1be5ccb39776c73f5df6bcacc76ff5f6357922b8228c7179220f6c90ff7957e7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Size

712KB
MD5

cc51d98598e19213076b45c35ca9a810
SHA1

e5945b7ef2bd2d56bbd8c2f84ef184ca51d7148e
SHA256

1be5ccb39776c73f5df6bcacc76ff5f6357922b8228c7179220f6c90ff7957e7
SHA512

6ad3109346642266838a11cafd3a7c7114dd2f8adb29d5a76dca9454800409835de296423fdb5e2453aa78739d5d089012fc9a32eac974f7b725f100999c5b61
SSDEEP

12288:btOw6BaYYDeWyJnDawHnwyyE17GdybhWV0Um8CDY4fFYhn0ojkVT+48GdWQKIMS:p6BxYDfyJJHwyyU7QJm8yPtYhn0PTt3I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2344	alg.exe
2540	DiagnosticsHub.StandardCollector.Service.exe
1952	fxssvc.exe
396	elevation_service.exe
4132	elevation_service.exe
4548	maintenanceservice.exe
2240	msdtc.exe
1276	OSE.EXE
2224	PerceptionSimulationService.exe
1444	perfhost.exe
3280	locator.exe
1588	SensorDataService.exe
3212	snmptrap.exe
1660	spectrum.exe
4292	ssh-agent.exe
3196	TieringEngineService.exe
1164	AgentService.exe
1516	vds.exe
368	vssvc.exe
4332	wbengine.exe
1704	WmiApSrv.exe
2380	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4142d61b293b476c.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

fxssvc.exeSearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d9723d4fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f892dad2fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c36750d2fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a775a0d3fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d62acd3fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7f4dcd2fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe

pid	process
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeAuditPrivilege	1952	fxssvc.exe
Token: SeRestorePrivilege	3196	TieringEngineService.exe
Token: SeManageVolumePrivilege	3196	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1164	AgentService.exe
Token: SeBackupPrivilege	368	vssvc.exe
Token: SeRestorePrivilege	368	vssvc.exe
Token: SeAuditPrivilege	368	vssvc.exe
Token: SeBackupPrivilege	4332	wbengine.exe
Token: SeRestorePrivilege	4332	wbengine.exe
Token: SeSecurityPrivilege	4332	wbengine.exe
Token: 33	2380	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2380	SearchIndexer.exe
Token: SeDebugPrivilege	2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeDebugPrivilege	2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeDebugPrivilege	2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeDebugPrivilege	2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeDebugPrivilege	2280	2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
Token: SeDebugPrivilege	2344	alg.exe
Token: SeDebugPrivilege	2344	alg.exe
Token: SeDebugPrivilege	2344	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2380 wrote to memory of 3140	2380	SearchIndexer.exe	SearchProtocolHost.exe
PID 2380 wrote to memory of 3140	2380	SearchIndexer.exe	SearchProtocolHost.exe
PID 2380 wrote to memory of 3828	2380	SearchIndexer.exe	SearchFilterHost.exe
PID 2380 wrote to memory of 3828	2380	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_cc51d98598e19213076b45c35ca9a810_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1124

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2240

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1660

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3140

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f764245b2f4d6ea13869ff1a30c06110

SHA1
4553eb0195913c0a57d60d6e490693962441bbcf

SHA256
c05a8b63311b0e7426f1e6a9370b8d63e372a79326d76893c2710f50280f63ca

SHA512
d071db31cfa005ec2bb2fcd9cf0d3fb036d52f4e12057d1bcf6c228320ae146246e43db3d1c587c2a127449e197bfdec674e6ae4550dabc1bcf42f4180ccb5f3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
cc0d9b25dff008278dc8d11e381df8fa

SHA1
543a0e3e18e8097e3355a09e29dbe281a7213739

SHA256
c6d9fe2818d5450e2a4f80d57d96ad7a790bf24fe90ee6f47f294a35ea72eec8

SHA512
6acbefb9dbe6c8e3be265bb4e8b894a2658a17abbc614841c609bdfd7ad6ecd5e8129bf361ad4aacff3f751575fbf09ad8e61507eca5bbf6885e8fd4cf1560ca

