a29d64c88a6de85996f6c7154a2d311624ae9790b7752e16c7c8ac3b850526d7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Size

712KB
MD5

0cdab0bb2c75287c12dd0999ff4d4307
SHA1

f15a3fafa1836611220010ba5056db75074fdd4d
SHA256

a29d64c88a6de85996f6c7154a2d311624ae9790b7752e16c7c8ac3b850526d7
SHA512

0b0f3e81a2fbcce9ea4a45ef2d639ead0c6d2d5a17eec4c1d937ebab8698adbc63640c5c10f96c0b7f256efa4a8acd6624e105b3b48c0b55229e210a238df8f8
SSDEEP

12288:BtOw6BaFmqmFrfBCgiw4bivhqGoj85sVPL5qw+Dl:z6BzqMrfUgYbkhqfj8uqw

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1920	alg.exe
3592	DiagnosticsHub.StandardCollector.Service.exe
2920	fxssvc.exe
2276	elevation_service.exe
3780	elevation_service.exe
5064	maintenanceservice.exe
3716	msdtc.exe
3320	OSE.EXE
540	PerceptionSimulationService.exe
4792	perfhost.exe
1804	locator.exe
4932	SensorDataService.exe
4316	snmptrap.exe
1852	spectrum.exe
3184	ssh-agent.exe
920	TieringEngineService.exe
3832	AgentService.exe
4444	vds.exe
2020	vssvc.exe
3032	wbengine.exe
4468	WmiApSrv.exe
2164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e37150d5b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c3bbdcd2db5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a29bdecd2db5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000332e0fcd2db5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039f67bce2db5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f00a70ce2db5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000385254cd2db5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bb556cd2db5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005e62ace2db5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045b637cd2db5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddf132cd2db5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000885073cd2db5da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Token: SeAuditPrivilege	2920	fxssvc.exe
Token: SeRestorePrivilege	920	TieringEngineService.exe
Token: SeManageVolumePrivilege	920	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3832	AgentService.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeBackupPrivilege	3032	wbengine.exe
Token: SeRestorePrivilege	3032	wbengine.exe
Token: SeSecurityPrivilege	3032	wbengine.exe
Token: 33	2164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2164	SearchIndexer.exe
Token: SeDebugPrivilege	4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Token: SeDebugPrivilege	4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Token: SeDebugPrivilege	4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Token: SeDebugPrivilege	4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Token: SeDebugPrivilege	4284	2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2420	2164	SearchIndexer.exe	109
PID 2164 wrote to memory of 2420	2164	SearchIndexer.exe	109
PID 2164 wrote to memory of 2920	2164	SearchIndexer.exe	110
PID 2164 wrote to memory of 2920	2164	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_0cdab0bb2c75287c12dd0999ff4d4307_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4488

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1852

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2024

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
156fc439047d59ff33f11a9dd3e748f2

SHA1
335444ca0486930e0e47c96805ed4b1fc5c94cdc

SHA256
6c0486c69a1d422b8ca4d382e224837f8dc9c2e25ac6eec777979bb2f70130b7

SHA512
7ac25decf451b95f89c58555bbd853396a2f86d10fbb8d4f7631f56733796d4c218c429a6abc6c7ed70b1586e98305b3969af5e7609e9627147b2426c17173c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d8be120a1bf4cdb3cd9b1534bb2ef211

SHA1
4357ba6a85f1a8e9cc7d40b7773441adf413686b

SHA256
5705a29e4a09d70902d5e825196e14e9d3d3f8e8f05b6e27fa9aebd00a037322

SHA512
be58273c92b4a1a29f7d2fdae31bb36ec1dcea53370522f15cf4419617829c2de71af128fee6546cad676cad896c7e3e574d3023b2eed3b09b110fa1e4e7db70

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
bb224ab2dc106dc4c2250e4ce4f828bf

