4df90d298d3359dde6011d3cb197b29a5945c4513e4ac5a4b6d583b772e7f75d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Size

712KB
MD5

95fa5bb3782c655d3b94ac5b361cbcb7
SHA1

b11e098c179bc0fdca3a3d022783ae8d71d88914
SHA256

4df90d298d3359dde6011d3cb197b29a5945c4513e4ac5a4b6d583b772e7f75d
SHA512

de7238d924444badcc42a26107bdc9dd67f7bd41a21dfa01d31277ab1e0e52adbd0c339dc04225bff50027d4554aaf913a0684f3540aad8801f5e8133052d9d3
SSDEEP

12288:stOw6Bau3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:C6BDV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
780	alg.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
1108	fxssvc.exe
2928	elevation_service.exe
3576	elevation_service.exe
4204	maintenanceservice.exe
3744	msdtc.exe
1704	OSE.EXE
4616	PerceptionSimulationService.exe
3324	perfhost.exe
732	locator.exe
2128	SensorDataService.exe
3552	snmptrap.exe
2004	spectrum.exe
1756	ssh-agent.exe
1276	TieringEngineService.exe
1228	AgentService.exe
1632	vds.exe
1720	vssvc.exe
4788	wbengine.exe
1064	WmiApSrv.exe
4904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\556a6b2de703f493.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4EF9C35E-DC0D-40E1-941D-AB9119298CDF}\chrome_installer.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006835843729b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acb3c03629b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b8e9a3629b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003909da3729b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d94023829b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003756073829b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009662f03629b7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077d6ca3829b7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Token: SeAuditPrivilege	1108	fxssvc.exe
Token: SeRestorePrivilege	1276	TieringEngineService.exe
Token: SeManageVolumePrivilege	1276	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1228	AgentService.exe
Token: SeBackupPrivilege	1720	vssvc.exe
Token: SeRestorePrivilege	1720	vssvc.exe
Token: SeAuditPrivilege	1720	vssvc.exe
Token: SeBackupPrivilege	4788	wbengine.exe
Token: SeRestorePrivilege	4788	wbengine.exe
Token: SeSecurityPrivilege	4788	wbengine.exe
Token: 33	4904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4904	SearchIndexer.exe
Token: SeDebugPrivilege	1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Token: SeDebugPrivilege	1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Token: SeDebugPrivilege	1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Token: SeDebugPrivilege	1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Token: SeDebugPrivilege	1304	2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
Token: SeDebugPrivilege	780	alg.exe
Token: SeDebugPrivilege	780	alg.exe
Token: SeDebugPrivilege	780	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 1428	4904	SearchIndexer.exe	111
PID 4904 wrote to memory of 1428	4904	SearchIndexer.exe	111
PID 4904 wrote to memory of 4924	4904	SearchIndexer.exe	112
PID 4904 wrote to memory of 4924	4904	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_95fa5bb3782c655d3b94ac5b361cbcb7_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2128

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2184

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1428
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
5678020386e1ba6665258ee6bb5d038a

SHA1
d47cc6013802cef0b0981ea558000fef2edc28f5

SHA256
e237bcffad01e08d91659abb0b72af3d9bbad02d2aa0b8fd77b3a5b4327e26f7

SHA512
d67b5690edce8fcfa3ef171fbee89964f0738263169df3804f514353c16e8f75a0b3fb15c43907e5c297a8fb8ce1a9fc190254b527acd01e2445fb9c3f71a4fd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f8df4d43cf3574c91310d7d8d6739672

SHA1
f4e3d53de27c95e981dfc89a7a8a3c8000d36c36

SHA256
a94b3a204b7e208787faa6079cf0c8de5d6aae73105bab9dfa69892adb561ee2

SHA512
9cf613301353afee7fedebc4a18319dd54a47716beb7f424b85f97624bda5d00a0baaae6880e05c5baf4ee1e4da9d7945bba890a0719909f2249fed2149ef0ec

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e1d0a860f04dd93e7fb12054cecf072d

