0377e98da82010ded070d6f20a0e0a2afcdb28de1c296dda3f18816598d875ee

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Size

1.8MB
MD5

e74808253e158caeeaefeff17e506191
SHA1

d7bfe11f3aaf4013c2cc46054eeb17b6d761053f
SHA256

0377e98da82010ded070d6f20a0e0a2afcdb28de1c296dda3f18816598d875ee
SHA512

f594dff01b6898d2ef91e3828ce17fecb02970ae8cb40308d24cb2d0d622156dc464017eb2387d7a0093952b4391f950fc4e9eb1fe1921257ce41627073e3a83
SSDEEP

49152:SE19+ApwXk1QE1RzsEQPaxHNY70jIpM3kiSBM29mhNq:393wXmoKQ70uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3160	alg.exe
3960	DiagnosticsHub.StandardCollector.Service.exe
3664	fxssvc.exe
3720	elevation_service.exe
3656	elevation_service.exe
3492	maintenanceservice.exe
1364	msdtc.exe
4484	OSE.EXE
1120	PerceptionSimulationService.exe
3688	perfhost.exe
4996	locator.exe
3028	SensorDataService.exe
4528	snmptrap.exe
4848	spectrum.exe
1192	ssh-agent.exe
4492	TieringEngineService.exe
2288	AgentService.exe
4168	vds.exe
3288	vssvc.exe
2256	wbengine.exe
4632	WmiApSrv.exe
3904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ae97cebb293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exealg.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000367b1e35e8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000855f3e34e8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bbe7e34e8adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8c22134e8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a29b1a34e8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a19a3934e8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d96e8f34e8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe

pid	process
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Token: SeAuditPrivilege	3664	fxssvc.exe
Token: SeRestorePrivilege	4492	TieringEngineService.exe
Token: SeManageVolumePrivilege	4492	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2288	AgentService.exe
Token: SeBackupPrivilege	3288	vssvc.exe
Token: SeRestorePrivilege	3288	vssvc.exe
Token: SeAuditPrivilege	3288	vssvc.exe
Token: SeBackupPrivilege	2256	wbengine.exe
Token: SeRestorePrivilege	2256	wbengine.exe
Token: SeSecurityPrivilege	2256	wbengine.exe
Token: 33	3904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeDebugPrivilege	996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Token: SeDebugPrivilege	996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Token: SeDebugPrivilege	996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Token: SeDebugPrivilege	996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Token: SeDebugPrivilege	996	2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
Token: SeDebugPrivilege	3160	alg.exe
Token: SeDebugPrivilege	3160	alg.exe
Token: SeDebugPrivilege	3160	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3904 wrote to memory of 2944	3904	SearchIndexer.exe	SearchProtocolHost.exe
PID 3904 wrote to memory of 2944	3904	SearchIndexer.exe	SearchProtocolHost.exe
PID 3904 wrote to memory of 1856	3904	SearchIndexer.exe	SearchFilterHost.exe
PID 3904 wrote to memory of 1856	3904	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_e74808253e158caeeaefeff17e506191_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3188

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1364

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3028

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4848

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3800

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2944

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c09bce5ad6b0f55285bbeff1ed889efd

SHA1
2f3ad546497bb962bc4065c48987715f2e1b4e14

SHA256
d7f6770cff17bee5da6d2ada7a7faaf6978412841d28e8f060e510d64a14c267

SHA512
c6b5bb1a423bff8d71d197feb5d4da0096411fdab8b8ed6b061225c58a4d6cf9276f5b69ce69c1dcf5ba01eaab5b6cf9a5cf4967a3caab356d49c6fc474c5124

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
811327bb0db3bd66c60ab93d173c10a5

SHA1
98e1d3f62cdf74194b2ae3efe0a64b0a7135dd2e

SHA256
8006c81ab090b3d2347902b754e5bf64c5cc9dd76ea136c823b3f8c76bdcef07

SHA512
dbb1b5a53d88f0575a431518e9cf2a0d47181d0e6467e7608772606dc15b11b5149fa6532b99b67ba9c3ee1efd814d57a2fd733edc54d76d8b5672b929c89219

