fcdca87f20fb97d4e5402a973efc333b1d8ee6a8ec6e8383b45a8261efc97d5b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Size

1.6MB
MD5

654ff17f9c84bb57d64791e431e603a1
SHA1

19adbb94ba54fc36c535ab2bdab9722694a09522
SHA256

fcdca87f20fb97d4e5402a973efc333b1d8ee6a8ec6e8383b45a8261efc97d5b
SHA512

fcff22b059cc7ce983cbbb2ece54b94ca1511462dfd21c8d6a6ad5a7e1be2dd79b3eb1b42681c663950f297ae3cc29575a0871774cfa7dd949449291be71498d
SSDEEP

24576:N6Bc7ozX0j52pMkuLoiSJVlIL29mhNq6:oBZ70jIpM3kiSBM29mhNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
884	alg.exe
4628	DiagnosticsHub.StandardCollector.Service.exe
2668	fxssvc.exe
3048	elevation_service.exe
2328	elevation_service.exe
4956	maintenanceservice.exe
2776	msdtc.exe
1424	OSE.EXE
4808	PerceptionSimulationService.exe
5072	perfhost.exe
4836	locator.exe
3100	SensorDataService.exe
3852	snmptrap.exe
3764	spectrum.exe
4516	ssh-agent.exe
2108	TieringEngineService.exe
4480	AgentService.exe
920	vds.exe
4636	vssvc.exe
3132	wbengine.exe
3648	WmiApSrv.exe
4084	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f2223661bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003903dbededa5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc3b5de7eda5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4aa67e6eda5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087cb82ededa5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049ad86eeeda5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7857feeeda5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d2c0ce7eda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ea202e7eda5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f70e89eeeda5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Token: SeAuditPrivilege	2668	fxssvc.exe
Token: SeRestorePrivilege	2108	TieringEngineService.exe
Token: SeManageVolumePrivilege	2108	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4480	AgentService.exe
Token: SeBackupPrivilege	4636	vssvc.exe
Token: SeRestorePrivilege	4636	vssvc.exe
Token: SeAuditPrivilege	4636	vssvc.exe
Token: SeBackupPrivilege	3132	wbengine.exe
Token: SeRestorePrivilege	3132	wbengine.exe
Token: SeSecurityPrivilege	3132	wbengine.exe
Token: 33	4084	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4084	SearchIndexer.exe
Token: SeDebugPrivilege	3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Token: SeDebugPrivilege	3628	2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
Token: SeDebugPrivilege	884	alg.exe
Token: SeDebugPrivilege	884	alg.exe
Token: SeDebugPrivilege	884	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 5116	4084	SearchIndexer.exe	111
PID 4084 wrote to memory of 5116	4084	SearchIndexer.exe	111
PID 4084 wrote to memory of 3176	4084	SearchIndexer.exe	114
PID 4084 wrote to memory of 3176	4084	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_654ff17f9c84bb57d64791e431e603a1_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2472

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2328

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4956

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2776

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2550823a85356a8f94dbbc0e97d791bd

SHA1
2efa71bd90ef81730725fa619a78a60a75882c59

SHA256
dd8239c3b02ccb172a2fe5bef629c192373bcf39d55d976af0e7ae245a2c68a3

SHA512
3491cafa8070ed58029c61e3ecabf57090bf41b3efc712547e743f97c14f45df14849e4e9627697198400cdbf7be8039b40206ada6e39f1d5f144400ba14169c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
ebb19ce274a2a35677a3de0519fe10a0

SHA1
90a7388256718965492e4315a6b8487cdb393f09

SHA256
db445b1a39cdf09b1a4e4ac90bef47ef650dc23e21e733999c4286e09fa46f33

SHA512
26a4a9b916a76a63e70ceb9a3b1270e96908dc334bf08616f9ed191e0939e8ae7808a5982aa2945a343920106a6d098a2fc49b99e29a49f7a6f702f85b30cc62

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
55fd611aea1e20e5399d0604be272391