SHA1
fa2dc166729c01cb4f4c9ecc6404603a27baaa13

SHA256
c10fc2fcd5dce60bfd2cdbd07674f8943f4ae813d33ff8d15c8f46e225d15221

SHA512
396ab5e30171c80496b90e27b4a2fe095c68d0b1165366d4bc74fba324294dc666fa872612de86bec2263091bb0e6a4c50aa3e4c335a150265059162cc779373

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a9931abbb454f99569edcd5eb9240137

SHA1
a3d8a0f741ed855a02990b060627aebf8660a69d

SHA256
340102171451e671b8e0422ac7de8c3cf098b1eb5da8a33e32f442eda9c2ef54

SHA512
94a746c04dd439cc5dba9184af2728cfd69c96b1b2a7d2645bfc1efa0a37f889cd8e36b8bb92f7ed54c08b2df48478a2c24d4fba84197573c4519139d31343f7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ca5d4f20e122fc5fe2c0f6769010223b

SHA1
033d2edd7397793d4c8bcccd0111f47ef456ab16

SHA256
b253f824f918a6f9fedee8b1a0c2ded6a55f229d2cd469401901842f84867f6f

SHA512
6af259b5a57213f6cacbd8d7e32ff31aea6c58639265554ebd9e04a7f07ce5f0bb44476112892766896c66469c14a6c617620cf1aa5f80711e72e069d019c973

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
434c4dfbc894aba7c8dca384564ea270

SHA1
7f2a74844b8498613c0ae32756e88711afeaf9e5

SHA256
2a6f2dd55d650593ee96c764a1cae610f63242f26a005fa2375a572dfeb03daf

SHA512
36421c8fbd202dfffe31bc3a72fe7e0e2326304ce1eea80c8d04c7b8b0453fb370c587e8ea4556b25407c318ce57e25559ce678b14d2a9b12b3b8a0baa644e0d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b935a20a26aa120428a850e962e9af32

SHA1
4f1a72f44e765f213b88be72cac1c22d49634d3c

SHA256
d1e582bc1afc2b750e99d2586909a0cbdd8b91f860f219ad01c6e3ecffa7f50b

SHA512
ba18b28cac9ac547f4fdf832cc4422a70b687a82dac955d246c95cc0c56029885b435749d20ced32a4a26fc3f480d967d747ba2571f43bec04b6468e9b9bb72f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ec88fb9ecb2b81056f783ca4890daeea

SHA1
26767aef92b5b25112858328a7d461d6658f5993

SHA256
9b72dbe4cf5f355fadde6502cf63da70eb8b0843ff745d3b86298059c2da82d8

SHA512
b1e8d50f4e1087c19fdc51a45aabba6e81cc290b0d476cc5341ce9c55096a9e43fc51840c8fdf43c08bb337b716c6053cd1281f13ed17cbe293f77cca17917dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9b5fc849266cd9d2c8042c80f7bd9116

SHA1
24045bb0d48c38de12ff2196ef9f2d63a89f0967

SHA256
4b95d4c175875205d2e51236aab3cdfd7076d1b6f53c4b03b053852fe5ca59b3

SHA512
3feaba37f84adeaa28cdac77fac9bfeb1696f45dc2e532e41a0c0fe954e245fa9b8a34cb944dc9beb3d7cdcd1e01c4aed3c978616e48bccd4d7298a30f804a9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9a1fd2c5ef5601cb4f1f050fdf4db83c

SHA1
9c54827b7b3713650b6479f18fe6ff6829b228d4

SHA256
5eef849cfa89f17b42248f5f84f77d2d23443d93f5fd47c97147950179801f99

SHA512
93f941a811efc93aa719c0a800a0451b15bd20cb322281615ed523f2739fed88de3c18fbeef2035993616e794a1b77ec518da1967b994d5da44ec6f3e9bd32bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a523179055855034455d49ac126ffc35

