aeedd3d446f8b136431cd2f04901034186a84686

SHA256
faa987c96be0f4982563cc7dca8407c55e327a34c2326e9fb553fa4ba3f149e9

SHA512
b4c3cdd999af24aee6373571c3e419437fa91e9daa55830c425bcb767afb54928c82c6b2c1354c4f891480a054ad0f06d5f9be069672f914a74f5595e287f922

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8db84dead0183bbbbc8b48ecafdb80b9

SHA1
bcb0905b35b605adbc2ed608b7195feee1f76498

SHA256
bc30fef4c65dd72b776bfb3b30a55c21d827e16259fabe126952ae438f5d48a6

SHA512
227970b5ffd8a2ed919a89d749abcd9fa186351a654ed1715e1f93ef38a2938ce4a129708fdac2e6407b71783b564e26ec42034b26853f2c997ffd0be578f391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
11c25d8bae9ebf932e232024f966b369

SHA1
c12c658f0e6e5170033620f824d0d45b061e50fa

SHA256
d25ab517aa21c26e130ed2ff64f3d9af5065fa294e958e241b42b7b812c31bbb

SHA512
4af690a49ba5e10fdc09b1963d67802dce9ed31cb6eb16986eef60371f7ffb859dd0422650b30da4d7ff78547654e3f5aa9182e458e25223ceb88ccd8ee450d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8ba35e76e1622e9ac89a84fdc5e186b8

SHA1
c1ff6c112e25a98c3c8fd514aa199005f233634a

SHA256
f6e6c3dab8b128fd1a37a8fefa68bda43901a83e1d26d1fcace57e8b2e7695dc

SHA512
6159970e4653476b7c4b989d4e08204ff0c4f13f077258d6d89d127837f7d54ebb122a04b8f41e7423a10c129167f753d24701a531afbe58bc07165843a30593

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d850ea32f6ab1f52006c972cdbbbbec5

SHA1
0c755f1df3e8ddbbe261bcd93b7b9e9be2a8144a

SHA256
78c1fa3e3cb03a2fa54071189326c2b43719f0375484335d7ce45cf035ef1256

SHA512
d5d3770620774c0616b3a9fe370c671f1b8966f85e1ca97d1df81eab74b4f86c290736254da21ae5018b09719c33bf3ab0ab621ca9b2ea2c02c08dfa0deafbf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
167121b42de036733c6a4b8f4f80fc36

SHA1
3a8047489b878c9884a8d8320f9238647a41c627

SHA256
864201ba88a031f6058935800f68071f699866e17cae98c4ddb53cea89b79fcf

SHA512
31db9f1144213e2392d3251d821f7cf2c0bc548c1cf52aa0ce3204731a98921c798e54d7f818c9473d061449a3b04dc5be0f483a3840e99985f09cab00953f4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
331762ae0ecd7352dbf5bb88d35c1406

SHA1
8293597b5ab347f0c2e744515e930517f5f5cb38

SHA256
6500c9562f931e9bff89d7e876541abe3b9282731ef17296d1a6518f83c4c1f0

SHA512
23c8d1a0f3ff427e120a2e020bf1e46cbd6e3e0074ed6153b2b7ca400e95b023c13fe4e73b951d15a4f0704369d8d4a425c1f896bd480c55a2aba38155220c9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
129c9252eeba36e46d9eb88fc6e11759

SHA1
b59844589c69e187305a72e7f8b73ec58725dbfa

SHA256
75f71d2d9b59936014ce40ba982eec64d8b08cda8f79adc268842a93fd0ea057

SHA512
a28b4f6571e6aedbccb2ad4885bbdca0bf1ea49517dae5a384d7585445ceee45ac7d12d553f96ec775d552d155efe40fb95909491f09b95c025580c735093548

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
8b97a72e73bde2aef9a6abc1887af54e

SHA1
256e1cec47d128a69d23e59bf4a1f982d3556b25

SHA256
0c0a812b64761e0823cd30258f1cd023b13794e0ff5df10c0ef21d468b43cbe4

SHA512
00da12236a3313746047865abfc43a25861069b0ebd76dc644397de646ce282c18d897ab4026d7dfdf3861eff6597480aac2f7e01929f69a93d74bc381783fda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
9e6bc715b59052a424e7aea823ad1fec