SHA1
688b0595e6717adf4d127cda96a1a2a419ccddf1

SHA256
4bbd04eb91887eb6e699c8956c7fec5bd2a5ca272fda681e3f33bd1404532ecf

SHA512
563bf734d5618a2bee66c808756e9f49e68e956dfe2addbbb45f091c172baaddb081da1fbcf0b411746efe521ca0d7abfa573be981f4157a3e6b0491c978dd63

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1c1b1915c616f18e4833438b31707cb9

SHA1
893d87843ea8c164bac668602a932fa8bcdc6420

SHA256
737a3c1bf2cf43c739e661628cc3e8ce8254bcfa613c9d62effc8caa3ccc4bb3

SHA512
70af50019d5c08138736c3f4975ce2010aa796766edb8cd8a4c7c132d676002998972342fb68539f5646afb6eae1e6badb9bf17352d4f989d0d5f4fb31ce5286

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9bb3a5d4fee6a4fca9a43eaed7e559a6

SHA1
f7b9de5a071d618f92f569ae6c423fa3516a3b61

SHA256
6a82122e1bc93c22a696b396382874fe11c6e99bd488dc9a971863cc4a2c2a54

SHA512
6e3acf6c31d5d0d9ba78c28c534eebd4a114439044c4bb751574ac73d0b1222a2a26ed854698014ea0af93a6ec551d4e325614673e07bcfac415cdd3215a576b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
5e2ba43a05ee79a46c8162739cf5b0fc

SHA1
252e495e16651ce648b22295be359d33a8bafc5b

SHA256
95ea0f1df3a15fea0945ad99ee28ab6b30e9378ed2b79519cd1b763662a3268f

SHA512
9fbc0fe4906318093d752c46d7365a3cdd2bfd44ed0ac2961f7bdf249cb415cd798abc07165f396fedb29369c8641e014153932dda1fdb31f43358cd698a0f5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7d7b1a508c2a5fa7fa31d74be0edcf86

SHA1
64f7fa571b4e075964d3efe0c55221f299c06d8e

SHA256
27a080c2bb0d72a0364cbd6b6868dec412508efa5ea847c5e5be154adee767f5

SHA512
d3adeb7b133d7c16cdb593eb340fdf33ce3b6381b5b331a15737e6356466208fadbbdaccded2d2227bd3c3a562e4fe3c458649a8681f3331a6c12ac9edfc8b4a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
085be8915743d016e9d68015898e3549

SHA1
859413f579eece3d29f45c7f4c2e56a37e946da6

SHA256
8d7b2701f678513c917aff74d1fa3cc108328d5b828967c8bef5a634a4ccb213

SHA512
f9bf536de5d69df4c1afcb58385be87a45b4bde69a88b0b138333af670ac910ba86dc5187417593bee07a0b885fd409631ab6d4247ee12bb644f7681d10c6a2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
95d3952855a5881d1da1a6fce4ffcd2d

SHA1
0e5188c982fe9df2919f65f649938549fa4541ba

SHA256
759a69812d8fcdf1cf20d2288483994e68010675de15a8b89c989273f5a14e2b

SHA512
ac9d185e3fc1e5dd7b9105ac06452a1018e3d33d6dedcc3c38ddd899534f963d2f5e8be729dd853dcb394cca7510add8cc65062c8a0ea1c8e04a4d984b407ae4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e5c7952860b9487a62a92c0935e0bfe3

SHA1
369cc4890b992a843e5c8d433b544d057686f31c

SHA256
23e3d7787a64578fc9f40f314d41bc9158fdd1f0e9c001d1ebb721d6c7c14b78

SHA512
3f98f830f97da6a6eee7ea8906394593aacc2357fecb511a697c7c0756f9a5d4b53d7175cb74f895713759262cd6f66d2c7bf85c0aa36538aa38a894167f8e9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
910b035fbcec1924edc2d2b90d57cd98

SHA1
898ee2e625263a0182a56394117f57ed34ef787c

SHA256
1d8061a3f94c3f82f6dafaef8962d01bbe173ae44e0b06564d849561d80e3825

SHA512
e75204a7c1f5042a1e0cf6a8aca2dc1a6498f63e714e84124e9ef6b8e3ca56921453460ae99b3acfd3dcd76b878ff03bf33679026255b81e2ff2a4cedd140d58

