84ded7c9e00e27351147bee3d2aacb49fc4d7bb62f8b905798c7fcba45e390af

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Size

712KB
MD5

8ee7188d8a1c5703fa99500ee84515bb
SHA1

a078b89d2306298bf411b81a50f697cb42f42ddb
SHA256

84ded7c9e00e27351147bee3d2aacb49fc4d7bb62f8b905798c7fcba45e390af
SHA512

47d40e0ae00cc3dd447331e3d2d00fad722f83162bc45f1735982d355d4951380e0f59f20a4351ffe74841ae2ff63e7005a6b9a56cb54e225061892e76e4442a
SSDEEP

12288:ZtOw6Ba3lnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:r6B+l11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1372	alg.exe
4988	DiagnosticsHub.StandardCollector.Service.exe
2112	fxssvc.exe
4004	elevation_service.exe
4024	elevation_service.exe
1328	maintenanceservice.exe
3132	msdtc.exe
824	OSE.EXE
4428	PerceptionSimulationService.exe
4916	perfhost.exe
4852	locator.exe
4732	SensorDataService.exe
3444	snmptrap.exe
4972	spectrum.exe
1176	ssh-agent.exe
1572	TieringEngineService.exe
2408	AgentService.exe
2300	vds.exe
2476	vssvc.exe
4792	wbengine.exe
1956	WmiApSrv.exe
4040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9bf309e8e703f493.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee59ff6030b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a30905f30b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6e4e96030b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9cacb5f30b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087fb9f6030b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026d9e16130b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087c7096030b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003acf146130b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002804ab6130b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbb1536030b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Token: SeAuditPrivilege	2112	fxssvc.exe
Token: SeRestorePrivilege	1572	TieringEngineService.exe
Token: SeManageVolumePrivilege	1572	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2408	AgentService.exe
Token: SeBackupPrivilege	2476	vssvc.exe
Token: SeRestorePrivilege	2476	vssvc.exe
Token: SeAuditPrivilege	2476	vssvc.exe
Token: SeBackupPrivilege	4792	wbengine.exe
Token: SeRestorePrivilege	4792	wbengine.exe
Token: SeSecurityPrivilege	4792	wbengine.exe
Token: 33	4040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4040	SearchIndexer.exe
Token: SeDebugPrivilege	3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Token: SeDebugPrivilege	3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Token: SeDebugPrivilege	3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Token: SeDebugPrivilege	3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Token: SeDebugPrivilege	3344	2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
Token: SeDebugPrivilege	1372	alg.exe
Token: SeDebugPrivilege	1372	alg.exe
Token: SeDebugPrivilege	1372	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 4032	4040	SearchIndexer.exe	111
PID 4040 wrote to memory of 4032	4040	SearchIndexer.exe	111
PID 4040 wrote to memory of 2616	4040	SearchIndexer.exe	112
PID 4040 wrote to memory of 2616	4040	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8ee7188d8a1c5703fa99500ee84515bb_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2248

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1328

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3132

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:824

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7b96b2b5f38f63a8ed008b3b802d0c6e

SHA1
2f2d4b6a01c25ab66b59072c5cb4251f89fdd067

SHA256
89287c9c7bda8a789b1ed16be49303232ca32c650529fc1d208c3539056659d9

SHA512
ffe707e81370564dffafd3f4d311760660893770c84d0b42f828f446c4c1a81add9718d52cda9285d565b4b277d2d92a0e855d88f1683505cf3e9400c84e655a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4a1fd802217dc36353458ff63df29381

SHA1
cd18a5303de3ded18af8d68b1b07810a191367e5

SHA256
0fdea0a320182ddb26569f45b012b828fa3ddabc4a3a76a8a90b7e680d50ba0c

SHA512
5183630e762ce58e636575130bac877060ac94f1b0227e424403791f19a2fad22e8524a73bacef168e985a53776dd87986c35a04089c797053389e7edc696b15

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
42b3cc71874d6f58b96990f6af7d432b