SHA1
a7c347c113cf5188cb8b71e6f59517cdb505c36e

SHA256
adc1dec5cbbb96ab72e42c14e71f4630d29219bd69495077c86063f69084ac6c

SHA512
a7038641778e8d6b9ed347b37021c9abcc27dd958c1e22d3324644097ffcaf7228d2b97a392ed0af4938c8ec2e79e54a05cb18966699b13f1089de39fe9288ce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
60d76aac75ab4c40654ddc540a53ee99

SHA1
b7a074cf24045b74890159f8d9ef11d1496478c1

SHA256
d304abebfff67cbcfa9c4c50c0e0d715f87c41f874808e8a63968f85788d4cc4

SHA512
ca603e7a9a7127f8085d56ab273f0e1f905e1bbc4aed55428d811f370f0b2d0b9d36c8b8dcffef4b576b2741b936119dcd8c6c2d5ae538f4fbdb68b179d79b85

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5effb0b4ab40f35ded809d9b86529cc3

SHA1
56798eacea9ce123c2b57cb1494c494d803d299b

SHA256
6cb1163fd5f77aff9784806c95a0e6f8856ede0e68b593893df0d0ceaff789ec

SHA512
7448135f1da85563f87d5eaf6d926eb3e1a6fa52c2abf705bfffb3efa6863a8c5a61a4df4058f23a408970e0bd455ccbf9e1c0ce29a7eae34b00b7124578391f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dce4bd10c2f4f9cffa10e6bbfbd325a7

SHA1
15acc2290b6d278f2c53e7376f06fd566e6790c1

SHA256
c98e7f483c1305e544fee6d0fafde9c45fee62105d968d3568f5db0f71a973f4

SHA512
c7dec0bc799940d5bb3af9d84c366788cd91ab279f6fd03c46dacfaaa1ca2a846966a256b572d7a3c62fe9b2271487b8f4664472e7e2312934b367986e2b3ac2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d899066949962b775bba5fabadd9ed75

SHA1
ce3d783ba27060143af0f78cc0747a2cf5dfb15c

SHA256
76c8da4a0ba92d72690e91b9c2bdde4b23feed6bdc4cc21e008823f53105b793

SHA512
6bd1eb93204be33d3656adc805cea4262f104265231c38ca1c73631abc1af728ea56571e718044bab9331a7d572c8c52d79e474eb72fcd58bbf4a48249752059

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
685009cdd56594ff47c2a254beb4f8d1

SHA1
1e008019a5392f42941bd913ed346f038bc06cb8

SHA256
b2382ffb6bab8c56c346f0aa6ec1d99860f2b81dbf08cc1aa03646526e39882a

SHA512
7b234670721a19190883321341dab1851466a222b344a7d40822074e2c84a98f5ea383524895b9e936c6dd3a21525c69a816e9534e33b7259005234fcf01b3ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
14132c3538f42f55ad24c0f6f8d865f2

SHA1
1c8f600351e817a338b4d19d13b2ffe0ee068a0e

SHA256
de011db81c91e197e97cdb32a57b1e2c7492055be8aaf39fd96af682f4e58ad6

SHA512
1207e7693a4a65e7daea128293c11d67b033fd519252ce57c61a306bdab56a6f86a23476518ac909caeb7bb57dfdf5f1b76d9e7e732be09df1982892b8cacd17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
839603528dd4a2ffa326951da776db79

SHA1
4b5bcfe16614e9c4149b062581010e73dbeffbbd

SHA256
6e3bc3fa37af0381bbde33ec4b9e10eac30dea9924584ccb4f2536b45eab64e9

SHA512
c356a2c13066221c2fd258f5f245df9fa7fea32c2fc6572846c19ac10c66861488264139d84241f832b5149079573057285ad16589abb4ead125c8076f09ffd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0a50d6e7c7a286b4021a6c72d25a1821

SHA1
1b17cb803092bb08d1136922a8e32a467cdb896f

SHA256
c86937d781e4723cb8a897d26e24c06cf32429a2e9d68807112b15e590f3cced

SHA512
02da9b65f7c72198df9c678ecbe070448222164831155f0c332c2a0e4914ce4706f96dfcdf1fce0c72320b15161016f6dd941a76baac76ca9c3cf9ce913778f7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
71fa81dede58bb2a99d318e8064e3a2f