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
1d7aa18d8565350d4a1e1d6f3926e640

SHA1
b8f65d1c9bef9316e38b0879c80ad34b9e3ca8fa

SHA256
a2e8916490cc059d831e71881e4f9fcf2f53be4af1a5d1dee29749344a10f100

SHA512
b43c7e2c1157af1a92fcef4e466e2ca21bbc52bb91659f796c257e4156e07bf50736268ef42717bb91a1c9a1885025e2b744801fc418e1993b1a758cfbe409f1

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4d8b0d94aaff13de9abab1ab6b4aef44

SHA1
74ca47230bb7b145fa2750a5ea55241b77f8b151

SHA256
0da2368092050faf430457cd9e58bebd431a9afb9ea87e818f193b5bc9877d8a

SHA512
b1a21ba5f5ded41e7e4c5e9e40d8170eb624c393443374f7dd6782de28570d4ac5a64a603741cc4280ef06a061932f19cff0949895c8cab3ea56ca5001b4f373

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
2a40b4c34b7ccdce289851c33c184456

SHA1
0a75c0d05071142c74570fdd4b2e165dcaa631ae

SHA256
66399e3dd4e383eea51e4a72e734b7c2043ac9665c0fedc95952d7cb87468040

SHA512
456000b6128e83cd968e84232899f1914127f4c986342862e684a8e58b7de96b77cb2f58480fe2390c314223edae5680aeb577ffc3bf8e2baff4442071d7ca1a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
b77ea37c9160ec21278fe8685f00204e

SHA1
43af7ea67d7abdecd9973822160db2ebbab4f07f

SHA256
65e4d501e1f53ba17aeee1f807266076162fa70707d57f349b77c749bd52e277

SHA512
ee8a1538e5ee6f44896b13354d4f4a60cd92d4c148876d541e5a297f830e21290dce2570ca013056f7bbb4d1d9e12a800976278453f9750ffd821d77beda83c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
f3155b9b09718b98ef56e5093af7a92c

SHA1
4f8ca4b648aa75842878a9b043e7ff4ab7df31d0

SHA256
27e9f4e88d73701adc06c4f3095ae240473642d56e80590be6f612206b1a6cbd

SHA512
539fc91d2ea8c873624702646970202d9e1c1e65a65e1ffe239974623c59a13d036fe2cdc3f2eb5af3881bef92067e74344a4179c39a48e643d98983ff3d5c25

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
c2e740cf4105eb2971db1fd20ac9a47a

SHA1
16a27e0e8bef9229e6d4bf962a8406a4ab6e1c21

SHA256
40b18a10bb6c47f68071b1e433669e2c6bd584f1edd0da38a9351e7a802bde1f

SHA512
4d4a21b0cafd705e9da4bb27e7bcca4e08e4d5fc3fa920f57c25e32ffc2997e052600c2bc50df703115e44684691f566714f8f7b8e4d71933d36e5e1bff006af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
dd630e0bdbfa139586278eeba6ba332e

SHA1
22ea493f8b197b3001e5b0d58fe6cff746671b6a

SHA256
acdcf289ac3106f9f90e2f0f697f461847ebb9cbacd6753a4cb7d036463f6076

SHA512
bc45e59f57e836262c4b7adb9ab72895a3827d41826b526b91baa1f2c85b7c75a14c440be2748554d99f4d4bc2a10819226fcdbcb057be3612998184675ab858

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
860d68e0c51443dc2830fb8bef095f0e

SHA1
4bb54aa01d86da43cc6155bd6709ec00e4cd3dff

SHA256
bf1dc986ba911c8048db4b0b5987591103fa9adbb803a9348dfe47f24b415afd

SHA512
8ff73ef96d7ec63d3656a93160b882088d88633d51ac556069b985daf231c6bb7c29311c78e626bd3a707f848b4c100d57087e2e1cbda1b4b9b165314d1ecc82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
5caacdea238bc9d62dd54e97011f0d57