SHA1
a4033de4740220f0c972dedc541ab813fcb1fcdd

SHA256
637972cb736e990d87e28268620ddac616116da9969aefbb9a32ff313a2cde66

SHA512
1c305c63ffb6301c3e7e730084bf397bbce33dc57459d628f1a3a8cdb1face44f397c170ed7970976e0a24c6afccaeaab7126989530b0777fac5ac7f2768e070

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2718b4918006f56eac3d88d951bd9a6b

SHA1
7e074548f538aaf23bf0028f471d7d4b834cfc86

SHA256
dc77a9bf3f08586782132c14139e3cbec8cffef1dae4ffd85809d142ea805e66

SHA512
00fd5804f1e344173156c251d55c9457a83c560fe5af9f4c5cb671e9cdcd9c12ab262171bade966f64ab3260a3a87e26effacb05f1b309b2c15b798e9e368601

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
782dff3260d7c5b5ac27e393d1d1f581

SHA1
e3d0449d0d973f163eda6154ded957c9e900c33c

SHA256
3f53f73da7017b793c5d2357961d817d49f77d1650e1c1b3944fe0387d9cc34b

SHA512
c73d2c58469773d54e665a0337ec29cd3db01b245f6048d5faeca699ab0a02d4127e099c316ce34e03930e916f8ee0e8d557f21a2d72abf093fca2541bf67788

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1567c724025d9988ac54519ff13e0f74

SHA1
05028ebbda8e7692d62b24269e79962ff007881c

SHA256
989f170808f28c301214517d99218e7d0eeecddd7ee51290737e23b172114777

SHA512
414f2eabdc1827a38c7fe7b5e0514d53120ad9b354127df0e458a88332d7aa6fba883d83d1bc9360d7fc52e3e517e44266e75ed13ff037cc117c2fe2c0f2579b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
41ce8bb47386d071644c17e4698ee001

SHA1
58c30d6cc91e6edbc98fb04ec384195795fbe5be

SHA256
ba2e55441d98b93e232f61b02cb59f3244b4ca422299e8fd3b0e3ee864a7d163

SHA512
7208f34b30f19abece9b592d870cf0b0a739a9d624bc0148218f9fb9da125493e755eaab6e5ac93c693cf8cd38416e3d156ace3375c4433ac4aee811ce73a5d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3cb9bb522e2b41e7e8601889bf5d1565

SHA1
27e01e410c4561cff2de47e380c8bf58c3ca6d0b

SHA256
20700340bcb21cff49e42d983281b332f1522c6c2e69a4e524b0bdd48203d9c6

SHA512
fec9ec778fb84531669a533b5ed381687901003c92a0dfc03c9fb9a489eb9457b6f764dab34fbec6673f5217f3bea737c4794d8cdede64ca746a6c5e967f52de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
35973711c385ac986ec739c733b82d5f

SHA1
c2692735b185390be61d4012da33db2c083d53bc

SHA256
a07541a93d45e4390ab6e62bb3e9a71c68642c2829ce8bb0bfe8fccd76a32680

SHA512
204ce8fcd107288128ef6b6313a708ed08c165a10d610d8850b2840e49418d51aa206b973d27ddcbf0f58bdb30033d2511e92041eab2348b6ada534b98ecd261

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
12c9c730f2da49ac369fec50b69e84db

SHA1
657893c195320ab1b952a9fbc4ede5bb9c278acb

SHA256
7f474d119cf549d9fd36e09fdb9e85ad3e6ed12f797945d6597c472f7a4d5967

SHA512
b56a609db4f6344b9b3f1a812a169b2439257acea128cfd600971990deec4d3188e05e87ca13cfba17b1646484fd81e8967a17c2be1507e94af3c4c88e42782d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
add317a12017137679bf8bf8c02a1bf6

SHA1
33939fa21f894b57b950242fef21dcaf25067b5a

SHA256
9406a28336806885f8d3381316c1cd3bbc78c56ef5fab1cb08e160c8a2b2eaaa

SHA512
57ab8acee12f89ce883dd95a6cd07f92c8a21ef6103f8fb781720ac29a3ea273d7e9b83ecf1c5cdb6768cdcb0072f9e32d243af728d338ce06994a817a63b58c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9dd6e487c6fa12a074e657debf57ce6b