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c914e7bf1ac9ce8bf8cbe8a1af80583b

SHA1
4cb421a7d04a1216e1c4a7dd061da4b5f8fc4962

SHA256
8a49e8446f7c5039768bb32ccc769ca7b3ecb57072200d97b5e1b94457ac9fd7

SHA512
5d9ed61aff9950a973e2c9c69bd968e1c9f94cfa64cbd6586a1d16e8e8269e17362f856197bca198b60dca00deced19074bd12a5389892b52a389251c277cd10

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1ad1389ab000a965d0c0e8a1bc958fa4

SHA1
0d9158b8423ef62705083117ec74713164961f77

SHA256
c8f4e903be3d853e022031de9ab024e5e72c3bee0a97b76a1c0db4a385a5671a

SHA512
58767d9d5a521bf794d2dbe1b0f235036f4e1fe8f6b40f281f0779f493bf419a3abc57440bf9fdf53d5f3738c498fecff9198baf5b476330dfc8473ad8e49228

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
fe36ddac9a5be2a9c3acad1c4f2f46be

SHA1
7a61e7f651c135aa14bb1e4a37319e452c435c2d

SHA256
e273ada8df662535e8fd46d4663db5a6a115aa67b99d097235746fc6208b8f08

SHA512
92e95ad4deaf71ed6937a7e7e8382f50180b7b431e37b73904e4fb99902d7eb9f8535a6b726791ba8249e8daed5ad9390c57e7e3bf12a89940b11acba9c42802

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1019019f97680a5dbdf5dbc5721a3f6c

SHA1
93aef36bc1025197c3053feb6f977b8cfd2f2f0e

SHA256
b989db870f3a1f228b8225e5f387fe299490a2433e9f00f05c5633037fbc332b

SHA512
7903867dcfca1d25bb6d41ba2ffb7ae7291151d9b107ceef5591278e91728ffec92bfd44ed2ddf6cc4fb12873bf75532706cb55c4ac877f82a42d3db0fb66f46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c730a776f2c20f97223018972cd3a4b5

SHA1
cb0567c9f6e8a3827b07dc3e17884de7b3f87d20

SHA256
0c5f13ae9b5cee489ef3fa9a881f8395a4bb89f2589baa1df67299aa8da26350

SHA512
4998a04644415b44c679763ada577eed6cbed29d9f424b8f54d84e5e6d90b4d9aec5b26651143621f4d7fe24ad0e1b38c130079ef13a9199c611c6f464d3659a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fb77f6cb586baa9492f363a34a3535f5

SHA1
7bca746a0514f7c8a1faed672be5f5a63eb14534

SHA256
9df431e66b120ceb4d2500cab4c03dd28d69d97d851d3eb15f8f5b42d23ffdcc

SHA512
39fc66b4bfcd44fa14678750e783bc6dcee11c8b1fdbdfd78e3ce3aeeddfb1bc7dffc7e9eca8d4b096a2ee47be18e479fdf62962e915862481fa2d6d0d99579b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ea6b087973f72dc0b7725f36a5d53fe7

SHA1
67041b747079ea3cd438b3efe72b6672684a2e25

SHA256
7147f764dd232e29f67763664a8347879090d845fcecf7296f4a5ca3a4768a0c

SHA512
bcf1860fe0ad5ab9697cf9196f3209d3d55511cf24560b8acc838e756170a46e7e2c8fbaaef09bd4e594827a9769af1b45c8ef94b4e221de9db14f61f2940de4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
09e429aa12f1ccddbfd78c4e4dd7d6b5

SHA1
ccbd7608dabf5dc54b1b1f94eac9001aa2af1e2b

SHA256
71a0eff66fe8c8d0a70bdadaa245dea0f6e968f07eb378292064165bca5c0cf0

SHA512
a9406911d71e009cdaed8e0517e8858958df99da3e95e25cefcb1bd6eaf71fc059d2573cd5d69101fe535a4257e0c58d4c4bae9a1a41ab912a9f5f4dbbc421a2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7d9bf8baed281bc839c4149ed74912f1