SHA1
dc80c16d989f4713ba6d5ad5e1fdf6f3fceb79a8

SHA256
197fa4a664f89a10f22707233c7d851d1f0019d24a5522c05f3faf47be6ffe11

SHA512
be31ed2d69546a0e2d8f7e6498b2f30806d2e4ab3d3728ed32ea2a05bc2c4f84e0114b6a97b59da500e6f752cb83adcc47e10bb93528c9c3c4c471d81b4c158b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
eaa4725b8b7535fbebce3004fd2cccc8

SHA1
42fe756db5a8e0fa249f5da9e9d25aacdadaa38b

SHA256
9758681f80560ee7082194eb9c83e83d4361332d632a1229cdda895f4f38d2d8

SHA512
6f8885936786d75d290f1f2eccadb97c1d547e0280b551975d5edc5e9f1be57522715a6351eb016ef5e7006175fbf8aec3d3d178180592dd710db58b9ead1a27

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
b8f38a98e1961a8c4279bf4b957d689e

SHA1
1c44fc694b0bc027bc4d9f4ca9437c1bcab8c0a3

SHA256
f2b107721b674c230bea3aaa0d4f37bdca4580f902ea2a5feabd04747b983e72

SHA512
206cf494147c82d3072c9dcb46d3153ab5d2bff94ccf806cfd0d6b0e19e4410134f7a3249d2e412f9b11c04a346e403c0c565c56c029745c4e6a895fc95b9cdc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
a8763f78d20e80ba761124396473cb51

SHA1
89ba5c3d6684a99e9596043dc45b11a1a1ab6333

SHA256
59d50d3c266a4d6e405050cb8df7fdf874f29a00dd6e5fc155fbba0d2a8f61ac

SHA512
212d38b657ae226c76e9bad51746acaf4f46e2e1c11abbb2878e92b74333d278f8c3c5d7cdad0f94b7c3193e7a5df19dd5ae2bc18b789442ae22b99c32155295

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9b2b0f6dc64d214fc3d8fc7bf791ff98

SHA1
1d95a509683782cb186b1994e853f85b7b2f6999

SHA256
14e89ebc0d1d4c867423447483c5bc31f2a3088c970322a9b127fc3c60bd02c7

SHA512
b0a54cd6f04bf71e3698419138f5299948572ac90fb60457e71cb320641d4991ddf857518943f7605231512d1311278acc571f8dbcede85aa209b2f4b999520f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
1e60f546ddd45539f78081b008e0aa38

SHA1
44f645c43869283cfebfe6700bde0d739830389f

SHA256
1bc05375c069f03d4a2ed55e24d9511cdbaa0421a24b527125a2ee5ffbb4c625

SHA512
9afda3969538e15030c1ddd126c2f74be5fc4079fd0c6f5f33e81d083d91a625a38587105f57e44aca8b0f4236cc061fd31042dae5f261dfaa1224d359b4409e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
a83e9c05b55b16bea12bcd04d569e7b9

SHA1
857dacb2a5482caf88cba47705ad42429e3f66d3

SHA256
709a3a75254919b81b121019c23869d8c6da335d1e8073e8a504c1e6f2179c21

SHA512
15eba6de308847fe9264ca68d751c476b2cc4d9f1c770ea4dbc304762783f94b2e3ac05dce78066eb8bb97fbf0a1298e26899917e3f57f0f13492d302db3bbbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
6b0f8a99241b8ddd5f127d9b3bf37b22

SHA1
97c9a70fa2be2fd8872816225fa8646ac788a752

SHA256
b8f4f38ad5ea6e7398aae779c7f19b670fb405eda1ae3418e0a54d37cd000744

SHA512
db57c219d761061b286a69f58526a1661803c926541934aacd57704153b3ee49d6060a2d0e8582e2d284201e83b16d21d93f663f4365470f4f2ad2726f4150d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
770ded5f36544535b077eb1199fed52f

SHA1
3a0cd7121519684ab54bd5c171fe45d87aa3ac94

SHA256
e0a0843177160e129659b8bd699d52068c73e41daf36541554cc0d7014096bcd

SHA512
69bf5c38dceaff2890791c39618bf8a4a922b27d478b89a7ad88e9c264e9286f27f803cc237c794d95255c870403757aa053ad2ce5e4940138994d17b68cbbb5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
083a2ca10efbf2b19a0758c19f412a00