SHA1
84e237254609287cac8e68a53ee289fe50da4a43

SHA256
b2a4498570e681190bab5e901cbbc90e87dd4fb1c91cdd4728359955e0254d60

SHA512
05debacbce06fc3cc1c3a5f6c4bd153576165bcefec6ef8d1dfc7c46353b71562d9e3e2e48dd55a9b82419a5599c3ff0938f2a88385b1e2b2deeb081d2f8cf47

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6fb5c048398d14caab1361aa191523fa

SHA1
518dbf8c44724ee90466306ad0e64b95ce49fb10

SHA256
3df2a4cba2a60c5e7b030bd1d99f1639c2d2dbe27c1a746888e09ad6d2a353b6

SHA512
5be312da07f4e9a67d41d2305b0975c7494e93ec8d5244652477eb920145516e9629bb0bb909f20f0f7a7f8c834c9e2d775ad32331c4b3db3b1333b6cd80684e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
10db406bae0fbc0ff4153e56e1c88c85

SHA1
968185ee6aaffbf9ef487dadd15a98243d4706db

SHA256
66087a4909bb0a8160e5227fc81f728b966d8eb56cdcc1bf37653e8d375cea60

SHA512
afe4c9185f306cc36201af8ce4a455ff74ae0a3dec860959285b2ceabd741561c59fe2b62a54901d1115d841040f1b9da439ffc2cb6d35143d2ab5bd4f27cc72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
abef7e68368cb02311a963893bd3f7bb

SHA1
e9cbeb9bd00aabb574d9949117a0842b1b790e41

SHA256
4f6416f0271c4a655c803b399dc856e5afc77e824383d3702c2658e73b3ecad7

SHA512
5e4761330c0d4dbf2d0fc2527d02434f4845a3b69421ddb5269f4278157e85b8e4c5144122e356524b7e7228dab28750227a4e27e9b1dfae92c8f2a3dc7df20d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
982764f79dced2095834d87a0084645d

SHA1
ce03f74bf61be86c7cb9e5a995f8760f6ae83f77

SHA256
7165b35b4a7a2a37e15639d18062f693a7501dbea1eadb8b4365dc43529cbdfb

SHA512
c38c6271a60f09c4a0602c253657fbd2917996dfb1b328199d6965548dff580d12e1f4ca870f70d6cb566490aa5a067e9bca1e3debaa5bb411268eefc88d4d22

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b3d6afbdd6162d6bd5f1494de28fcb0c

SHA1
5cfd20b74ba2247eb867fa38461050965b653c5b

SHA256
6a750e1149ad5d1c04e294d3f4bdf339c49cc9356e71bcf0338a5d947a287901

SHA512
442f0abe755f414f6f823cb4a04e880d1be4a46a3fdf0e98c4088eff4591831c84a9abc0aee5609b3651bdebf4bd1a5e5915748895af893218a7eeb5d7cbee99

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
90788c9edf4be989ff32b556ed0bfebd

SHA1
cc1f8ada4e696d90d1e70c8a198e5e9021aa3054

SHA256
19e1b27b8834e8b22bdc0993432d9f4cfb33b5ce98e3c838ee96e89d110be53e

SHA512
633a06ca30da334d49a54aa9c08e9b8c66fdd0afd02019cdbc9d25aec8e783bb840a999da57e377f2c1829721c01ca52d0e1a49144c13d1447119020c8c8da61

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
57f36e03cc6094b284d0eef7f8597e8d

SHA1
3c78bd05d04b5e4f20afc26fea1cfc8f93a0d641

SHA256
bbb3ce3fae4266221158bf1032c21bf3e9ac9f096127891579cd72683c6f6221

SHA512
9c21d1170605cb32df8bd12ef966b0511d6c3f0f04260be137deab3c79bfb27f81b54837dd452c0d05bc598212e41c534edf8f2a53dbda11bba09f5fcc636db6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8ccfda3b6f8c3af6ea87fe9d9c33fecc