SHA1
201f6c6e7322412d9894dac119a4c1664ce1198a

SHA256
1e645adc18a494b989810ce7b0b6ae6acbe1fe20f7186c52d2db39e76ba74fb3

SHA512
c0cc6d3450f5f8f53942e7181b136979de6784a33ff98124b17c6f53fa499c9b53516c884cdd10634ac4d750b8d40ed44b8fbee86f85dae37b501334c43a7614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
4362e25666a652bf62c10c429a09b46d

SHA1
311d0b128e308fe78a5b2571166c20350cde92b6

SHA256
e1acd1b97d594821bc55a119c27b464ae04ab2217cb52f74b0c83d9607115d5f

SHA512
b41907a2f3e4a8cabb4bd1079a13b1627d2c0494875250a7336c1f7ce1ee6f99c468f7113ed2e1681efe0e5286fabdacad620d5f0b268f3b7f3da77bf56f7047

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
0af1d2468e6e743229329d06524f9da3

SHA1
e3ba3fcd0a312a561eac397230b8155ea83194fb

SHA256
9a10c3fa981d26d29a8867b7299a645e17cb80d3f1b494ac888ee41519e2c491

SHA512
11e4934e35ceb9c858d04ad8f96258eb4cf2720a96b3adfa14baf6da74fb66db23266b4738df156015049969b1fd1f4fb04d6774e792922aa342eca5b3e62fe0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c0a05919271a6366be512b93207eed5a

SHA1
69b7fa87fbd3ef55074bec9a75cbeb70a0e00a4f

SHA256
0e91f81bc902b49b919cd4323bc2c1d04757229d07e723b21cb2c48fe2c39608

SHA512
a0e02b793dffc3fd5d15cf6f047e073e5188ab9fdce789d27adce3042e2e27c1ab22e38c61e2e6f3fbc6fae4447b90f0bab82f5fb220a90cb8f0f608cd055ea5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
434614d5e587aa77e4302c0f1780ef86

SHA1
797269332adc1d245f06dc0f634c4d15d5d3b8df

SHA256
8c3aeef904e7e4fedb6ac4f32d409e45298c9afd984f7ea174bc8a00c42d758b

SHA512
5738f64c5db8a4299e921780790511cf69fd30ca425678ad671a3ea948eab02d05c40ca8cd05c7d9aec859713bce4e79335fd800cc5e0bb9a54e4e085767e23d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
b2715c62d8ff7bcadd472079c7f0701b

SHA1
81bada5159c00372c31c9c4039837b693657c58f

SHA256
9b447f316f6d224de80e67892c42d03136820a7855547486606e57148c92a92f

SHA512
bc73db51561a7f8d6aa64361974e29a75639519c704edca3113854b03fdcea63eb8e30a1fe20d513ac90ad99fc67c9629e472f8c46941d7d4b15ce1e8c720590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
afb7c7c9bf66f7707083d3f8d97401a6

SHA1
be859fd087ed8fe78ebccc9694ea7b81a89cb7a2

SHA256
76e8a14383153525c109c034e892b7e05d50e5d68cc5121c16095b0d4e62c055

SHA512
88e21b4e9d211074d33ac72d9907351d8f08770ac9734dcf4c23b6f4e1e6cea93b424c909b8a964743910cd4864fc9f5745d337174112722ffcb61c02c5d05e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
2a956ed407b5af40a0f83be63245ae8e

SHA1
4eb396d6c47465efecaba458627dd8c4f11751bb

SHA256
b2109c212480a3077e2c28e0e15089b812a11b659a8a24c9c663cdbc07e23f45

SHA512
914f9018b6bace1f2aa672681c0ae05f637dc94ce7fd213345f29d4eaaa6c8019b0bb936181ec3dfd442e6100684296f4f743cc3772839d7b7b7c0ddca60f95f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
d96489a27a68f69a7becd74081744c61