SHA1
ef1a8091d8d8374ed1a3fb8d8ed61ae676403863

SHA256
98357232a5f8f885bc2351b5fd3273b3ace60fee68599171be63efe61de1c4c5

SHA512
527c00d4c1d4b5f55fa1157fcf8aade769ff8c2a9472ded27dd16e017f05ebbdf7dd7be55fada724faa872bd0607972e24cd9640a81a879fb9436dde73d801b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
2b5e38efe070adf9f3972adbed9c49d2

SHA1
83b90df7c99fe29ef0f928141e31fea600b3b017

SHA256
bcf5c9cf62eb3cdbf7cf83582cf1c9d5c1b1d754e4a32d529d9c4ddf20f758cc

SHA512
4b706899d40f96ded6330569f87c4397b3e7403fb38c2ec812147df0e064dfd4280aa507f9d07485e3aa1ff598c8de5c4ad7a1272b5bd65fd27638a5b3cb87e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
f74e7df34749e12c58c891e14f378f15

SHA1
5944754705c0a5343b0ad667a4748bf4ed2b09cf

SHA256
428231a2bea38c00e3b0106d36f6b91b5a5e559e4acbd361d42cb41d974a82bb

SHA512
c066b745b55f3e28a8d83c073044700a2953751347c70e3c1c911671fc7f6536c9f724cc7e1b23c02ec53e852955e06e061ecccc21a735217886d4af7bc9d4cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
e93a2f5552813690fa1ff6996a266aec

SHA1
455a3b6ef9c60f6bd8227a7e132fa8c3f9ab1e04

SHA256
fca47709c64b122da9285fedf8f3593a7340a209faf6ff916b0dcb26012d2e47

SHA512
225b671f304aba5680af3147a0489cad58122e4f0b241e610f1ae25cb5fb2c00d6adfdd0f2fd93aefca490fa0872f4c2f2d1c7443e2a7d7c77a46b0fc4a57fde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
1488bd1e2410dbcaadc82fd4fe166983

SHA1
144c5fdd35d4d1d6677455756471a8ce997ebff5

SHA256
2b0cd97fa70721db99e0a97afb118a9096e117fc7a4a6a45e5300aa32499c9cd

SHA512
dc9486ba4695451c92ae7ec28f3fc7e956e104e6ae4358350c26ff1c0bb87a1e04a360ea25fd2ed04270529cb35bfafb5e6925fe9046b1955313557b14c69e1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
fc53a585a517ba2ffcb33e5b569a6e24

SHA1
34362022853a0580eb006b3f07f9f51a30442f9e

SHA256
e23070d17ef0a4da0994736071123d1bbe40ea4d80b0488ecdc19ce89ba0d703

SHA512
b9cecaeea0c1d7a39a1c557e580ef3b1c828a91e504232075ff9d5ba654f95fc2692ef49f7e1d3201ebf4a1fc69083a009a7a7308af12969a4969e2c0e693a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
204b7198f05d0f01af66251e487e59a4

SHA1
536d889f32c65773afa5ab63568994c0ad7459c9

SHA256
cd50ec65fd94a5f2bf2c3a7cf7c7d78d67b4fcd410ec236fb626592688f16803

SHA512
db370830487158ead0bd31f1b8692fd00c08178c5dd4d6419207d67fdd647809747d5b7805a03af54d41e61022194e268ef3c383dc82fafb0063947797deed54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
a60f90e75e3f26a036026356db2b5fb0

SHA1
8e02ee6b35bfd3738ccfdbe963c44fe7a276651e

SHA256
5e0438f36df2eed38cc1a0554c3bbced76bb15a47422ff362daef07d163db8a5

SHA512
8807a5a371d4dfed18cd2ecba7c53fff7adb0a7d58eb74a25dd7e871d4616300333ecc331fe498b4e0a7547eaa2bf712b1b769efe6b40f5b781fe2715f5c3582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
34e085fda1ba46ef5fae363bd675ff16