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
12bb47919be1383f0fe435d6ec029207

SHA1
46e2bb7dc452a8ee077067d014be330b89316df4

SHA256
81b22c8b979986b7ac3d6314c4e0dd89704e6b3cfb696b64e506402dca870334

SHA512
c0454885cc7997f742e79eb17ace80f0e0a4d4134714f3099c3720cdbc64f6a63bae736d702dc7e1892b0193c8add43d1e2238ef4851f3263b136770e0768862

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
43127faea9cbe78d3a8bd90bacb09e23

SHA1
97ec35e17b6503d50f44daf4066e730312635549

SHA256
e366108ae7569d8597638996275a775b1872964cc7817ac9f169e4bb804ce216

SHA512
01c48e85f88a74e6448a751cc04df101d5f3c201a8e0a46b775505d3942157c466a4858013ad0048690540e5e4c6164b170d461f2c307a112386e471d324e2ab

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
d0bf86b7fe881444e052c359c65a43ea

SHA1
f926816055b47db1f2b0c9ed5f386b12534a1fb7

SHA256
8e1b45a545bd5e80b5595c82e5034bd5a203d9403c3407d55ae4ff17e9c447f2

SHA512
e812c0a67ee00b0a9b8257ab75c9788f6e32282bdb44d1363202177b402b1348561566ce4e4d85675a7d944767f4318a8cadbf2b052b39333840e64505d362d6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
b8849068e17f78e9d79b676380c8daf7

SHA1
d2389ed2fd00f60e0fa255de38d4b2d0ae557050

SHA256
0abab2a06887c009f6c8b84d17332f27df3fe83b5d1a6d8022bea7bd52c710a0

SHA512
64e6e6caa92d936159b7463e32e2cf7ef48db8bb391fd348c8d87b0aa79c9bcedd4ccd430d28566e8a0b0ae586a5350c40b16b343fc30d9c0939ec238d67a718

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
97d6850c1ddf597042a10568f6d2429c

SHA1
f2e2b3153ba898c1871bd0b232a027974fdbe6ab

SHA256
cb802c344493767d453e9a8259f9d53650a7140532e9a7d9dd5ab619967125f4

SHA512
628fb1e02ff830b2e46b9d918341e2e365a17d83e5bdb852b59b56ad0ed53e6ef243242aa6392806c1f373e7a95db161c0707667dbcc399e1b4a09ff2c994483

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d650d50acc37532510c3ea237015fea1

SHA1
5a71242968e24fc878edc31193bc5ddcbb0c706b

SHA256
1e39c8b2127c6467ae6037e66ec6b765f9821c46f76c10d78cb27b5e4803ef86

SHA512
25f4d69748757d4fcf2bf74b31e28c1c79404700ecc13361a81cd88ee7c963bdd472a3e8253495325bc6e593a29fe9e34fd9d56b1b298daabb21bf436050ea04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
b9f4b0ece709c27d2c73af1fa118c5f7

SHA1
63f1ccbce0fc30c04809519d14f15f1a8113be20

SHA256
bbeab2151d1dc894c5abb7447dba7fedb90f3d94c0cc3768120a8a414df7b42f

SHA512
c6e0696d1c3f36c0bf5b2a8123205a78ad94a69cd1b09d3e23e247aadf6d45ca3a1d6c562a65a7ba4a4a962f3517f9109694950c03d4b67229b36b97eb244ce9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
b7b7dbfb0c64efaa37122f25f90ca929

SHA1
7581fa3dd113e37dedf3115479639ac02c44eac6

SHA256
16df3c503c2b3a78168a6c6e9840b64ebeef2911023a13b4c300d8984f02c729

SHA512
6126a26e0d3ae00601cb7fe3f2c893627524afa8e200741e660f65cd761c6604a3205cb24a0fea3777de1c31afbb37fc45e2b02281a07b4d8d49dd4c18582a31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
f02dab71a63cfb4a428c1cab6caec530