SHA1
cda4307b6262b59a9b9c5c129fd4cb8968a7236f

SHA256
30d38d37a216035b3aefe4ddba6982ab3377fef6696c7108b7bbe53f93bfe811

SHA512
58387c4aefb246260f407c046cdce9bfeedaae13117a4770cfd178968cb832f9f9e48f4e8ca07c59f2aabeb72bc8bcfd8677c3a36a96de48ae95051175fff37f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9db8bbc34c1631cd21ccca33fe8cd783

SHA1
2e450de27d986af4923f317de3f3196b1822832b

SHA256
192db6ca3af4cadf45da68a705ea29eb1db9d5e9c0583693e2d9e20cce6e3c1e

SHA512
4088344816ec535a9593dd8ee1ccdf2c90f25944521a490705cf200670059b64dde6a702a30c8f5fcd93ea5aa9cbade3401dd364fd5ff5c3173d28bdf070c038

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ee9bb9b72c3aaddb4749f5111e0c80e3

SHA1
2cc66b54de3171ab85be1dd5093e9e3a83372ea7

SHA256
c0fccd802d5d7e8a357f3dcbfdd522f2f43908def3e290f38f9eb9506ea3a133

SHA512
f78ab4b85922871d3bc3fa78cfdfd3bb61014d15707c981e2d15c6fcfb3931d205b74c028b1507044388439bd4ed4bf8203da74f3d501bf38ccbe187b142df85

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2617f1277507b1239f111173413c2fd4

SHA1
61b3e892fb34ecb128613b8b1d1cd84681d3e229

SHA256
1c429d8b4cfc2dc3998fe5a2bf808d64633ef7e988337e962e943e3feae981c2

SHA512
6afac847f649fd6636a1ab852d2821f0e18e7ff288d9b71fc1289a6debabed110d99cb057372d228ff467fc70530ba1020ccdbec4383e3b1a3db55365af2023a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f1b315e9b494708ef29299d51f091aaa

SHA1
f86232ce3f85331bd66381ed495bb27f7ab31806

SHA256
8762c1534fb9c3fe85a405b35ef53f2ad5b1d6821cf7a74abd5081d8b791588f

SHA512
2dd9017cdd3feb153f97c418f712f318482d5e426c0fbed13d9aa29d74572d4b1d32bd652e6b18024d0040ce5d8b01857e3923c48dc80c44914c7d2d08e66abc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
746f9fdcf9c7d55fdd9b558da5bcfe78

SHA1
e17dcb3251638149868775defdd88f5ab85f3c20

SHA256
4f8fdcbc4a5596336dd2bf3780cd628f9136ebaf7c8d1025b66c3bbb9496a5d6

SHA512
02fe18b83bb98e1609bfcd7cb7578276a504750d9652a2b99da6ff53a372477eb6631e9ad0ae4cc27d82090d4a5c04d2d6c8730297be097b06840676bac08bc0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f9b977bdde51476eaa246b6cb3b2319d

SHA1
cbfe9b120f89c95733fcd8fa6763c959b5dd8ec6

SHA256
c05088765f0f19480043ff083b115c311615e1bf83605813db3c2bdb59125c90

SHA512
a5707186c14f3e3d2892370ef7a1affa2b4bff53ae368f375836bb75003bc406e3e53d30d10bd0641ceb029aa6c37aa25bcf6c7867298a491b16c85f9bb717e2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d06c283a325fd3f46f1cbe32115d3e01

SHA1
e55e5f0cf6fc957be9979aaf20ae60c69dc4212c

SHA256
1cf958cfe542165260c95620153d59c9f82f291caf74aa6b4efe3b6ec98a318b

SHA512
05c77e35e81c847c324366c08d85f7a650839379f1aec71413ceff31bccdaa319853303032c468fed247a62f90b8eef5778c25946f392eee0e16bb84c5736436

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
36eeb6b5f7ec6f002e32dc0ee923ebde

SHA1
37605c79553859383a2a589906c7c5d5ce8fb88f

SHA256
9d5bbc1fda7fea0565fa85bc73d1dee2c93c1986976ed661e2215ab1dfd89b11

SHA512
9f805dc11ec34e6bee0375f1ab38d0ceb25a468b92564f6ccd79b61107d2230e63892618f61e8aaf222d25f43eece48cafc1caa74b92fd0c9d81b8659e10fe3c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
916434fbedc3159afbd760654073f443