SHA1
01437933605936541850bee0814db8196caf3c45

SHA256
b16eee3eef7a814c31154e5efcc497d35a6d9c77b0cf74d79d74c4409ef2c45f

SHA512
a51e7037249b9a086708f54a40e5d33437fd03a0f54c886fc3f89cce88e0f5ed4b37d44991abc0c48e6fd47ebcc1ccd097a75f9f4d56716f92d2b7769cfdba3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
251d17de858a72ecda21aaded23e0e04

SHA1
7b9e727fc040be61814db63e8cabf7655de6bdaf

SHA256
cd8478cda7a23fc2d3729e67c9f9e0cd02641033c0c6a5cce42d133af0737637

SHA512
64992a91334baa18ba0a45961fc25fa03af19f2744863864bd59fca191b42bc8e4cec160470993f093920acd2887eccebdb23139078aa0c85df67e99bb623f52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
adc658a76c5158c1de4a557e2f892e86

SHA1
264c0690fd895af21bf8a1b831e6b5269b072099

SHA256
85d405efd5fba7ca303b7b54bab606742c1ea258f45dd492adeb92bea4ffd133

SHA512
cf44c023a5688ff8d2b64177b60a24d2d5135e3081bc2c8e2a0668ba144eb37a9856ed25955599a2ab606ac3204872cf02b9684acddc7ee4a8bbdad1deb74805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
4e0744d3b3facf0cd518b94f43b66911

SHA1
098400d262574d920ba02fc0e5ad31c450183ba9

SHA256
2cd72af7af685f07516a0100988f8a5f90b81a491fed38473eea0a5aa5790b2e

SHA512
e3a4ac1623d59f202e4e04e8f5a39a1d8283c5017b87fa5a773afdbce9974079c74a0d91fb23181603422eaa0ab6aa1de2f8cc462d2ce9c5035182f25a7d7d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5b818022956ce4ae926b877770e76546

SHA1
9a5793008c1ce141a92f8cb826e518277604e5fd

SHA256
7e5556331798cc2bd1dd4ecf9786e7fb9c5fd4bfe7018fc427dbaefba291b361

SHA512
ab5059f4077258281fce367ede4e3d0d045aafa76499896cf0595cd23ce47598159725bfc6e01e745cade1ec406bb2719a0b78213a12d6e2425ea7cb413588e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
820655c2fe8890f8ad04f1dce9e311c0

SHA1
9b9db9d5c4fe173546308d347d5ae88f00ae594e

SHA256
6a96c14be5a312f05c3b986d89b3b47ad3e14f40fcbd85a70f9dae92bbd35474

SHA512
53821bb132a3d3cef75e08e83befb6f77b545eec800a6b6fb5458002ca7c8293be9ade849553b893ef3a0d57da1318fd8b0535d220fe3a4b050582de24cdac90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
b05b4b623965b946311d400269d48105

SHA1
8aa176acf5672759153d1f0b8d7befc25b1bc382

SHA256
cefdcbca6686685b0713e40846247d9cd2f1356624bb98e84dddeaed5be9f187

SHA512
28c25aa6021f0ddcfefecab1c0a90205771bf6b93456041d416c716362685b4be33095cb3ef061948d0cf42403b9e288cfb027ffe16febda783558ef76888cb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
90fe1751d5c70f4f745928f20128658a

SHA1
acb7ad8ec779c5911d475f1986c6fe347ec70462

SHA256
899c201fc6b211474c2ede7cb71e95b36575ab157d73dec3366a9beb5d6b1eb6

SHA512
5e08970efb9aab36d4588d09ebbec693ee82fd21aaa663811defdb311075602485e567392cf73d2be4377c59e66cc52ff4bd7822cdaaca5227c82ed2ee7f438e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
ea333ede12b9a37813a6452dae6cfd43