SHA1
d9391a4fa79e5bb8a91d9854291aa390458c6557

SHA256
dfd3d4969930d77affd7ce8513bae9d45a171f6b69859972f8c6540153f1bd4c

SHA512
d65ff40f71c23c39fcb8b7a0e5b5b9135ca29b158c2e60e2c6795bcfa37bcb59f1aede1d0373c48e99b606ef5ad625f00a086b2f9d1dc1a378b949dad6fb9484

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
57e959e8aaac504e36b3c4e1bda85ab0

SHA1
72c1289465c0daff12230ce3318b279295cca3e8

SHA256
ca537589516605d948c148009959c835d30c848ed06e0764621774a168450e0d

SHA512
a2dba0dbef7a5538c570ed2302c6e1fd2bef0c59cbf16adddfbbcc8a1bd309c2796cb4ffd48b9d7d63829f717e19b2011b85cfdfae038b61678c8a4b1ddebd09

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
71de5caca5634609f011710fcf7cac82

SHA1
f0d2b74eeecf452f9327f6f686665e79a70c7551

SHA256
91b5de0cabea3cd8616b8fe18f0317324d770ed27adc5a4a87ed46afcf278d51

SHA512
978bcd4cb5eb6c25949cbc45c13fea5184acff54132662f15c200b7577a12c79e7693b1b2f593968a1cbafb20653f822758c7dc6f3c7e9802a36d75ba69c6bdb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
da923c5f2c8747a4f69fb3cf36e87bcb

SHA1
d43c792a956dd6ba8452811bfd5c1fea63b22be6

SHA256
f921474283b6786b493b971751ae24c8ea631caf0fb340c0e8ef6de6b850d95b

SHA512
d9bfcd04628326397643fd38cde272ab720de5c09a16abbbaf92759fa1392873c3833c681f17b9ae31e2f62e6ba4888fe065c12bd8eb7acdc478e45798bac192

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f8da7240a6c7e125a6b7df7b8e591c45

SHA1
529fe728d6c86e9541d5d8e6574a2e9e0f8458bd

SHA256
beb9fb08085de729e6436e45875222673fc3f94821cd5ef7bb8babc3fb22effc

SHA512
c2248c942aa6ba1bd7c44acdbc1ab7c9fef18fe367e0c4e9ef78ad972e9003370fc490024ccc2ba40248309f17f34d9662739b1ff5f1fdf38463a866d89b3115

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
825c970a1e8cf6cbab503e98afd10a8c

SHA1
7f38da69b76d81efed2adfe0a7090f9b83259776

SHA256
eb55256756cdc8bd8403ddd2a57be57b3eb02605b886ffd82d04526b2cb5f2f0

SHA512
084565052034b79190b137dc5f87d06646d6d89ec03373bfd0115a60cae75cd4846ef036e0be04e2f094e8228cc583dbe724074a170a1645cfa5ac896b18a601

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
83d486e352c596734fdd198b40fb1629

SHA1
fdcbe3a1decc578be2dd54f88689cde07113659b

SHA256
2b557e1acd101e383914e940d2bbb1cf011e5a026e0e33bccf6cc5662d4a95f5

SHA512
5b77508ce365a725b0dbc17dec637400a575bcc26ad5f79b04408db65c489062c1e482a4a9c99bdd4b588c66d35650fcc632c609a6a8fb41b12d504b5324ab58

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4822640d45c1f4f34ba0a2028a913e5f

SHA1
45d633abf10b383f0dbaee5f54fd72de25a13051

SHA256
b684d096caf21ba2afe5eb0b1113b5d92be3fda4d535dac2cff299728b423234

SHA512
4b1af4f3cad565af49880cb160a66cea0011f8dea17fe82b08bff543dca8cb4ee3d518980f4617f34d8f2abe214f7b96ace148b84a765de55bb8897d477d6716