SHA1
31e0f72e5f2e619062779ab535444b9ddcf120ea

SHA256
1ba767bf6b35dfa7c1cba6a0baf5a5d51880ae9931af005cc9dfa93d5d1ae041

SHA512
d3fae85e4b031b9e80037b1421265518450121cb831a9b41e7f268a32ef9eb1c9431daa365856f57b87ec3735429c368128e5b80694822276078a2c8890e15fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d54bc5cd8533df0600c634715d1e1893

SHA1
2eea0e741373e5c1cbf10477408c9d64ca0806c7

SHA256
347099d9c58f6f1b5d5defd5d583f5e8f0b0e44ebd1a63f8159bc6f8b93c1dba

SHA512
4d1ae3a907458a5dd600a378ecced4a367685a3ab8f22947921bf96a6efae7939fb3e4e9d50f6d41efb236f586f00db28669b2f7a17049750eb586f1528fb54d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
350da323f9dc8adc8f991404e76a3b9b

SHA1
fc84adaf3c181da227d62474507e5c3c80ec6ff7

SHA256
8341d14e048eb8c179915da76ba51b241a5b6aa446e4b36396257e7f5ace3f9b

SHA512
8091cb497101835ffddc8ae2e39ff61e20f2798cfb7670d1b384b203c5033db24f5012d467ca8866a81261daa1a284bac6e10abdb672e241640374afe8b76bd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d07debb0b6746e355ffeb6032c1567d2

SHA1
9cc3bfe9c060925861f66f00433ee9e6fecb4a15

SHA256
d04eeb2e38556d6cfe52b7f03588b61aad97a9729e6d7f3eedbd21e6a4de4a2a

SHA512
b6294d992afd1377ae63d9ad1cdb2e325bc6b675fd10ac85fb2a00b3828b2b92ea119e6b4c0a5c6c16ff3f6b649c6758087e06962c37a1d782b960db9f1302d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
cfe99dcd227dffbcd622b497d51d061d

SHA1
81d52ca392b841a40b2a30c55b28047ec5f2bc65

SHA256
ac011e549eec444bdb7ffe579e43bbe6da7ffa3bfb0364aa78d332fcadeeeb28

SHA512
7f59c4c369e837b60716b9fb3af33e583a877adb4fac93a7c4aec2beb4a245ca537620fe57a93addc24d6b43d13a56929d5b57502b99ffbf029779868d97a4db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
aa486cb39561512b32d8e839bbd7175f

SHA1
f699f0e3e7b42644fb851cbf0b965f37ae5fdcf9

SHA256
87f1956af65b97af8c6b1a9206cc198cd041e9ef2c8d13f744d82c48245ecd52

SHA512
faa4a2583f82728faf6049e8d6a1d8317183738748c921c79cad7996c565ac60948494975b371a3105b1c32cd7c342d02ff57e9d9885744429b9a2579053be80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
12fcb10b4c49db55e66fd248ede137bd

SHA1
0ed1511ee91b1fb6738770ac22cdd25d5afda55f

SHA256
c2e71cd6e6c2d91287a00fc4fca40d733188ae7b5065b8a93236bbe87416d228

SHA512
221363cbe57fb362758942e8e84ab222cd0f3c6d2b4ed4784ff8e86a7b46394710fd1dc4ff88c27d90ee6a16e0165b031ff7848aaea8f285e16535584cecf948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2c6a91fc877e588c7d8b97fae3be1936

SHA1
d9fcfadc3b9f90f6d3d20dee22d0132971c73cff

SHA256
68db6eaec6bc790cb549ddb40d55d83916aafb994be43ea2068ae8d6ec1f7e99

SHA512
c918461620c9ec99bc365642581226ac1285494fb80975725a617168ed8f60eb43e7bd0d62fd45c293af0db422ad8682ab07a83618c3619677ac465fbad52981