SHA1
621327c7a363a9c68231f94918eb94731ced022f

SHA256
124fa323a88a2e4e83277717dbf9f34a1464830cd99754abf4d299aed9b1c0ac

SHA512
ef31e80ee3456ec0dd1bd1b4c49adaaa55375d2243db9b0e83a13e71a08121913f4a129bcf6ab969fb1b606b0b8d4a0187c7dcb6f1f5818ecbb88a6d85e42c1b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1a27f26cd49a8d9ecfcc96b4a91f63df

SHA1
2bf5da781914ac6756d74bf5d2d763098385bc48

SHA256
8c3b6a5cc9a12d7454c4c590e5dcc298cd170ea43a7c0723ac9c97d3212894cc

SHA512
ddea36858bd7aac366b3894627aa99a548bd81c7716d3caaf5a213de061714f4c7aeab701c84794ad85be21d3fca1bed651315e0cbf5bb5d5763ac45852db838

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e9759e2648b8a02ec8bf720fea43c89b

SHA1
2d73b1135a721c1d17ac50e4b5ce46ea8123f1c7

SHA256
6464173be53782ba59dce9035d618ade5f2c4f8479bdd4640a49e3e688f54326

SHA512
83f4d488daf0eab9d4c5bf9b0ad3371426b05cc45169ddcd1d028433c2605645718fc648f1212e4642453751953608f7b1c3ebc13506773d0c7cfbedc3173fa0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b0426fc3da2bbc165fee08c5b5ffe374

SHA1
560bb970147de8efa1a64909787e5922fbe7cd06

SHA256
86f8170a17e4344759aebfc5090ad0399f9c8b95b74e0fb3f984bd8eda5a5d9a

SHA512
0d4855c1d355a6fecb1fcc7caface5c7392bfb01f506a33c34cf852b7f79a20f53fbc85a2be1dfccb73e2fdc16cd52c13dc6db65339c2936efbd281ed149b971

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
739ad79224b4d9e18e390f1dde52797e

SHA1
1099626d7a09c83c973896e39d5631bacb478af0

SHA256
4977bf1841ef3ee0dd5f1c9674a95c87ae9d533008f168bb1d6faa3c863166e9

SHA512
cc3f81f0933178f8cb48e46938b585d7f21a4f2805331dbcc4f25398f1523562e32c7af12f9f2b065fa3f393657a53e733a428c8e8416d9f6633c711d7a940a7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
04cff16252ed742685cc6ad4a47f518d

SHA1
5ae1e0c5bf14d3131dc19fa12ed4ebd9ba5606d9

SHA256
45a373eaf82232f7b4412fb508ac4e7ec2beb42a910ec342a40056c18c89fbfb

SHA512
2b56705b5503b8f420d9b19208852b9e0034e4659d80fcb8806f346f6ec6b089658bfe4aa95eb8ce2b74797ef875bd6f143668093ab220406782b9341423d554

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b41e15a3a40457b4b8d66e35bf066ba1

SHA1
1d35c3f03c77d065f53a54b35d32da8c72178b76

SHA256
dfbc65bb34d7fee6269d9b5d25c860d7dc9678ccb27a40dde0e2e0843cebb702

SHA512
a0e25d68de02a60361cd4ad0665d38e348963efd326989ec174bb7bfcf4fa73b8e2c34ff3e572b2ea94f0da072d47b8c48641b8623cdfef292a5ab1c9897403c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
76b7b71663f85fa72b6315ad1a0e75a9

SHA1
91c027bdd30415093d3a681f60ce4760d1f80933

SHA256
9566af00fd5ef9d44efd707e79746053a6daba6f645579f21f4f9fa481e43598

SHA512
86b43cf59725d502802f3146fd61d1fefc7e92a23f74924130907c9ac6770fd746265ecd70d3723049f96807e63f02492045cfcdb7c3cd75751476700cf7bb50

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ae311823ed13cd86cb64a6816261da9d