SHA1
2ced99efabd0eb0bb68112059ec765ba02a784ac

SHA256
b3eadb38fb588d5b4a5ab819e8dbc00b3e87b8218bc68fbf3fac0be593f8633d

SHA512
61825566102b6023b103ef8838fda39636f8b30f629aa939976f1fdf85c5fc56ea099495413ac0764d4273f32048914417fa532bbc3e2b69843d4a8ef2c79542

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
aaa07bed5d72698be2fbd61bab42199b

SHA1
0a865909d2655d9ae486e621026105c58da3f6b2

SHA256
1be1a19574f4a0726e26f7e2192b1d4398ecfc053d1e56876e5fa09fd2591f12

SHA512
7c4299f28ed204ff3dfb4d741b6666e13ee7ae1c62bcf8c2a1c0baadca5b28aa354188d37dec0f4f867401d9582f558a7a7a1d9c3a214dd4a143deecc5da1194

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
eef0178704d50ede8a9acb95540e373a

SHA1
5adb13bc6b2182e86d3812cd6d69026f26a76c4f

SHA256
29982915688fbfbe038c7881c4fadd0c39193b58b2447cd86df53e4fbeb330ba

SHA512
76a982ade05efbd549e01d54eb90eb22a8d969381595f1f27710412ccbb9498313a4db241071675f8762be17085cf29adf04c9ef44e6b2e070fe810bd881f97f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
e9537f3c04db307544f2c5c8f61d0a21

SHA1
71965e05b95825418d152a23623758212fedfdbb

SHA256
bc0c3618eef9fb66d290abfd784731ea0c3856a0afb354a962aa73ef429c0175

SHA512
0a4f57dd61eba53aab24fafbe758977ef00071960e536b57f9805d35ccf25bf50cf3519544ecac86c2d1efc8e4026ed3240a12364a977fd838d0e3d6944c0bbd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
1379a8321d3e09115ea29539b3ad6725

SHA1
f077dc53344107c2dd295eed47132554bd412bdc

SHA256
4608b2826260eaf662f0fdd18805d1fa53532059c529cc18a10f0869df88a06a

SHA512
1051bae2e0d7b4ca55f6285c7e5f9fd39ed19d5fb5fc594daaebf64865ce8487d17df2beafcea6e2aefe49f98f34039d698a0c8ba16ccbde38dd027bb6a2091c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
caead8d085eea33667c8a54edc40a8ac

SHA1
cb21c9528f1333cf45b1517cc38e69b04d00642a

SHA256
b4132b88c7128a054f4b9687c2203fbaf0bde3e5721244d4a78ebd9f6b79d586

SHA512
943e9d58ee69b7ca728b004c1fb5202358ac907f25cd9d61c6227c645c4c7c6e4c86345d5db39246cd91cde37885abe2d80cef0902fb54270fb85353c2ad9762

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
1b1084e58a7b3c8d473a50221b69b590

SHA1
2bb93c81faa32ea2d8eda87f62b9d62fe10c292f

SHA256
04f0337dea81560c008be5b8dbb24bc5257a38856bb42e694b2234aada2f4743

SHA512
eb535fd5553384b45443787ececf265bcfbc2302eed7c84b2f73ef85a2d141efc39b42e1b8910873b04cf1b45d4e7c04dba0698e39d355d63a96f68fd59fbfa8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
d65f05f7fb8295b8878b5b29d90ebf81

SHA1
cc9fc7cc8e1723b334a0d0ba0d0ae5f6fd0f6e2b

SHA256
ecc9541e8d4dea4d092a6db39aec09ba2acb9448f28dda1afbc250ef84f4afdc

SHA512
3ac6f5ea51267f75e4ba0ba50ab3d89b07356e0cb4f0dc4904111b3ad72b4d0a5cdfa22f26166ac92387a5242aba8ff70ae23b0e7b9052ce6314546aba3e3c50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
01d4829e925ee356e03a2726ede0e2d9