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f9ffc05f653751687455266b05c29bb0

SHA1
cd2b63730713c10c0e84afc4f09b06c6b903c43f

SHA256
d6c773d3eb2e05b91bf56638f4bfecdc519100b64fd30ad5fb4432db58823b39

SHA512
c64bd1e05958adba0e4f012d797c4bcdd7de0b14f449386b3b0fccbba07d18ccc9ffd472a3d05aa0a564d4950bae8d3549b38b5f13a1b9de1673871991069647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d402400a3730e990f7e9bbfb29fa9c56

SHA1
0b5bbd5dfbb888abedfa91a0977fac1f7fb22ec4

SHA256
75bf5ae463af5fac9d1153c3a2c965177da9edc4e63930405ff37e329716d444

SHA512
928ac20702c81a232f0b2ff52a6033b7d8428b51f90f57fd59c4c434187c57f35c97a1271ea9156d8ce2163d5238b01ba771294a9ff8d58e6036b642fc43320e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a70c7320b4c19a32048d06d07c2fd266

SHA1
4a176367785cc5a73383558b86a4745801b983fa

SHA256
3bf6ccfac1bf1ac1a1bfeff4e9b0488513bee6d2c12d17effc6254a1e09cf2ca

SHA512
b861fdbf5aed963d91359c85115997501238ee9cd4d8f5fd55bf5399a4353a9cbc6f48eef8adf07677e7997090be939920767cc1b578ac03b6815ad1bc46cc96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3a97c79ec4058bb7ae0a3fa56d74d180

SHA1
82d74f5a0601b41ad21aa6fea40a20d67219bd64

SHA256
c0f46981ebed9b6535d7d0ef1578e220c1e2a7ef37c4cc93baa1ed82c03227f1

SHA512
94a944e3ad1643b5709755a8222405046c36a0b13df4764de793169ed05f4c0486c153432ae23629d92fa79b89698eac7618d9a74def197ad800844061cd1cf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
50c658e1d0848467cc38ddcbfe0bee1a

SHA1
506a752b0ee5ed939be6a70998d0b9e552ff67f0

SHA256
7c26a3edff0df501380d150b898a9fe9a52d868bee153cfa31e59b80af1f958e

SHA512
85306c77425eddef5a1ee14969995c94c26f3aff6b0006e533d51392bae260d5339e486b5466847345ba3db83b4bd6a54e3f6792fc0cbaa417fe7c3498dcfb9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
30f06173efc85c5b5c13151e9528411b

SHA1
7a553903b051bc5bca16aed27b0e7e78b90ee5aa

SHA256
d7f2a0d13380826879dbcea8d3fcb2fa5dbd8f005e211009888994fccee9162e

SHA512
a2e2c8d70070753502b6f920c730210918756d8c1b2ce80c2472c373230eb6e4917b849bfd46577c302db73ac2b22f498774a1e144bf9f83ce2cda513d69c7a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3d58f9b959849b1d6f23a8f459654255

SHA1
1a915a0873513305c98f7a5a2201a24bd943ca52

SHA256
cdd95cec5372f2a0116cd2757214aa5720524c1e4616b5cf1188fa7ac1cebc11

SHA512
f3779e081aa9bed4054c3a3c9398bbfabcbeff034e6415273f7e2e9a536c60aec580a717a3697547a06988f0ee2f39558d26e58f0392163d0c0f795b200206bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
096b26b79e17810800cecf44127d2330

SHA1
a10c90ce226b712977794f3f4f619d7a4ab4fa10

SHA256
a554d0d94cddcaf59db4bb207f1fac471388f35f731f4fc4d08e00cf77b06ab0

SHA512
38f9ff41b056734fb62839b739118a30f2b1f1a09d262de21a070793dc279858d32aec3c06206b19c1ef3fe67e1c0dcc1eca91ba928cab876386531c1ca128d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
595ff279b29cfd51938bb62e3ab2c527