SHA1
c4aa705c99a576b68f545f72a2d47d0375b65385

SHA256
79b028bbce8092e27fa8c9b5d2fd123f5216b8c8569c8c58545d4966abed4506

SHA512
4d281d1c8f359b2d4c5814a334117ece25921777e553c52029c7c243fcd4d1ea449b0add109b104b0ace59c4b7699a14789e1334b625cf85a6b5a483ceefb588

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cd37fa9a91352a703ab70f6a3bc0df16

SHA1
da6e73512e127395211c344a65d9c330f163409f

SHA256
ba56a7174c6b6ef5595f91d4090a38ebf49978a67712f578ad7ccd755f93cff7

SHA512
3a5c2d77760d3cecbee944b231845a6bf65119bb11fedd56e31b9bba439bd32f26d229bb7968a65c5e24e936ed0211561fb9f0f5811f6e5d59f58dc5b866dc50

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8728695384ea61aa1f9cf44c08744c19

SHA1
ea04f335c3dacbda9849e3bcc9ff6f9c318da2c8

SHA256
55791b37ce1ee46b8159172685c1602bc8ab90a0ba013bbb3f4f32123342cbda

SHA512
6ebb053d9e161c91e054ae04c1fdecdf9904d9f37425145ccd59dd93516fc89d4f26a7883bab0aa45d9b0ae6829f1359178ecf7e51398fdcdb9f9a0c45748e43

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b41fd87e4ea4674937eac601aec3e932

SHA1
2b22f090b8ca38232a5ee24cef24c8c3c0d8a117

SHA256
6fa5e9e136338f7e63bb4db57577ec69b22c242253979ee87b4423806ba82c91

SHA512
3c882262ad117f3259b318c3c4b4367e56e8899fbc8a8149c2449587cfcbc6a4e373fcbf2afd8e7fd67d3c07809e6d30b985143243e26d305d01c9325e7cba4b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4a766479c0752742409b32935d9cd61f

SHA1
fc85a24298478adf2065aff729ca972ecf198b22

SHA256
bbe07850b279c6918c6270edfc6d1090b5a512023d9e3371e6a4e2fd1ffed88e

SHA512
2c3ff2e73caad22979e5c6653e70d566142815d8dd364072f9fdcbcdaf016018982f4345f0536b793515518e94f7c66413bfff8e8a2005a40e2ec05c101b011b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
566245a6e4818775bbafc1038f282ec7

SHA1
5492bcebec24bd1e1910c43c36cd1e53d3478d5d

SHA256
a2c68898fa8b01cb4e669f93b226b46028cd0593a74a573711ac48455597e221

SHA512
f1d1fc7b66fc3d3b74f989894ec34e42a471e89acd4c4eefbd3a29b5617ad8b95196865373e8cc7b52dbc30db824778f6cd484f71d7551db15d87dc313a83a7a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
49ebfdea1baef40a6057209eec73cd35

SHA1
b689c141568add5082b08d0f5d4e1b747f3aacbe

SHA256
fd881a37b6ba425f2db627610af1f66a67ca126670d7346a0b51886aeeded6b4

SHA512
a217d967878950c75829a1e54801148911605d53182fee7d3e77b593788a99945c82aa9e3d2b21bc8d74560a7b4302e092d55552087e35213190f215feeeb977

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e4e44766d4d8b3f734424681417b0687

SHA1
9ed10ae4660e4216806b27a6a424525898d2ef0c

SHA256
ab7947b00eff717240ed89beb205bdb09aed683e2316297740f85fd5ff1781ef

SHA512
e5fafddbcf589bda875c5622dcc77e7aad1a9191ec9637a6d6e2541764c7404701327d94c293ded387fa48bb7038e1e93a55f0ea12aec6d926cf7d990e994be2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
846d5a5b954c13c4e5019520488a904e

SHA1
f3d1e7ca94e3c73f7600285b8dad9b9c56c385ce

SHA256
f501f40bcf5d6708aafb1d8b8165e5c06d876b1feeb649b97ce8335679846f96

SHA512
4f4f7fa12c466d7baa448261265f227db4288c7b872b2960cc21db0539db2c50f7cf1dcd1a709634169e383a27905f75ee72a178af58412f358067cf0361f6cc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
89372ba1a2283f822ebfb92e3ee93c45