SHA1
ecbc1d2e989519d9b70700f623be3b426610794c

SHA256
52b2ee988b283d0bc581fa7db74d8d19ec4676a5c343c7f4330421258a5cb8d1

SHA512
5edb31c0fa3dcd7315af9b5249ad076932e2e3caf9907e7d22f9e139536e787102fcb5a7457fe3c7ea4c5a3ed12044d247ad452dd7a2007104757eb73c015932

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
cbb03c3cf76840c1d23cee95ae65477f

SHA1
c87b7d0af5ced756324930fd10705b5d46787012

SHA256
90579060645de4cced64ef1a0e6559b5f2ae19519442428bb47a024f622f5639

SHA512
2cac8f81741ae69f42c92038fbce921f7c26d5800a95932f50e1d059c9041a1321384c25e2d42d3e89bf739968832d814684c462ca61400c3ff767ad82113c51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
b05c1410bac607f4cde2fd18ee221fb1

SHA1
0e3f38f31639f98c5abcd8b0e58814369d3c7ea1

SHA256
e5a983d03c4fa3a07db4e5cba5d36378f0b622acbd5c430fc456beacc2904696

SHA512
b3987cb5a2cf0f23891133b63cf253f0da82ab4827791672e6378beecf0ebacf78c26f43b1489c0bf30d0a8d358049a163b343fb2243f0dc6a9a2d22e782fccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
9537ecee39b574aaa9de7c8cf55475a6

SHA1
eecfc51a4f29236fa55a50f7d8bc6de13ba84bc4

SHA256
ccaf1b9ea40a9b1c8042b32b2599005ec2221cd361c62de0ae6dc43df20db451

SHA512
f7a2fcaa29f3ad46c89157bc379515eb2e8e7c06be5899426155af3f71a6d768f0409062e652394b2c2fa2b58a8a5d4729a30505cabab06954ddfeeb547d36a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f8bb9fc127a1fad2d0f3c07127b27929

SHA1
3b506af3c825b4e26d8f3d6518b18476ca345c3d

SHA256
2be9ea3651933346e397e5e7b21c80151655c6d8797e30d25a0eddc0c2e7dd27

SHA512
e2497300cd61b6c9f47b463279a268fae9e12190d9cfebbffad0891d98b9022687e5b6aa1fead9ae112677f4257b98d37a83e75cb62ed4af4e57f87ebd597443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
2828657233aea20f7157c197df934f89

SHA1
351ccf2fe8b65b3da48513fb7c00a085395d2f37

SHA256
3f389cfecd40a617b9a311861920ec374e10f9e2288e276675f6c58d25106a18

SHA512
f4c7c7fcbbff8e04297f1d0bd580a22948f41adf92c0df76d83f8de593c8f0e7ad43068d34dc1b2e810b3222efc3563edc3edeaee6a74ea1160d0a4cfb9ab07f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
433e03d07b9b21a920765d306ad028fc

SHA1
e7ac0c57827d3c88c705537928de017f9660eaa3

SHA256
7bd6efd2f1159b3f9df74b78cebbf145bb774f59539aa20689f9a7f8092a1b85

SHA512
b211c8e250cc340ffa6e0d79fc36f107480d5940fcb556dd05e3172d40a6dfb991ed9b948e3d1c0374938e3122f63d0233e7e815730f56878e02b6780844ac81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
30acb3e94ca35da9a18fe3a47c2ef417

SHA1
3513c8afeb1a399f5ae8f6850eebce7dbcbd1186

SHA256
6b2e04d847fc3416aa73d16d3628910055fe19eff71482d2464985da678122f2

SHA512
287e66f853b1fd75ecb3dab5a500ef69807a0c31a00af40485d5600f5615201526830d1eee2fcb186a414ea094c3916d3dccc5c787d0556a2c2a91044a7d979a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
e522b32a11cdbc3060e09c45ba031c7e