SHA1
851ec97a184af7a4413f5fb69f729176a395aa75

SHA256
98d6d0ce88b9a5c11a44ab540961193bb1f160e6a7919dd72fe51e6283bd1476

SHA512
02945c447c6064df81d3229873545161adb0c417fcab90c5b5ce706f8fb516191a7b60e64378ea2088841214923c66ff6c6d600ee6d038ba318cadb0fbb284e7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
4e3763cf547bd1ed5902102578197904

SHA1
72adf59cbcee63ec53152bef509c0658bfbef853

SHA256
d65ba27db2165c776aae6830d2e329dcaabc0b5f9a8be84c3c1f88f24dd0df26

SHA512
1a17a988de414e21d3d66e903461471fd1ca7342412bd3a330a71ce9356fc8e613bdcec191f00e36f041b17e7fd74bdf13a20a7dbc2bc9e9d9a0cd3cc69dcad9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
5442ac871afc952d2bda6deaf3dc93be

SHA1
53758764a6f4a3014a49002f1b276ea9357fda84

SHA256
44b2b71bbe5f3d1a14138a6368ba0646f0a4bbc339e1786b94fd64b2b2c5d38e

SHA512
2c8d9bc688f915fcbe4fc6b608a4215a1b57b0e2c57405ca3236252eebe32957941de2eb594c7e3e835e335b7a5f69d862d3307f48d0d64943f741a448036e28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
b47aa40533725da198b858d843b3c605

SHA1
f26a71562501715bdc2ec13db6bd510f008790fe

SHA256
34d08a288dfb63dc21af53de0243c6f3d50aa72df75eb06427f628756310660d

SHA512
9793caabaef43f1bb59e371f64bf5d88da80c3f52e9eb4f7df55e0e2429fa0e831e7b577ae21d38f9cc83b982919582f565a603202f12c8b1649198052da229a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
fd22975aac48494a5f7236ce25e04aed

SHA1
ac490db9f4e710cbdfe09d7deb658cd3817a4b73

SHA256
12fe9897d479e36d3bc1a5a50a564dde9a60a2a1c71f1dd7962338b7f0abd3d6

SHA512
eb1b0be1500669708ac0dab0c09c6dd87509e16a26f9b9d201d6494026811d7d332dbfe554898f4836517d970e51108e5d74ea15e3c9e4cb5d4c1edfdf6f8f77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
11f9ae599b167625dab7e1be92990c1d

SHA1
0a09dd9519d7bb7ca6e5c73b534d904522af07e9

SHA256
bee291c6ebd0caa92170c7b7d725b960771ce1130e99a399613e740fd52c28cc

SHA512
b76307dd47f0df62917b8cb5a2194d397464c7a9e354251200b305b23c8c2d9ee599a86b666d09b68263ceb2be54c50f6938e78d4dc572e6fcfd86563de83c80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
e90e0c5f7336810b5f925742e9426953

SHA1
9ad959335440daa361c15c54178a1bb4614fe211

SHA256
783c344c11e994bf0b7120d28d12e86481f0cb9daf1753ab9a75e6e9ced60aee

SHA512
cc1c98bfcc8dd0e885427e6f1104610c246e36079324d7d3c2ba53d0c54c51c3271dda624b62d8f86830151ba00e4aa4fcbd28602a7b475ebea6755450d090c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
5c28c0b515f81ab308ff9978f668c751

SHA1
aafafb89fc520d8c5e3e86ecfe467daa11181456

SHA256
da85a18f3c855f29c740b25d43510efc7514a078e63fa744f9a324dc082d465a

SHA512
ef3052da2956083a0e19172b5686d4a4de214492cf84c7736922410d6e111a8d0ab4328d28e06182c7e1135fa7da0e713e399ba8893f55406b197fa841a319ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c5cb359b07c3b8702308b4b55ea21a97

SHA1
edc343178406be7e0896f2f8f62e7517ef8e83c0

SHA256
e66f92ecbbfff42cb1793127a2f6997634d476dcae297bb57677631e3a544982

SHA512
f5c9bdb92092a8f1ccdff7b6a2ab75bd4c1495465ff97c1fbf0990e02da0d4f2b2d543498f6ab6d6d4775128827a4209e09913dae4f1887cb34d29fb50d74bde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
5cb0f3ba73fbdbc17f2a10ba4b9a04d4