SHA1
cb81de27967bac5ea27cabd23c3f0447cde7bdc1

SHA256
9acca83897198a087fec0a9d276d49e061b282e2dcd8d3cfa22b3736cb371808

SHA512
1c65754c909e7f0ba6d3869ece114a19727e9d7c7415e563594d7962e9f7b8fa8a483fc6f27c3d213f1b674eb4405cd4b5d347f0ea158dc176f02649e5b22962

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
716fe9bc2645d2288dbcbb2462bff4be

SHA1
420bcd05857490371753fccb9246b26e73364ed2

SHA256
c0f8a4ad55856e563f8fc12c6e04a7358a54a455f1cf5c5b3b5cce8af14a5b5d

SHA512
488d962da976f3bd4c7b124602e98350826dc348dcf05f10b1a5ba2316b3417837215a0b151b398e58fff74492841e9e0fb05ea4526e8f7166b3acfec7058a9b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
20de0ad584720aa253a34f07608c9692

SHA1
cb1d15b0fffeb8ad7c98ef48e7462688e7a64059

SHA256
1a082ea872f096cbd48c54c840089121481cc607a82101e9947737ecf795ef70

SHA512
27e9cfcfa128d65b775d6f8ac9a2e6970cb0ef045fe5c61732b92a8225ff27216c90bb90db4e2ad28e6ef1a4417ee0b3aec6ba5b5b6d2af06537d8c6663171bc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
74c72e4fbf2af8fab814180808a83f80

SHA1
7287850cc2987c4a47db48feb137d636f3088c8e

SHA256
a45d8d349f629bf6712aaabafbe7daf342b4cab89228e196ce7d5e1dfc124b2d

SHA512
e6ade359a1672c870db468cca57e71c451969a0b1fb4d630381a0aaa7dd3bbb43300ab34596e43e0f15d03a63d68e434b7538c8fc37bdc464b751d8062de3636

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
94ec49ae7ee841f873b051a5e8a5d65d

SHA1
06a9468bbe77b3ab2c2036ce8770eee3ba7da318

SHA256
e6f1fc7545712fb7e0139e3bae7101dc4b3908f526af976e591c3e23518a157e

SHA512
ce17d4951711dde3c525ee2333765c06b679e482a18f326be281a23f273b7cda8d27c29902a6f8165b8f8acd91538499aa86801abc2a7cff27de63b4a14deb1b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b9ce9909b243416d876d7ba5b105d1f5

SHA1
ff5431732e45f183252ecc9b7a9ba74b05f63f5e

SHA256
5aedc5e5aadc9cf5f6f0cdee7c75d8fe9b7ad7e105f5efcaacac4a478e316b76

SHA512
976b4c489b28e4b82b18d649e62f9e4c266682f61f0bd01a24a37ae19748bc24996d1c9692c0cf1eb40677762ce8fde4d231b59708b2efe3d2b8f4cf71633720

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2952746a1dac61f55f959aa827403461

SHA1
70ab4f06da86874d9078b533bb26d261f0b804fc

SHA256
414e0ed20a82e1134ecc946661c60669e84d81a67ac21bf5b05b639eb7880533

SHA512
e84cc46cf33a09765654e01ad7bb1fd0eb5517b945a49c1a1be9bde1265333f775ba3ddb5e133b3c21f1eebd18f2f582734137fceb20595b2d657182b0c23c28

Download Submit
memory/220-580-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/220-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1176-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1176-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1176-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1176-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1504-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1504-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1540-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1540-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1568-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1568-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1568-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1616-72-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1616-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1616-1-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1616-6-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/1832-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1832-578-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1920-499-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1920-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2508-479-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2508-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2780-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2780-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2780-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2780-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3192-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3192-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3248-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3248-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3428-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3428-444-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3628-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-49-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3628-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3628-46-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3672-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3672-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3852-505-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3852-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4028-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4028-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4124-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4124-87-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4124-77-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4124-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4124-83-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/4464-59-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4464-53-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4464-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4464-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4624-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4624-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4624-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4624-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4808-570-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4808-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4812-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4984-207-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4984-503-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download