SHA1
fb490cf2867bf69ffe647df430021314969c45d5

SHA256
efc07b2d781a38750214212aacefdb4377718170b330b8f36b813554af8a8a95

SHA512
d72725e553e774c7be5884d98c89d94576e0bf1141c9e9f6bf22daed9580fa90aaff055ce82cba8a636876f0c3fdb8e04997dc8af71bfe4e8a32c74b59b5c248

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
816584cc379b679316c9eb0fc596b5ff

SHA1
9ec1261b3b29aea056d7f83b6b01c0656376b506

SHA256
002ea50ca73e81f9c2e6a483a5edff252a81d6e7d0ab148bc277775435d17382

SHA512
86fbc21bdc96e5c0c84a9f0abab99b77668ff654403f80bb58a2b9dcd2020350d985e3f48834ea00071a1bce99e1987504c7098bfc2846a1584d5aeadb94cee9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
90e3cf821d6221cb39bc7c05423c0c0d

SHA1
d87894d98f545b5c5ac62651d08bb8c7d5da876c

SHA256
66e601020f38f61efb0753686ad41a7b06f9289749356418d30597b9f7e67984

SHA512
f9f476d349beb057a092cf5eec7fe3ab647877c65a6ad15565dacd35590b1123548d820f1f3e19f729795b7b1b41fc6411db4136f2cdc147a504737def6bfc8e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
16784413d40a9b1a201d26e5f3fefbab

SHA1
76d6deeb0dbb973d838144f982e653dc83fe016f

SHA256
ecf55d34ce0241dea4824e54e67c436093045822fb5c2c78be4bfc5a2430df02

SHA512
f0d7c57de30624d22a0994162e28cb9991f9085d956ffce1a89059558370d1288d2b27eb98474ae6e479bda71d4f598b4b06381cd5aaf59f36ec2cdff9b87643

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
050ade690b31674e08564d757c0f2912

SHA1
efa6c1a9d705989a23e998ae1508837298fb027f

SHA256
0e367124780b75fed0fdacb7271539d61681d23a8c2b368effb9fdea7669fa31

SHA512
8e431e44bd6ac8edb9f87fd86fd9863b516c5f96b78f67e35cff2b473b0b7484d1b76eaa90a8e5ef44df7e16d11990fbc546c04dbc269675689d0b652c200ca8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
d2bcfab9ecd7b8fdc411421d9fce6362

SHA1
c296b861c21d7df3b2b63c6a49113199e673f60d

SHA256
830348d701e60b4c4ef90c4ed6277fbc9d1b921c13b744aa470a439c4ca1c3a4

SHA512
f14e345d0f1b11f66992678ca3ed2a978a6d4f63eafbb45625f0a0055b598aacd8ff5fea621568fa861b1e6d12063af08f7d2980e051ce4da3817342384605d5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b38290e14fcf8cba47d9523f713a39ab

SHA1
26f58f299e1a95502da788bcb621f66137ea0e5a

SHA256
591fb16a4ebaab64d44ff9fdff9f2914c1e8fd9e90ecff5a5f42a05d8b2dd3e0

SHA512
f5325b81cd24712290529b127cc2011bfe764f3fc72046f34ea99938f8112a8352baecf24fe514926daf307bc7a02d214dc49955f7eae33c07a6326d2ef0b6d7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b53d036ee520b1b610c855040d958cdf

SHA1
74b8fae828ca709ef61f61db7967ffd3ead478bd

SHA256
08ece37851c4808e41a421e5d158db431ac8adce9f3273b934746f0a3a24d548

SHA512
884299a0b936858a6c74d92c55299733da86a42e10e1a03326cc70001d174938c0106a9a1991f5ab8d053376a6131ea25dd8acb3ba143cbbae729e61b9be5412

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ffcd9f923668582bd2d3699e1ddf909e

SHA1
2c288bd0a0984733352ef116cf9144be4f0aa9c9

SHA256
f21f1d9a14c165c07c7be9d5f36c31ab357261270898d091208a71b0d1641b35

SHA512
8c1247a36d1d73bc76f7b0423e83abf49c7301d6e23c27496734690d1aae516c8dcf4bd4f0e8790044790822f273f412b391c77cd8f6e313cc4b35db3e94212f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
e3b4b8b465936ac2b500e92b605cfd7c