SHA1
5f551413366fc1de5f9d84538e84690c9171532c

SHA256
2948df16267f70f78f766765a6ffac2e4d5964f365cbe1fcccb6df1dee530bcd

SHA512
b81810fb7539f75f32793b51ad6417116123842f852a8afe94c54fb1b30ef52841754412488c59bb5e2d034e1676d2ac3e411bf3bf3479a88e899ac86e6763b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
e92416d2b027063d49ad9d78e9cf4457

SHA1
f01a0b920c9960928c005a975e261d3e15eaca95

SHA256
9ba51e4076ce0388265c2fa14ea42f116f45f9be695a9b47c9787cffcf5bca5f

SHA512
80e7b9c362f9ede0867b3c77cbe3fdb73b667a24d4e34e12b9911ca81faad8528822535797136ead4d8ae6deb55dc87fda2554e4cdfc46283e891fa093780cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
124e39983b1eb6d218f82293f3978150

SHA1
223e536e76e18321955e3a2158edfc5f85ce60e8

SHA256
340cf63843721bb2847314d7abeae756c202790f5ec40b10368982088e64896b

SHA512
b55866e35e8027a1dac3e824c729bd9069f062bb184d436d0e52951aa5361d1e27179666eac2e64159caa351e180e5d918b6e84434028703c3d3531dfdc07835

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
5c39da04d9a602e60ebbb33bf860118c

SHA1
708f5912a5a680c0e0812d7fd0aa73ac256142be

SHA256
aa0d00eb16aed1bc0612c122c177231db58a96189cd15a39a9501ed826e8af09

SHA512
c9fa4fc0c0bea5cbec307b31fbd8cd35494384f5955c3d8f31574030a53a7564be50f7c6c2c16cc3b8e04da6971488a8694044401a34fe85607b7083655e014f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
8aa50d61a84b3adfb3dc71248b1253ca

SHA1
4dcf023df43ffe096f3ccb1f577e950238afe0e3

SHA256
7ce29286c087315eb730e03ec92da696d60b0c61e52dfef1eedad77a5f84714c

SHA512
1ac214dad36764d67063f596cc1d7f2a2e466e7c5ce949973c5a82d1572534d0a41a7a11c625ee00921e846831162031a7a54e29df7daea25910d469b2521bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
1f0db299ab4299c78c59564dff58e1ff

SHA1
8897abfba1dd0deffb37180629e97f5b9b2d6125

SHA256
78911070e243d265b1f2d5bb5b89f528e1a3ad193f9f6e88d49719ade3bff854

SHA512
e6555b4eaa565b293a7a9c0d0ea50bbe1d8ed25f7bbfef9dadffaec5ba657978f490a6963fee2c5bedb59cf5b8fe1d6caffec8f78f734cdbae6c483f77d9c3f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
a9fe4c3543a1a886bf3ce58c26038426

SHA1
e1d64fca18c352bee0f6f49ffda7926361614510

SHA256
5f89a76743e8856348da01d253685dece1dc03f3f7bd7a31061059cfda6ef627

SHA512
8c28f645875279b3a252a7560f6ac29a9c1aed01a14a41b682b80263e33d666c92bda7660bbe25b5221b304bcfcd33bb6d7dea01a9bc16e8c678d5f1095578ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
f22f107ecbb5779211e7768cb3ecc170

SHA1
8ee9f4c9d7e152be8a338c8db3f8f2578f142d6c

SHA256
41bf2b1b56596154c2a2f52890a34fec666c3026c4385e94500923f3e9288987

SHA512
e837f33fbb0552300d0d48a80fa7a07a9954f496baeb73d32e12631d7f06c4774d34a47e9772082b76c015f98120334ef4032eda50b64ee45e353a331e95f312

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
216c2e9547e82266a615022118082292