SHA1
fe767cee1b13c3bbfba1ee3360844640684f56ab

SHA256
e19a97da078ddeb36827db996c2f54f7bda9e4a8ff6413c37a7d5f13bea68827

SHA512
445734df6f058e128b40ae9cd75ab73fa7b89f0e7a302aaaa47508a68c243461599968dad6f0647c8c5ececbad4fe726e8ac28335a664d7a37ff78762e9ed9f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
4b40a7f817a3cb9c18b5cf7f0181b711

SHA1
7c06b1bdbf24e81f76b62cfc17149f3ba4af174b

SHA256
03f30fa82e4d0c8c18e77147c74d1afdc3fae5a4718531a1e9c58e0859b65dc4

SHA512
9a71a9d5a95bdc39b6d183431ccde170286fed9132e9d3275f241b852690235456e1fd9f559673f28a21763f27f1aa7134cea6231de6f568a0e585ac7413e2e4

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
a6b02c7d94294a0f772b4b96d2644988

SHA1
eabd25070974110a75ec4c0f8a8cfb30cadcaf73

SHA256
121d91b9463d8b686a333f23a1ea3ec1d4915f33e250ea35fb8276aad3c7fc26

SHA512
2cd3607415bdceb82aa2d52707e7264bc2cc0ac7e5e48940ca938814199120ae35ab56290475187cb855504f987740d8a7bf5fcddd9972d71d7656346c85eecb

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
2c992fa1292b1b6876f16c5a75adda0e

SHA1
18e0de1611491c5c8b0fa95c498c7b161bdbd839

SHA256
edf6bc5f8bcd33ac5b61a4117a03aecb225d3c5a81a3e3ba2a486abf4897317b

SHA512
57426010163de3f2e17cb521e8e3ce506d8f43261c7a459930b5423a2c56c1ac44eb24a9a97420c3270d59cc46524a52d82e0214af459779ff0836353bb7d930

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
6ce8b7545211b22c1a6c4dab8aaa5584

SHA1
330a05813af682929af62a9c597a4b9c00befb85

SHA256
15ed718bdac13985ea9c2e087f28eeba0ec4521f1a214d7402201829502c7e1c

SHA512
3f621515705bc8f13e878af236edc068343148863f298ad9bf245aae5a5a94ce2e6b5c0f102f8fdc36bc87f7ffc8b10ef81ddff60d19b6fa58a1ca545dcd70e5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
1e28b219d71344a5c90f22cf8712ae59

SHA1
928db278fe2b7b5799ecb8de6e1ce41958eb9077

SHA256
01dee1311014c0eb1f57cdcbaa2cd0b23897d59f485c36cfd64a105daff88f94

SHA512
255869d91590a74728e9f649262b8678b63afc23d2d7d62d2f0bb77e5172f3a469e159ccba60b2e5edd38d3c145d91cfba8c2f2766939f9c839c61fe8890f8c9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c0925433a9411d2ed119af6223a13726

SHA1
1b7245c257a502d755e613caccc6c1e62214cea8

SHA256
417c3e3c16fff45c76ba8a904a61650357ea60929b15bf1d1f668e527433966e

SHA512
7388097da1a160728e1b816b09553d550cff65f63c82b42bc55f1954b5903e3bde1283f9926d7a94531aa3211bfb1c8bf631472bafd7b0c96d0f6a647ae4eedc

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
344f05969008e8d8e1630890e52859cb

SHA1
fd7c222c4f5faa6f5816f1b66958ee95d6861491

SHA256
de9aa6b96ae9690778fb8ba84935120f751379960a83f5c3cfd8ffc0f2fb05ed

SHA512
bb7d2df57759c55fe8eecf76d996b60e89aa4de32b6806d62cc07d9654f6328457893209a5977709c8b5bc0e58f4084eb5c28b1612a1d25cb604c9b39e448eb5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
7f845e6784baa11d3610fa67b26410ad

SHA1
5e265835c2a938f43222bf77d850df657db23c83

SHA256
3767a9c996e5ef30cc57283e66b3087798a01c3f0855fc9c424bb1d55aec8b56

SHA512
f20007e55630b65ac6a3c1660f9f9535e93cbfec75be6761976cfce5a6dbae9ab6744aad37c48e421da59207c49516f2413edc104552c10030606412758557bc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
e9265d6ce809ef872cc3188888f40efd