SHA1
d9d74022ea59526675c80ca8999666296ab5bf9a

SHA256
b0a91785cace909ffa777dcb544beeceff1f18825b27833819dd63afa4648914

SHA512
d852a6f2e280cd77b967c42cd1678636b1754ea782eb16d45f6ced6a40c5488f59ba6e347ae9b390c770d3d854d9df29fe8698fffeabde25a13672d7f8f5a1ca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d7b8347f8d7df421ea14c54717aaa98

SHA1
ae8f6d03534b9a6edf09995b8fb5d0307c8399e8

SHA256
df5186eb2fecc972e285638a6a8a0382369e2566611d39ece8c1fb15132bfb8a

SHA512
89e7ac6ee10e08c45ccae27be59d42cd0a2425553d1d3bc5204100d37b7379aa3b601d9f923c6c639d5908d9946aa668284f73e91db24ffee83212ee1318f169

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5ee933f5e3ded4d57c8173c19371e719

SHA1
1d047ace5dfd3b90a99d437087471e4faa93c555

SHA256
03c67cdbe56f18790763a0a57ef43cc634ed0bfbfff8ceca3846e35cdcf50435

SHA512
12f6dc67fc4d73170f1370bfedb681af8ee583398f233096ca2eaa3b2165df010b4c231ecada3c2d5ecf9d62593c0ee3032eabcda3436f78ed788b1a6899b8a5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee41b385688e326a5683fd43b7ca057b

SHA1
3252e2c6769a63192ac59d305c78c96575ecf6b5

SHA256
1e6a5e1d5954f6eae7e0688d734635c373d9f34055ffcf88454c7ef18ffd4ac4

SHA512
4c936d381e786566917f31016149438e415326b6ccd8166b0190430ec40012afa19f097e16b91d7b825ec040c2584028f32647e90903c4ee41448ae8889ab86a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
e3056a19b59ca26e63fe6b69ca6f50ae

SHA1
02147c748cebe32d9f8dd58d1d1c515818c743a0

SHA256
b4d233a1c0c92c0b2d92ad7a310805d287861d0df7f8f0e4a4a5dabb9f20dd44

SHA512
12ba68ebf122392b0189cd1b9493e69ef96c0d1c627462945b2f4242550192b7fa01626e708285f3ac271efe1f0fd001f340eaff175f7186a187aed7ee4cafd7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4c551fea68f5bd46d88e691185498abd

SHA1
baffb5aad95191414c9b7ea7e062d2c3146a145a

SHA256
b43b6d24d2d3a2e66d43348c303a023daf65da6613e96cea215a2a4c6a8a525f

SHA512
cc4015eb904a2fb81ec229ad400e6c61fdea0218952e64b5da6c5af08f23776d52250cab0fd2c843fc29b165cdd93327273bd45689b37a5011ec947c81917fe5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
918fb14a2b2fd210a618b98dcb4562aa

SHA1
08bbee1c90fa62f620c44131c21777ef6fd9b2d5

SHA256
02038e2222f676dabacc33cb6fa50fb5393c06778df46e6a7df56ae947221b43

SHA512
3893bb1e240a30bfe54caae2c636cec186e35d764d478bb8de5c8aa10ccc2c867d65da50b4a0ca6254b057f97e9484fef12ad36d79d9c20b269596a42dcbc442

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
2ad1a41bdd8abbd798abd957d6f7032d

SHA1
eb17ce51de9949d5e0527340f6b66c8954036ddf

SHA256
ac45c03e732d035ece81c05805cef05135dc2abf1962c4eb7525be111384b785

SHA512
134e22d9ce2a39c113d990ccbd77eed30e3285cbdbb4d29db49bbb5262d6844808e9937bc99aae35385d25d9de2270d59265242b799550864ee02587f65180d9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
d792c47c0dfd90655ff0f53c93173e3e