SHA1
8ac1882b4f7f90cad7a80035bea3d1c76e68048c

SHA256
dbbc51f2cb4218471be387cd5086f7de1b0731c91955713dc9b5ed69eebfe380

SHA512
345ec5639fc38926142d8f961ae34dc6e668e14532d0d9be98fa6cfbbfe6b74e04ae4584bccac1403824aec1f7a60b7517cde9c36d8f1b687ce3166f0ffd4663

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
2d4d20370ed57924513db1d18f2d2c00

SHA1
4c90e5a20e7a5653ce5d88924164c46742186a04

SHA256
7f8d6ec58adf40875371c28a8fa8620ef2593c2bd4daad83fe9bd7ded916b96b

SHA512
5e614af45446a743c19448d5bda85eba6e4c3c2e740185d79b5703331d1b12b869925044f7def32ad0e757f11ffed151529d1f3d63e0e66db7e7be4bd133bb53

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
4fa53eb111ffb14e2ed60f5b6e4b0754

SHA1
a533e3aa4e02f76b85fd695cba51ea4da2dc4e84

SHA256
84ff15682cf6b2ee93613f69a3e5cb20436122a857051eb33c3462ff548fc8ec

SHA512
2bf4af4b2bc9b6fc751750845ed49f23857fbe24eebeb1e216ddb01cb24a17d90429e46f8a173da68cfa01214cc684c84b85f35e60fcd09b571e806e1622e9fb

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
0e44f7614953a981484cfc5665589fdf

SHA1
d82c4924f8e2776ca1a766c1e8cc6ab16f42ec25

SHA256
f32b577f4d34997858dc2fd06133472417c24dc965ded15fc271c7af9f662e8d

SHA512
9f23b6a3c7ef2e5c5a9099f08c97599ebdae0fac319cbcc7117197f3953d82dfde1c487b0798b330463ef280d923a9ae80452aea2eb95091da54441ca5a37b23

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b2d5e0fe26cbf661ddc12be251d766f6

SHA1
df96c13691af88ab7c8146264d002d6ab7b82388

SHA256
302d272cd6d0c636c8e617329895286bb9f92f2f810b924e863127d0105e539b

SHA512
6fa8b8629933177b0a733031d101fe08c1164060e2cc468044a9ffc09235cd745da5003921e32291d6627e6cd3a4399cef35464de61d19248e9ae88c19afa47e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
8062fbc99a40bcfd6f8f10fddc2fd1c8

SHA1
3a573cbfaa9d2c7f45a0454af7370628e78a919e

SHA256
c24ee2310a5a9679b8f404d87f14defa8168f26d4ebd4869edacb596086ebcf6

SHA512
dee473316411fc04b762a58e313dcd628bc252eaab8f5e3570136271c682e88e32d5a13ada0476cfe82541dd7c4969650cde5ec8343e3f44725a4cc3dfcdc7bf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c4b1d6653acd575581aad488fef3158a

SHA1
962de8a5beb8e3be3407d638719ddfd6aeefe4a9

SHA256
5503716b6ccbbe9aee12c98b2328d43344009cad9228fde5a1bea18774a47261

SHA512
8d27adf87657119762dd5861e60205fae80d3782e975fa24f796f6e5c79456398816198cc28201687050e65f0608d2b52c6efcc1cc07f8d1645fa3a4eeeea304

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
6dcd508eb3f233a6a7d9f8de0c688948

SHA1
03b4b2b19aad5d44e5a80575a174b273c4420a68

SHA256
2b435d0948da1dde1caedb96224bdaeb000622f4388653877544f31733b4be1f

SHA512
70d0da176f1a37b134a558120f3181cbf06ecc5cb8ff0aeb326ec2b46de3d22dec0aba5639e0cb57af51897bdb004bb61778ea7342c6b9a04b3c0ae2bf4b0f68

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
ddf9d29d5e7e766591fe9d5b2c5221ef

SHA1
748fd4238b337ba8ccf0c688b0837ee716d2015c

SHA256
9cf7eb78837e0f527ae6c84c18ca39e3344d581bef4cb886391f031252169624

SHA512
fc2d06902b118b9d8c0c9e16316dccb05e87b45c05374e26ea4eb034eb4fe10437ad06ad33c88cdd20139e415a59cd1e1d1596b27d3c2ddae5c30e37e5683eaa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
33999e3d645599f354368f261c5baa09