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3113e548fca98979fe62c5b237308f07

SHA1
4621edf0a7c2e32ea22b533764f41b14ebd3cb05

SHA256
e9909f72beee677883e2f2120f6908d91d42fcbdf25e75ff8b6fc8db1e344cac

SHA512
bb5c400a8b2c378b4532fc51155600fd8d035a011497196e22f8931a6d82037d116ff9c4ef3d55baf5ce5b2094fb61b7be8835179f9412d9c15946a580380986

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
34b3880f61d2783cdaeffd3a00373016

SHA1
c38b4becb77d91fd536f4b24f41637fa76f86755

SHA256
5595be94028bb30b53d3336497be548e0a7dc9e1d0e304df7c2392f72f9aebc1

SHA512
73893ac1fa189712dd24c0c54b13ce217e4354fed56e867199e98de9c05b40cef88d3995ac748c9b4189736a86ebd46096a21f589f45782903306d1c6c3b312a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ef8d25a9976a455f44fa2880b7f0a6a9

SHA1
0789a1e2c0be6e23dd0926bc3e594fc3518c29e0

SHA256
12422d65c12c53c009ee145b6b2efd66b3c14affb49b4cf30e56e40d7e3a0166

SHA512
5229df8e1148cdca00cddfed1465ab4f49e4948f9908771933ffc92ad3be602c1306a8808602654ea7ca9bad4c8855fd53972e9400fa7d75f252ecb4cea0cea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
72218cba2369a4fa7cc55426a3651df2

SHA1
bf8b8e103a8a5c1e9ece243773cf871ea7cfda05

SHA256
1000dd5f2a86f902002abbf23c4e256f03909b0152a4c12d758fe303d07f796d

SHA512
5f870638c3fbb87e946acbbb28cc05f26e047d31e75dc521a343798e645dcc04d33c900e9fd1c6b3249db9ecd020d1059173c66536667e4debbe5f8733e7bedb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
29b4868b8321fcec8360efdaf9d69611

SHA1
b8c1662fe722000f3ec2ac080c3ae09c1317361a

SHA256
9c82e7ed51961503762cb5a1717affebf85aaf51893b37cc1191977894fec737

SHA512
06655dc70f6135556b50f26ffdd7e2da32e50718cc11a1745f2b696911173f3f04a59f21f18e984cef947ee88713df3f670ae50c32931db7765b10cdd569fa98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b8eb4ad716f229d364bab748982046ea

SHA1
1930770525ace8fb8ef3220f8fb5161faea0dc95

SHA256
ec17ff4ad447be2253a8f66f2a51e31b1ab8efd01fd1041b9b623d336118aa7b

SHA512
c8b151c186b19e0fdcec26c44f1aa9009e1ef2957e2929b9251c8fa0ce387ccf526141aac1d5b1ef2ed5e1bbdd6a731a278d178a1af515120ee98234249ad281

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
76759c929a5692b680a8927c8231704b

SHA1
3ab63262aff24bf5d2ecbc0e50255670a04d7c12

SHA256
8df8f56e8edb24056f3845bc3894e3d3c0d904c47b1cbc53013b065c4177f566

SHA512
92999750e5dffaacabc2ba10e340169c24a1c5dcafbcd1a9a7869b1a44aee862d800240836d0502363a53a443ee082085ea39d243097290b1150f52da6e03192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ab0d12f8dde91f7a362ec7bed1400f36

SHA1
a57bafa34f1e247632e9ffc919bad70f77bbc785

SHA256
649566f4b1522fe5ed6e386b328137f6d166b37b68650d3fea0fa06db9db6650

SHA512
9ab6a3a440359a9399f0ff45a77a5623876c9c87fba4807aacfb55db09b79ac3923783b9f23fa7ae6a583e169448f2acecdf5316b29c8f6b527c9310c0831d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
15141b885192706d633ee5d21ee7f829