SHA1
51ab314eda104347678d8f79d9684b12951baa03

SHA256
b626cb769a8ede7b728c31f40b1bffaac611f30f35a00ad31c505844d052ee8d

SHA512
750acdc9b4ee57e00559e068251d214f3f23fd9a93b1f56bcd6c2759904a5d3f65ea337852009a306d203368c02a6125292f118aa8fa094e474a502b1227d76a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
92b66ac5487e5648b4c8b6c9bf0a4edc

SHA1
83cb8c10d6c75d65b04f0d3a73b45724f2247567

SHA256
efe0ae536b3a65c74d267875734e504456769161ed7193f4730f1fcf3898a9ad

SHA512
fbfbab0714215e8d9c7ad7a7ab8bc14aa27a88579c69dffcfe1a5f62c49d1d041bcc897cf771be4b35dca865d94fed1f20b6a14a8c26a60e32ceebf639a9e12d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fa989d9c77ceac6720ff2ad750a8f5bd

SHA1
91e76eb8cfc9da29674d62142f6822434581d679

SHA256
c3847188a95affa4c1c6ffc2ef48887bd621020a63d166611036e7fa1c5f00d2

SHA512
b5541a96a7e9954b6de5bfc1a9f030da8947220c504b015943a859c09c5a96d72d4a893099ffbce5f7e2d74e5668873d12d40d927a69372a9e55263a29baf418

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c842b2f51ff12bb315ef4be824020966

SHA1
59d4427662fa24f72b1b01bd8616c65af8dc7021

SHA256
fa815376f575781f9618cae6085e173bc0daa7bf7ab8aea25445d0581feb9f5f

SHA512
44d990dd51da357b6bda7d5a93d00c9911a4308e1c690dae46e5c3190e9082a50325154e49d82ec7c431f2fe37acfe733bccdd0d8cbdfe21dec00fbcc02f195d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cbd79521ae3f56b158552099e0fcff44

SHA1
1d1c40433fd1af8b84155fa9ef61fa7b23d6a507

SHA256
e958ddd508ad54593a1ced6b112cd9f024e8f991e9afb467b73306c118f4bc03

SHA512
adb65553ec97210c730fd4ae887d19331bf04df01421c4bca431bd7802f42978bda4954021b07a50af15f0f6f32df393e9fc45d513cb4f1cfbd224830c9edc7b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
43b6b791847a6dbd67a10e432db2b6fa

SHA1
559e1d61b74440bcb4535b16fa2be2f2cca71615

SHA256
792af0500822673e308d227382d87c5000378a4acd7e6c37edc58b0495d2c26e

SHA512
68d59215d2a1ce8842d2b0c7c759818d76cf91ac05a02d1a0528d3efe7ae159e831e2e0e98aea41d0d9507c578341c211a8b30e159eda5f5dd16347794d28d49

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d904121bdb85594e5877e10270eaac8f

SHA1
5270e48df3cc7d35dcd0bc751390d1357cd356bc

SHA256
cd2a7a42f8292525d0c97047848b26a3cf4c5aecdcd625c2e8e9ba39805e3d9b

SHA512
a7daf570d068da68f1b436f9ceee3c63e8bc03ba16ba32db29de6c93c65a6c026388582a2ea9421f37f71ad9d7477b6904a9c632e53d07825c55503999e8e0d0

Download Submit
memory/884-12-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/884-21-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/884-20-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/884-101-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/920-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/920-511-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-224-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1424-113-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/2108-510-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2108-197-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/2328-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2328-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2328-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2328-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2668-47-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2668-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2668-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2668-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2776-208-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/2776-89-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/2776-90-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3048-51-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3048-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3048-172-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3048-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3100-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3100-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3100-141-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3132-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3628-88-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/3628-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/3628-1-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/3628-8-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/3648-570-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3648-252-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/3764-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3764-445-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3852-398-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3852-153-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4084-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4084-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4480-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4516-505-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4516-178-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4628-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4628-35-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4628-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4636-544-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4636-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4808-122-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4808-227-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4836-130-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4836-251-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4956-81-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4956-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4956-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4956-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4956-85-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/5072-239-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/5072-127-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download