SHA1
7d7a8471ea25ee26433a0a877215b0be92e74e0b

SHA256
04352cd2ce009ee520630ccf641315948074ea56411e45be10dd0ade19fc33b6

SHA512
6824a699b17abd5e67fd57423c3f935ca1572a2410623c57ce2898b719524f87e6ef8b73f6d8c79b8e60af6fbba9dfcda88cb7e9ffc345263b0c36866066b19c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e6343b350e349edcec5745c4cc044e25

SHA1
24864051a18ce4de651b09944760ce0ffcb99d8c

SHA256
1c8600158199de5171f1babb8832826cea17ba97a762b68b6d3fe462b92bcb14

SHA512
bdf873b26a86b6698ef998a82a25d0b74f295ef567ddc20a967d6e3333a06eac4fd2f62df2b836a5330115ea796e9549d36cc8bd45135039b57c60ad89c2658c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ebd7268c1bbf9b4088eda1c16747d75b

SHA1
16fbd69b84f23b1a4556e79d3b27330b39ac11dd

SHA256
8e0db2d2b12e7f77d2ccd945dc42c4fafa0903b711319c4e2d3aaf9d171170aa

SHA512
3b11fd9d2c696bfff1b2c2b362ede0406b6d9af6ba6a552ec63d0dca087b050cf0373a4d8a94aae6d1a7e0b8e57dc36b197d24774f3095dd1f444471ce835f45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
72d626d85f23f2c5c53579544dec5a68

SHA1
3b94d7c05502a232d65f317e179ad4398932c3ce

SHA256
c74b10243baab896d6fc77745ddfccc8a7fb70aef1c3ec59868949daf6385205

SHA512
ce257b9aa68929701f5e8e90a3bf8bd7c9f03c2102380812fc2e93a148c737a4e43f4443e00d6047078643c9d2d66354b40181f94ca5f23b0377d36a74df66a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
66d24613a33591e00fd27ecb1fd41925

SHA1
f5b6ef525c950e0f548348e33ecc34ad715f0e3d

SHA256
911a84820bf957f88adf9f2fcd99b814e99ebb6bb384dad4bc3e598c88a0413e

SHA512
7a0281812ac4b7ab6b8024cee774c7e72a6d6c9b56359b0d193e52ec64907453171bc9bf2c1031a4fe39d21a6a7b233a6b4879ff3b6ea14217ec0dda0dafbc10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9d71defbef8525b1636dbde6c7f207fb

SHA1
740dfeb11b62a411534e237bfc50028919218bd4

SHA256
dd007ae688488a1ca64a0438c9ba5a7965c945276702754e9fb6ec4f9757bf84

SHA512
8329fd23b6d67c17799b7f70d3e40fac124d82b8f98c4637b745234dab5faa61e751c8c001374bcaf51c511adc30679b1695f39042d64fdee9a5ec6516679db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
208abc1e92e2cda65eb504994eacdd28

SHA1
c22c1719cd7f4b12e604316ae3a25bcba4d0efa3

SHA256
519dbaed2bdbf991196b171683c4739e8e066be9ad138de2e917dbc65735f1c7

SHA512
d29bb435f5785cfd6ed807c001baf4552f2f9674105de12fa1a1819c12443082356e18f1366f7a12f88278cf0a2178e3298334c67a4dba35b00d56e24062ece8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
206b18ab6eeab1ba2491125c43c4bb32

SHA1
282369a2e805bcb7f77dd1c91ccfce528bb09d09

SHA256
6781b908842f243290d79c915e0f8cd489e1d9d31121c1a1f9b932f826efc50f

SHA512
dccc7e5806f35188d20f8e40fcf01d5138723afa6ca9c8328cf00841310633387576412c3db0326030d8999535930fa195212d4041a44e728951442ed22c5ee0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
59b3d93c1db619330b38c777c52ad567

SHA1
0e22d399e8dcd7a433549518cdd2a71f08f03435

SHA256
70a5de2f299c0141ed5e8c3413f7d3dceba12cc7aef783c98a1a5c62975df163

SHA512
8366e881b1d7ac726c9dba6b2e60e31bdc2507c8eb22f6fd5e78f231667bdf0466559530b71c794a8d454ceb4f3efad1db633830858abcf20a91444e2c6d0391