SHA1
3427653c7a528072e0b9ca21a0e91b1856943407

SHA256
b537896393756cb78985dcbb658203f2eebd782184ace4cc9ba139af28add76a

SHA512
cc26b2116a4e8996ebfc2ba99875964f589648d1a74baf1b2dd0c7d830fbd8dd4430d267204a2dc33ecbf34dd906c164019f84785c8ef255f65b6e6d74d744b7

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c65956894ba66d9d0b0bce0ac421953c

SHA1
74d8daa7e58dcf6c217fb71d65aae48699ca0f86

SHA256
85ad67cba9df16546bba4a80c336f4c39c3e84de0a6410c6bd339c50ecc92aa6

SHA512
59375a50687e5ad967e73ace213d888be99c9aed4220e931a3fd1d74db55b6b52282d913d22b0fce1a14533b6ee69b5f5f14696eedf00559ff140a6cb730c31d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1d8a41a12cefccace2a6239b051913ea

SHA1
01709ba09facf6c19b35eb77bb9b9a2ed119e972

SHA256
cfdea8e31af21c3de7deb4a3c5d20173180c538e32c7b15743d4d13a06cae005

SHA512
0e5b6c726e46f9cdefb1b5fe0b2559ccf6199488d76f8ab635c94f55d42d5c8f6e72c7f045ece1ee0e50c1cfe7952134e2b5490924a48394827da0e2fd2b057c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2eb9ca62582e4d49797b99c2aba5d9ba

SHA1
e48808ad1843a52987a30d0d3e48de7b42db679a

SHA256
3952e06704e110340e1345c1b85433bc277d95208b8040429893eba3724d8e33

SHA512
f424a52f910f599ca761089fc6268d02a4e0c57b6a45cf2b5a842c9c2c3f919b3317b1965dc52bd7a4ed5e5960b8eb0ca2aabe6bbba47e5148d03fd7e811bf39

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
dac29947a7bbe5e8a1a59b12ae1de753

SHA1
130582bccd7386951ffb1bf893742f1dca421960

SHA256
3fb011eec6aa3b9b26638a2b5203b63cf895d96a688426812f7dc725ad4fc5b3

SHA512
e162c57be8fdeb920a939db26b4b40e03a1549b2ac84e47d1e5c1658d220fce6a7818f6077c97179f4189d3ad8c67cafb8617d0285ed42a176520505bb058125

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
63ac76bf205b1907ad9d6550e9be935b

SHA1
15c21ef1faa50a3a21540992d2522550bd7d43d5

SHA256
db824fae8ddc79b808a3b3989264b41208214d3e94ca41b22d68cabe7cab4968

SHA512
e96deac8b4a30f461e37574d1522cd8ad714ca8ecd191ba44747f57e9c84fbbdbc590edbd3933b9902c5067ef45b02e87ec60608d2c969ac61e1dadc010e0968

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
b4b6f54d83fe9f1ae725fe88ab3f7987

SHA1
29400c70eb9d603f4c94036fdfa51091aa5a818f

SHA256
851b1c9e7237faaa613a4e3b431197717fbfedb0aeadc87d50a4dd5ee43ed0fd

SHA512
0b8975359bb18ead7d3bcdb4273d676a082c69112c509e3e52cde596b5c7de33ad34475319dfb2cf676789fd20b8078b8f9c0cba034f00184edcee79f05498fe

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
7b1198a42fcf0ea132bfeb97a9144992

SHA1
12747f9c3f5eccee1b87fd98619ce30a16f3605d

SHA256
bc43762ac2a26ae93aa52af1ab80963c32dfa6e525ed0c3fc015a7ee93bf2ca6

SHA512
cfaf5cd068a3766f8d264b66bf8c9cd8a6229a224ad01741b2a3a7544327e36291e37662abbd2f3418dcb29204651682857f714b33c5a245046744e84dc6a1a0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
22858dc618556a903631e7e9c632126d