SHA1
994f2d70aa238401da79202c532829f2eb6a9570

SHA256
b17a2f59708fbafed1310d71ea735efee7cc4f6d5ad96e650a7598087029da52

SHA512
4cb9827fd2963c43b44dbd03fbeb8e6c8006b3675ae897f557b553cd43931a9f5b2d5eb5f9d239bb99a0a4c5804b2a7023ab578bba0998cbe889f70ddf1f15a9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d47783bd0f676ef8e57fe9129c083ba1

SHA1
728d3f65c48c7d6bdd03f2e87bc7c8516cde12ea

SHA256
79fee7ba86c85e2330f5a9d72b0d239a059aa1cd07af364e3cefa649ba54f3a8

SHA512
b37b51923627cb9532a09e8d76e62a32939d923d9d81d1a7e5fa0bc27a981e0f3c79649a75cc0c1311b770c5f7f7091dc3b42e07a9e40b73e245368edee76feb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
479114d7455b8fde34107521da40b8c5

SHA1
2f0a78a3d85576c47fe8deb40c16da996aa6a917

SHA256
d1c314ac53fcc866bc7313da38f0d9feb219992553e1d1f244787de27d51fcad

SHA512
001a1de8ec23abfbec30bf8c15b2034ec14b9b952131bd06fe7fce9cde3dc30973099fb87b20dbd685045fb2b903eab05f1d0b792908fda8298121c840c5ff01

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
bd4e438d019498c8a6327878eec7992e

SHA1
3eacdabc3a0b429b5263a86cfd1a68f5fc19f9c7

SHA256
50765bbded6fe8947754049b3fe2ae2d739b0ef34ed31b8b27ad1bb58cf78d18

SHA512
16e83203765417b4e091447b5f98c0a10f9ec385f9ff838c4df7848f57ac49442088587b218157d020a9c2fb72f7a8267e6b256cb92c0f47e32b186f78ff1529

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e37167e8f2c89a9ef0a0a1f5036b3e88

SHA1
1cd5e258f389a61f0cd3fc806e9a14e3cd7411d9

SHA256
9f080425e7ee7d70595e7f32672bd7f470611068311420a74486021a9b41867d

SHA512
cf04f05ea9e05baf42d17b650ea6830ed7572cca826f295b8eb93cc417c75c49a6dd5eb9b224cf86df1157cf7ae1ad80f665f9b2bc87a4a3b25ac24dd68c83b2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
353989eac62927b010ca708bd160b6a8

SHA1
17442cd229073e70827d138139c30a2a24e358a9

SHA256
4939fe550d13cfd4bd77225799bed5573b7cebf09e5f1fcc8c82b09b74e8c25b

SHA512
5532b6f213614853e92847581fb15294a143872c8233f198f2ee95c2cd9f4c7d029d3f72fa0fa6b69acf2d4c0cfaf785ffcd340db27d395bb9f1dcce1cc32f25

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e7d0ea9af3c7968afb192d28dd325de

SHA1
4893bdfc9db909a4bafb7c83491dd3aeac4605c8

SHA256
fdff9bf0de6361beea8ae82972111521321f5ea11499935fcb88daca6cd67bf7

SHA512
1b82db0a1b058e060a2f93775ccbde9a75d0772929eb669c71a1266b2d7ccb5c2838a7a8bcd87f54591373f641412f5a776403ff8b333fd5aaed38fb8ea48d6d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
eee5b8e08e12df555e75d80cff6ac0c6

SHA1
cee12e7b12f52586500a50434c8c9136016545d7

SHA256
cae5f905c6f444af59f83c2804a5553b10254d4193d16eacd2e18a10f543632c

SHA512
ea365d12757680fb34e14bed1da3d5ac034716774d7f658873a3cc8bc7b32207c8bece9d8643e31280dba9232b22924a77da5a31a86e567d6a9ecf1ce512f108

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
66ef1cdf86fc93e020601fbcbf3b9f68

SHA1
cb5a8375d3984183a9ee1ee21ee1737a48635f13

SHA256
e8829c01d705e49310592e063837a1217c9670750bd88ca015784e5a2f8dde3f

SHA512
2fed3761dbc18060ca9cafbf37dd9451319a8554ddedccacbefeab4d88d42a64eefc42b3439387f2418bbf510791bfa3b2d3d6373cd3c862b0d6762f74381be4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
bb985bf2310d3a49178c1f9bfdf39413