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
42c6e4eac02802357c5d11464357b431

SHA1
249da95a5a77aa212aea5c13e1a09a3c59fce1c3

SHA256
3ee17bead0e1f9ae6bd94dc4f00ce844989e838129f6bc47ec20fe75ac7c7ff0

SHA512
db9db24035018aa6d59ae57738ae1af611417170ebb623e06c3a357c7448793e17ba34d13fc9c2a93ff92b89b947d7ac12b6d1c384c2212f106b3249e07bb9b3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3f890fe51d323ff5834d8fca6e557357

SHA1
c59b44293771c0018fd88451702a4e165c0e4c8b

SHA256
4040cd22dbea92c46a4505b97da40ce8d1671e141c5d4677e6069e2dcf7fa957

SHA512
173ce73b5493f4e4551bbfe560b4272cd3aa79bfa53832522a2e51b36088592aacf751f44ad9a58efc757fd28c70cbbe7eced9dad3e34f23e2038ee5cc310b86

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
aeeef7978726abbea6118d377fc13288

SHA1
8b926e46849dd9d58f75e662cb76fb693b061e30

SHA256
5e94d6e07a7841cdfc33c34b8f89044cd4d8271c633644b2861332ebecd6b006

SHA512
f67188a8403b175199042813ef1900096b010be9639f81a593252f5726c1edd7c60865f6d60f97eb2cfa045b26d198a102fe2754fd23c49eff28c97ebfd10949

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
82156cb0351a1506d5b2197dde8d27a3

SHA1
978a7a5e01d7a8f54ec464701141316d04c75db2

SHA256
72e56c926278859e95b37990d260efd5f77f0cbaaa7ebe191bcb0373c5e8f297

SHA512
280f687f5f228301af302a2d0fa4562c21383b22267d87895c4617b13c1eae69e3989660226afd702fb0e9fd2b3afceebfbb9f37de434f68a71cc090021703ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5f8576937fe1de0053b97b19a746e0ee

SHA1
57fdab8fb01ada009fac13f2fbcf4f53d8334960

SHA256
970eecf3794bcc67c96f7e7b5daa37bb5c686d9197461da1095959c673bbf549

SHA512
220f81ead36e67d5f3345ceb97d7f710a1f608fc79b28916a059ce05e68dd87bb77280705b58526be761a886ead811673b11a6235ae70275a6a28e15bfdaaef2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
12dfed4818257cecbb8e55120c0196c4

SHA1
bfd483bbb21201c3a59ce9a33e5f789f1b8eb49b

SHA256
a2e219b3ad5af323fa27b9deb8b4329f89a13a5640c3876bd5e56cd62c3a00ad

SHA512
4bd33b33f81c9690b05b1171c634ce3ec53dfc35fb37bbabab1ad50d2f2bd47d55e3c69a519919dc155f5caf2f2f25e890e50cb3af6ca9b398971deaefa4d238

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
aaa310abf7e14eb46392538b7761a7b7

SHA1
95536f3a93470bd00a82a6d21ccb64ab483f4b3c

SHA256
46c1146eca522b55a73440dec5f5710a889256a7a18c1f73a18951d5e4f4cf05

SHA512
ac8888c63ed596290545d67060bcd62d52b24cd78229e6c40cb79585c261579eb0baf795a4e2737149701a270b0a99c7ecf7c03a6dbaaa605e74dfbc93218688

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
613d539a63bc88f05d6f12f09fa1bc9a

SHA1
1ffe2f4e4f3ff7202807ea16f0a52b9bd7fcea59

SHA256
3cb63a9b59365169e7e4cc4def510858ce0301e6d104f1db421b121f1c2f97a4

SHA512
bb73b3a5bdd5b5a00e1c3535cc9752638e3bd01be64a2054195e38381221ae28c3605812a5f92f8f96947318cf4cfbda43537f694b5be81471798ee0a4c63eb0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
dbaba3829506e94d6d4a27834e5ac66d