SHA1
cabd0f9f175607307f0c9bfa7dbaf3138e58bd49

SHA256
cb88cdf8cbfc4d36ce0b48d43143b239c22c1bfb55b59fb77d716adba851da13

SHA512
f1de351a44cfd6e199bcc0ee31734bd7ba010ec8a6db43ad3e39c4e09fc11f30b7fdd7665bcfdc05de4d6a9a6557415d6cc781b8419ba452597baadb2df433f6

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
0349e8c34fc0b6b7c26745f06cb61803

SHA1
fac9976e0e32b18ce6cd2a4399ef88927d18141c

SHA256
e295720f8b9e5f78beed230158a0c65d689b8ff79f188253edc74a3f07969510

SHA512
4609fcafb6fd974608512b783abf41aaa8fcb79316967da6d37f17bdbdf7ceaa5cb090fcab4bd618387ac5d9c9fbd45ac290a39cd12d94cc08b311e6385be84d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
bf504ae384af7af1f20971f9b18fd2a6

SHA1
5ca2fe9371c3c5bfe035df7223e5be9d49e2d805

SHA256
86ff1b5f3a983028a6da3c655e1ac0a7cf8d2d8638016248687d6d9ea8c05498

SHA512
671aeb8f4f129fbed487b8b1d76564756b3a84dc1944e08f87f35002edf3a9c68d7120020652d0618a5760a7f3b528d94e6d84c47dfd0d19bb89137e07bb5d3c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
fc182742cf60ec3ff5d91e9d2e0212fb

SHA1
c758e26d995b31e42a6748a2e029683e88bbe2f3

SHA256
8b0f45a34316a604e5d507fa38b678dfd27224ea673eb92692bfbaf280a23a4d

SHA512
92ea8c315e044ed00d4fa55ccdd9bb9ee72e5396a6ceaafae704646814485d222db74fbe87586d5afcab223076c74a5e8c11b9eca8005bfb63735ffa5a1ba79c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
60b8dd519735e8b5eb2c698d53cbb8f3

SHA1
368c0457163d1a12cb6d4b3d7b88f79b751fac6f

SHA256
1265f5fb2f3f24c88a99dd892289d8a3970595bfa7580ce0110299a9a970fc7a

SHA512
8ac7d8673b8cb7e1cea5884961bb05df08dd61398bcbaebb662a0ce30a0e25112ac7348198bcc83093ab11c4be6881efca025a4d14409d05274bcdab258bc8a9

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
441edb3e64096bf746ec60ee85d5d79d

SHA1
642e5af0ce3de1dc8ff05c3c7e3223505f910e85

SHA256
d5f1e709c48381141165c97a60f455bf6a683027cae5dafadcb97ae33b0f1245

SHA512
57c7c385b0ec941c69e29441ed7b54b86f20b337efdd34ff0f49b62a3f65246f64d012dc55a0e274b83f4c576902bd9501256043bafdea699162f8a6656fbbe8

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
babeedf03d936b7fc2247e591101b4a4

SHA1
b199bd0aed6fb673d84f85e1a81c469a17319d86

SHA256
662be300e741e310d7e3b399b4f24488922cb2e6867238999720b3837b320eb0

SHA512
07871b2dd83c13334ad6812517ce7d58714d98b8f846711eaec0b317e3ada99ab5f607a537dc0b1b3a7980aff12d36c8c775ffa19f286e2193e23f60d6bcf4a0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
a0f1f8d0e6eec683b4f79e77a1c83904

SHA1
ac08454688c614b87306412eadf863e88188bb05

SHA256
57b7a1683bb7ba581b9009c4e11502a34d08c2b0e61875082ac4756c42ec1d98

SHA512
4bb5972f9f238b901069287456bf31e3665f54738831a6aab2a02e9c5fa39be560ca06691d188361155bdd3d6a79e52d81827782a1d859c5f6964edc7f145bd9