SHA1
1b618255222270424d979866f0a9f8fcf41fc12a

SHA256
7d7729cb045424e68faa4700a11df4d64b022003e110e3e15bf5129089f0d416

SHA512
d846a8a74c4b66784be17947818713fa36f67767d43cd684f1968fe2047f3fe39e136258c5f1a60db03a12b0ef602f1fc1086879f122eb5e272be2afa040b586

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6aa503bad9d432a5bd816155f737d733

SHA1
e8726c93fd3b4fb9ac40dadd87d2603eb4229d86

SHA256
417de19fd38e7f0ef3f02c23062e6a782410a3b71c544505190411f59bb67d09

SHA512
c636c9dc47f6aa8f7d0e1574f63e60bdbae44ecfde039eb67cfdc8caaaff2f0421f91ddd1b112a9ff879ba278cc817f5030f808f7c083be66ce653e5d0483fa0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9b654e94625c96776750e1a243447eea

SHA1
da7f64a88a84964825816e8ad571cc4a8def7b53

SHA256
cf7c023beb04fdb9cfb2e9a75754308cc1df88ec860c2034c837a505b781dccb

SHA512
c067a282d0d82b73dbc7b2109bb49369cf3641b04d683c65ef0f2db0da969d897d361069855482636160d3b525ef3dee7ff8f00c5eeb9d377370fe40e7193652

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f82a59c80a8e965da94b132f3fc917c4

SHA1
5584bb871efe1d114005bda6ea4b292b44d13612

SHA256
67ade0e4e6b58dca71248f3343cd7bfa8bdf81137b972899bf9a3cdcf5878c1b

SHA512
b4bd7dd599c3511f0f98d6364999c30b5fa9fd54c9f5072c7c93763f93482b369961b7165c2e5f023a3c2289c8f02f51c351e27f8d9ddf8ab9b60f4b9d5c5957

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9f6b6de4800375e82bce673394705854

SHA1
3b229561dd19a752ee674e8a0837951467ce24a4

SHA256
e0964af9c9cb88d29f2aae0750e1be98c279c5900f192d924098531dae098753

SHA512
f4bf86a2d60805c1b8e80385dc0cbd731e0fb3212950b4974dc69c18bf5ea12d1ebdf4af463fa77ef7aef6fc2855b0e583aa7b95d7ff8e43cb9634ea1aee28ae

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
951159a5f2862d792d29bbe82307f871

SHA1
301a6f374192639b4ccbb81db6713f5c46d9aa6a

SHA256
82093c8809c9114149fb361c57b7615519aa6f60254767f5cc63e0169d4192fa

SHA512
1abc87026ffb0107df08870e0de94595c34871a6788dad934d9fe313fd01153d1d21d345caf8e815d4e5a459374824ea73cdbb15f347ef69e6308fcace5a17a4

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ae36c8eb684395701406db9bec60cb77

SHA1
e97d9806a083bea1e197cdb394e7b4e73ecc7c31

SHA256
42cf02762026f3ebb644156a30073efa74d8124bb50bbb324b87657ccc5a4dc8

SHA512
78b48dd2bbd17b29b7611fc1571bed5c1f8ef0aae11fb160c97082b371ecd81ed4161bc48f323ee569bbdaea52d84a0fe7ffc72af3e6da85d5c6c6d73c8a34ff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
417bd767951680cac2d5887518f6abff

SHA1
82c6bc833d0306e5cad043d797024198abe41837

SHA256
a13627989b6f7f0fe9a36d4ebddd4741a5a4a5256536dd71cecdb8975a0f2bef

SHA512
5ef7a20f9bf4248a6806bcd7357ff0e05261b88cbc02cb749f56027fdf07f38a8dc7031ccd36b0f7507ad2a9834d618630a2371944f66491716eba3d53a73a77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a4d5d21032e910d8ebfd3f464c88d953