SHA1
12932d99b4ddf9dbc6ec64b5b8db00c4ddef56fa

SHA256
d4dc20c54b77ade4c216744b6754ec223300548f431b9b388e05aac52f37dc41

SHA512
89a57d3194c010f5a689fc04ced56061b81ddbf833db114345ff2299147fecbfc14aeecf6ea28472af2bde5c444db6c66014425fea97559b2727974eda246b67

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8317c5c2c23a5059ec5575de693ed1a2

SHA1
418cb54434f7262ba449a5ad41bd79930ac3c055

SHA256
a763c64ed6c6492478548f362128155e2f11bc24c83464fd6e06c5eda65f37a3

SHA512
d8e024c16e65dd4d491cc372537425dedbcb6483678f2cb32f3862c11f47015b4beaf664b4c80e89b5b7ec91392b63ca4dd9a834590b5dea8a667a3ee0ccd11b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f95485bfef1db8d325de8fa845c91600

SHA1
a1776af27f8d98e05e93eb278967c30e78790e7a

SHA256
3791453f4063fbceac26be3a22a77c7b9c9f46a23359ccd42ef2621ad2d33617

SHA512
595280c2c5b47033dfcdb30832b75e7e26780e5388c638ceba79b1eb830c364740c2ed3a71a4f0df223bec18d4e16a8f32d74b7babffca7f331851d7d23c9940

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1e0587f2ff8fcbe02458d32aaec7cff0

SHA1
14754c6c3ab14d3bbd16ec0efc6b8b3fdf622299

SHA256
fb35a95091d1d6721ae73fbae1535879a9f9c2c070eb39e7afff445426be44f0

SHA512
16664200c5b539aa4ea76c06b4bd55bbe91df6ab301b2185a784fcf7f0f06d6b113420318702ef3bb717577ffe54c392c9edf9dfe583cbf27c9b7ac81f294f88

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
70227e3a7fdf405937918bb4de37ee28

SHA1
34b1b761ebc525f874e501eed3777e96405bb323

SHA256
fbe9ee1e6805e0d18ac948b1d2706485ef1ba1eb6edbc3714033439ff577444f

SHA512
8a920e43e9f9ad4914289702d73192af21a587fe4ccfccf38dc83a8f3bbf767062dd21b789aea1db0b2c18f96c8d83a42f33f0582dde378d68fe2b37172de597

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2c48bf1493a6d6309fd88b741bc291bd

SHA1
6793041cec5f828cd58f6e0ead218cca5780db8f

SHA256
439771ef936ee135c76b9f677aec5335067a94b13f1b71ba387658f227e47bac

SHA512
0f180292d7dd0ab08084c721e161d67ecb380fa2f3aa6aa239ac810033ee27fa0cd44c4ce98a7b084ebbec572e714e51e5c4e58c7828a7340cf3ca5017aa6c61

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a9a4a4d380621edea2476a3e3d915e95

SHA1
571cc999ab8698ab5f9fbd28ab6a78804ba9bf4d

SHA256
1040d1989935755ba473d397b6097d368a512aca3cc7ba7fe4e1630e979e42df

SHA512
274adde18e0ceba5231d01db4a961b7c70237a505c5bea822f9b4c10a2637b8183df404e5f9566cf090631e26aa7033fada3c68ee6af334abe9b10d4574894dc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
194ead0fd4159d911192c5576325ed9a

SHA1
96bd941c90de989cfaad6c8af87651f5b113acc0

SHA256
caee792f032b5a68d92cdd9e568df7da0036ea688ef676c05292fdde8a7984ce

SHA512
b8bf9118458404c4945a6a27f640a782f6cbd5af8711182c77a94bfc1161710913b529f1cb2d05851d1b0801f0bedc9f94083d33543a4df18f217891454a0358

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5ac9d450121b762b85d9b894aa6001f6