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
c1421ba358dc91c3fbfbb46a8822c37b

SHA1
78168eb35814f610b70c050215381457c059f3cb

SHA256
81900d366f654c0328f916204db9c37516cac760b9b7ed2cc4698e998144b0d5

SHA512
93ab9a855427f27128ef3cf7be5c41982ee306ab02ec352b92e633338fcaabdfa296d2d8524a5c274a63b417937e0eaab1643f657ba95f9d7a3a9ac671cee917

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2e0e3dbf46b37a5d66d7fbc90707c1af

SHA1
3d02d7ceed617c085c707e87f26968586d0bee3e

SHA256
ed38f58f988e65713ab90c31c76be8f51fa70a73d14af7956c76b9a9f5dac6b8

SHA512
90310d4bb4d7a61d65d565e82bd7b928dc7af8122c7124bfcc6352cd64a101ed42875882ff08ebdc382a6e0ea5ad40c15b2ffffbdaf55427843fa0585e3d664f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
1e920e3597a14a6919b165778fd3f4ec

SHA1
e9878e23ca5327130b3031de38c94a5c39a1b8ce

SHA256
c4ddf9d7612e2e0e825ed44f44364c9c7236f5f4c46aab5531b687c0e0e2d73d

SHA512
9ea32197ec5c85ec0b9a546896e6c63c51231d8ec1a68393ed7a890285ad84000422103eed16610379b0d2c32295ea504b85ea101fb9fea0e453f5a039c630c0

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
ccd4763e020bbc1268444495acae652f

SHA1
5327a80557ee608c01092a63f7752b3813211f4d

SHA256
fa4c0435cc23db46f86630e20af4cdc6939d310f43eb6810e4746ea10156083b

SHA512
e12d78fc008ecb2293d6cd12c43d87fb568f62ff2408948752f22954061fe3bf122413c287ff9c54cf5eb9e92ef54974f3c61f8495adbe8fc1fe782be89b1e38

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
a5dbc30421c90ff61798d498b15087c3

SHA1
8a01e905b63e3c0f29f57ec5836d81544b7089ed

SHA256
449581a9a9c4ce20d4b36fffd2324b65bd19b9d034602190b3f3b8b85481fce1

SHA512
eddad07e2b0eebaa6d55f8c70eea7227b5612d218f4d9738982aa61f2b8692e3676d304ca4b840984ddb888725e9915e00e70345ba37b3fdb7b721f8bb089ee8

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
569f3d874c81921fc8efbf87da57943c

SHA1
215c693755fd79f1fad8a7f74844bb358a8b819f

SHA256
8025f0ebd7a93ae8b12e490dfcf00dd1d1b45e7d48129e18f9886de1db98e762

SHA512
5dc9f95f2d3b7139f17ed29e4007abe446effaefbc4799ff5087ff72d652915764806cddb080da4caebba297205e185f944f9632b292034ba9d9338e3de6eeeb

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
a7650bff45f46106f270570903ba0652

SHA1
c35531ec08b56a9e6b08c007177981807ed96244

SHA256
6ec2791896195dc99739253efeb786c8fdc46e891d4e722e266c660de1e907d9

SHA512
2e2ea73ad183a078658b9af3b7042545307d63398dfae4290df02f9643357d5edd21b7f7e8d0ddb2d0c798f48ebcf10c91f06c1d10f43558c13b4ccc6a0abc9d

Download Submit
memory/368-525-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/368-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/396-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/396-165-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/396-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/396-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1164-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1164-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1276-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1276-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1444-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1444-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1516-524-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1516-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1588-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1660-465-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1660-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1704-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1704-530-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1952-50-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1952-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1952-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1952-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1952-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2224-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2224-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2240-97-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2240-89-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2280-1-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/2280-6-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/2280-101-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2280-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2344-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2344-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2344-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2344-127-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2380-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2380-531-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2540-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2540-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2540-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3196-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3196-522-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3212-439-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3212-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3280-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3280-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4132-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4132-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4132-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4132-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4292-521-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4292-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4332-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4332-528-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4548-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4548-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4548-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4548-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4548-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download