SHA1
cb25872b6a0e39df4f2443111c3356c6e7e53154

SHA256
b829e05f464cfdaab69120199a2a20a74c7576178e5296a6e2aa408a1533ac43

SHA512
a34de9b881809d7ef1ba12bc0278d4f7da5212518d733bf5d51624a3cc30998f51d2e68fa6d1fa809e65d75ab8019dd5f9856108425e3ca3028ff822cf33ac66

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b55211bb278ede5557648cd857d5c48a

SHA1
98a731ec0a5b37c565f03107c78a0fd4ecb2f866

SHA256
fdb2515b634f1bdfd319122b5cd79a45de6afee0773d1a53a4f0e18a18a5356e

SHA512
0c064e8665a2052100f4f15f07b2653d490d4699a154979a090359edb88770666c478a74fdc59d3a77a7c0b4de63b48d004fb584e5c3a95c2c7ee2c0eb4d1a17

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0273f7a985b2137f13447c76a6813f3a

SHA1
f76228430a0c462bfdabc12a35af376450180386

SHA256
8452204d82a9cb96639a809e9793630f509019f11922947f7bdccb03cf08c5c1

SHA512
6ff186fc9e2b751fe2b417ad123530d93a08f3a2f5b18b328098e82099080af97bc514240811ec7b6df80cb1451602a3cdaad0944bfa18f7948b222998231c64

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
750f990c35ecd974fa07c167a5037b1d

SHA1
897ed99861fce0e0c7b0819eaeeeedc95774219d

SHA256
c991f9380ae63eaab75572eb32afd1cd5838cf1a35089e964337af82d87b7ce0

SHA512
9d41ecf43d2426d7d0d1113e066b6d7de2e07ad658c375211f0ccf9cbeeddec53b5a1502782ffdf4061094a7b4a40570cae95355ae17a66bde3949a0629f5469

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
97e7994dd07d58fc0de99d177066329e

SHA1
b5eb029df93ea8f81cf3670e79d9d816a9726314

SHA256
39086459e6780bbd6d263f4693ce92a22a94df0e31d1e9df36fbc3766458edd6

SHA512
4091a7e9e7eee0ff61144299b2bdbfc795ee8f2592d9003c498de44066c9de4fce110bab7d69f98d21fd17f8cbb1ee08db47721c08c7e6631e40dd4a07cf0bc8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7d726771fcea6df643136a497a345dce

SHA1
1909825cd256fd594c84015031db22cb78f3639a

SHA256
8f2b4b0a5bdb950523be9a5b34d992cf47716c514f933d3860ce934a0dc890d2

SHA512
d084fb17e0eb10836e0eac7d427941b850cea1c81de2d2d849eb790028b42f91f3b9383ad446adcb5e9fefc7db052d686005a7b1e259f5a77b6c7585e50f5869

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
335dd06a4ebfd8bba85eaa192dab3e12

SHA1
e0691b690fa979b4f00db72e1b830b09416e4d5b

SHA256
1e5eb024697014caadeadda3a162a23086e3928dd259a66592ced469df74509a

SHA512
6fd5d7a46a609e6cdff908af9be152ab50a733a2e861f3ed1fb00748921690ecd5a218c15a98b701d9e379be494a258ae85401448520afab313bc6fc8f318ae6

Download Submit
memory/732-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/780-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/780-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/780-158-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/780-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/780-18-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1064-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1064-546-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1108-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1108-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1108-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1108-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1108-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1228-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1228-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1276-540-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1276-204-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1304-141-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1304-6-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/1304-1-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/1304-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1632-541-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1632-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1704-143-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1720-542-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1720-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1756-203-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2004-202-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2004-539-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2128-472-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2128-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2928-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2928-253-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2928-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2928-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3292-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3292-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3292-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3324-145-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3552-201-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3576-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3576-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3576-274-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3576-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3744-142-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4204-80-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4204-85-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4204-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4204-74-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4204-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4616-144-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4788-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4788-545-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4904-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4904-547-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download