SHA1
ea84fcea9dcfa28a1e44d4ed87ed3dd829b2f2b6

SHA256
f33787638c74fc16edb2103f6b520c732c0b910043b74e813b795fd7dd8e5ff0

SHA512
03da85605b662c3c18af73eb74e1aa3d8061e734ce72e556f52e3713050019dbbb1ca896774f89baad1adc89897ba3bad0fa5f7bb5bc8b79dc8d9944dc26dd19

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
8b5365dbacbaf7d711fe12626716c922

SHA1
8e563d29c739f6154c3218a1bfeeba817ed82bc4

SHA256
10076c236af23c0a700e177245368e0dfb8f32b800c13a51e4e1bba919da041c

SHA512
0b11a88590605ddcc4998b7f78b6e2037be9e9a135da1dd6744e867d520de109085f177489abe388b775e6d453fe3bdd7d76e671d93f0a7b329a770493452eb1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
a8560d6d8b6d353e30ad24942ff3749e

SHA1
ab66dfa62c087901b04d2cc1330b1780b202f27c

SHA256
64702bd13502e9ce46045b8b7e17d4701014168914d917c21e96552670f0d168

SHA512
7d56eb030f2d826d40a9bf4c26c2a7ef6128ef3e0b536ee283be72c925ac17e5a36b399f668c15c60e285987e9661b8a0a462dc359df817a6718dfd240dbbad4

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
3014f0e525b3819ec19f6826efadfa78

SHA1
d20af1928e77ea4d994ba3b64420c0850a5dff7d

SHA256
39638638dffce62b8d15a43979681bad64284a3a2e58397dd19775f1a605698d

SHA512
4e5f76cb2f828cb94f0558845538ba285eb1aa9afa4f90475972f163c201eaf3932f05d81c3432f4fde220f4a8df85dcb0bfa3811368f7bc39a61d60320147ab

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2aae9ebf8ea764c6dcb7f43ea787c913

SHA1
eca3897dbad1e495d6cee75dc435a9b495930326

SHA256
1800c60bf4dc95e57d9f17519a05ac444e2e442e01d26383237a2b40a572b4c1

SHA512
046d0eb06e273fbee132231e1df64f4e63dcc8db2515edd96215df4f9657f13ef27166a69bd0ebb1ce210e453ecaa359f6fd6221ee29f6ef3c052ea63ea5d467

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
7debf7c1daacd0b70f5dbc07d88a4633

SHA1
3998da2f3885d9d408b8752e901d8d652df2e5aa

SHA256
f9e337f840c8c343c4dc0810c32542faba5a6bed1f7bcf234a0d44b43f4be7cd

SHA512
c0b9958a6cebaa1ad62f75f17253b2c31323753cf7dbe10444275a25533a79f9f9fbf799726b37c9bfcdfdedcf20d49addbd35db80e9cf19018ed0a711e99f06

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
2fd6e4b1b2315bfcc20a9e1ebc2b8494

SHA1
abfb6f99225be41b7e2e2a89a2b0ddf86a447767

SHA256
fbddd6890f7e4a0ac559a5209f4cbc2624774a871595df2a0186354c117129b2

SHA512
93f222704b27391aed7fcdf18e9ba0334352a4f982cf1f2bd4e06854d9ffbdec2cc422b1afd43ddb3f65f1de23569f1ba24399ead19fa49fbac74e78beb96be4

Download Submit
memory/996-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/996-1-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/996-6-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/996-190-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1120-193-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1192-202-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1364-191-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1364-89-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1364-83-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2256-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2256-518-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2288-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-478-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-199-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3160-220-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3160-18-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3160-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3160-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3288-515-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3288-221-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3492-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3492-78-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3492-72-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/3492-207-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3656-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3656-60-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3656-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3656-511-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3664-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-57-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/3664-36-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/3664-42-0x0000000000EF0000-0x0000000000F50000-memory.dmp

Filesize
384KB

Download
memory/3664-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3688-194-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3720-47-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3720-459-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3720-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3720-53-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3904-520-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3904-256-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3960-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3960-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3960-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3960-33-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4168-514-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4168-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4484-192-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4528-200-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4632-246-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4632-519-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4848-201-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4996-195-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download