SHA1
e381e0b5441dc66d60e9eb74ef753c591cea8f86

SHA256
f284168f3993ddb5d06b54c5e2147ecb8ffdfe36e952e41296548498cb4ab020

SHA512
180fe1783de6a0dcb2e7e200b1f94dfdfc383a3d4b762315f53381a94ce653914ac17c84086aaccdaacc46ada320705320ad3fd3e07a8ba8a6001d7e20e2d03f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4dc930f1babbc8f37f4d791387ad70f0

SHA1
5d67a371a743e77c3407a7581bc8c1318774f632

SHA256
f8f41a3668450cbd0ad6c358b154e0ec236685efb5c8e243f4b76c41f5b08f32

SHA512
c8c461b7a33e7381b182f9212cd0e7b2b995122544c5a0a3595a08aba7996548124c2fd523dfd108aed1d0d325df9aad12af8388f0211ecb9d0668c89d8c2841

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
53a59372795c5fa17f7726aeb2a4cb8a

SHA1
f56593b31f18ca4b8e5ec908519355c2f5cf308d

SHA256
034634efe0355c955cdaaee32274364aff2aa7b6dfab5190440c864ce6176d11

SHA512
2a92a3e88ec8b2a98b65b3b3728e6537860dcdba825696cfb785113272739a3957a9c18a4ff8830f136b18fc580134d1580d493a7c58e33f48313cc0abd291ed

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8028ad4435826b150b0454f475099ac6

SHA1
2ba036307b46cd24f8e2883dd79f2be29a1ac2a5

SHA256
53ff3ff638c3435ca036403b74edc8269072d2ef897907874a9c824e83fba970

SHA512
4dc75072db67ac2aa23700ec1e50f2e56318ac66e6aa21f07b054d884185f6ca3969c50017551a961f3c40ae05350cb164d5758fa985c9ec3c4c7d1664f8ff14

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4ee0ac48e637a90fbf22c16b4b88b354

SHA1
dbf7c4fa5f513e2a8e21a9b715801aba2d59acff

SHA256
0875247f728e50ef91c0480700aef58ad6d10f335d7aa3cfefd193818e626834

SHA512
25403d5bc1f75bdc3e601dbfcebfc9af89319093ff0155bd41dcb2677353a2de3f967e49048d4c9e7e1256ac08c502f290c6a78b4dc347bdff6b2ae57f8093a4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
51307b3b7a2fac3baa053c0f4d7004d7

SHA1
9cb2521ea3b7de6b848126ad49b472191dff6b5a

SHA256
214dbaa8fca42fff8fe2fc9889e0d5b27c88773a2a5f6ba2895c09b0d6d65384

SHA512
491355a6ffcc2e29c710d47581ae31d2d75d932c085df17d9bcad1c3c4ffebe2c35a5b4317ff0f17b2dc03578fd7390e05844aaa5ea89a757d73df3f870ba726

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e756daddcbc098b058827e2604a62ba0

SHA1
c0c3afa44e63c5c97e481dedf083356d4c448a87

SHA256
db669bf4f06b8d8ccf41bdeb3292f2999f20781474d4dd2309539506b30179ce

SHA512
0f76e68663f9213b4f1b942a2f55f30f94eb9489cbf994e91d44e6afa6c0191a4d0bb815bcf013b5f7801a042313af33dd76ad1e768cef90653a4eb600ea8169

Download Submit
memory/540-194-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/920-268-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1804-196-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1852-266-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1920-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1920-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1920-19-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1920-550-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1920-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2020-269-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2020-555-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2164-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2164-557-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2276-552-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2276-70-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2276-57-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2276-51-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2920-38-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2920-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2920-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2920-44-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2920-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3032-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3184-267-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3320-193-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3592-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3592-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3592-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3716-88-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3716-192-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3780-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3780-551-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3780-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3780-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3832-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4284-460-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4284-6-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/4284-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4284-8-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/4284-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/4316-265-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4444-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4468-271-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4468-556-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4792-195-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4932-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4932-499-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5064-78-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5064-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5064-72-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5064-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5064-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download