SHA1
e34aa96184ab3d185f823acb156a20261840a68d

SHA256
0ed9e4c4be18280a6c066d69b677455b6f96ee0eab33d0c689f4d4da0790fd4f

SHA512
cad488d9270bae1401eb7c28cfe64e5c8efacff4390ae48c35307d8b65b4b54c80acddc1d8b8c320d388093c2702a277c903adb6def2765bdf95025e5764b889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
594ce08e803e32fa0abaa6194cfd1040

SHA1
394f3703103ddf1bd0a837e32556f4519769095a

SHA256
ab4efee6b8ce8d6de418ab4d065c0b16431f2d4c50ffdb6f2b696ac51094ab22

SHA512
3094c7e22e2a7da86a5ef629b7679b6b80f422b77b5b69f5e5069b6202e848c1b4419c5189073569fd90750d419bce8f0ffbeb9cd5e6091699d422d5dfa3130f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0ee7baf925d7e797c3e0b87fd0f85ad6

SHA1
158f498ed4f24242e9c9cffd24898cff790a16b5

SHA256
f53f05c9800e77665680f9ea81467f255746ecf1db1c1737cbeaebb696806e55

SHA512
88e78e950b440e4e2fec87e56810998af285721c21c6d443acfbbbaff46d97e20b0b9c45acb49b1faf9079ec35ab34ddd74e5081cdf4fb972ea1a909f094c4df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ffc14ecae10d553864f4cd5d1eac9047

SHA1
e9b80b37ae50ad2b9232a3008c0b5519a26766f5

SHA256
eeec278161c974fc2f72c99c354f36e1176258dc9b5227533725ebff4848db11

SHA512
12323fe26bc60d50ac3724199b1959110476706ca30556e4486fe2ad8c724fe67247ee60c3a7a7c6da3f945e1706959c50e3e2bf4ad65826eee4875f4b7741c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
40c1c5e23acef47a6cab2b3ab89a8230

SHA1
e25f09ac00a117e196ae6a7591b914194145cfbb

SHA256
14931fdea0d5ff77800723d2e01ca7c5d4b273f61065439eed88a15bb1f3e6a5

SHA512
fc0093b6dbc888bf8a4c465fbed7a60f567b76abd76ccab892e7bd3519595f7981bfaa7e78e0da9ae92b440a44c59f31995f0cbcabc498fbe7e11459d8dbb9ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
5d6e6a780292c8d649bb29b7a6082968

SHA1
0043801cb95dc90d5fab3760e8f9aea3459a8135

SHA256
fc36d28a96256f3e3efddef02737b98fe8b5b042b0d81b11b20da4380f9082ea

SHA512
f6eaffc9f233641062c1348e9971c3f45a707cbc252fbdfa578d89b5c0bd7e6f2544dc6667b7e956e14fbf1fb07146d77e130db77587d1f8575bc2a6e8f2d833

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c50f2521ad72892c78e28cfa0f7313fd

SHA1
6bb8e80b32bd99e539e3059fd2258e212b69a5d7

SHA256
c2be6bdb7de5ce5b10bbfb7540f4580c3048d624ca40806203a811266f34eea1

SHA512
1c677c33b11102e07b591f022d3eec13080441fcdaf867b8e34b2dc4e1538679f491a0d19136a11293cb9435a27450b10350ba49e26e966e042c3184839a8027

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a1c5c028dc3b5c40129daafe7e2896d5

SHA1
cdd3444db109b8ecad4357dfb708324b848f4304

SHA256
00c5d109a0464a3897a905443ce244fac162483d8539520fb2b4d3925c141058

SHA512
c1c1ffbd08fa963342244dfa8828c35e036295cbe2a95ab6af282d8cd1072b8f2764e9acf87640994ca6e7c6b33d8f9438547cc0f168ba6593649f1c175228a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e5af5cd2ecbb784822df562b809a681c

SHA1
318eace4fde038eaf8e0eef02a4d5d2150a79f49

SHA256
3e7fb7141792f6ff5d82458055cab5982af30b79d4435d35d603eb831532c393

SHA512
c9cb26ce1f021af1cf3cc5d9ff82466a31c46a31784f0244d74f70a2a3519561ede63a2be2d6d35756b6cbf15c946bb4e9414d46803c2edfda337f4dff03ea86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7b51c11651f79e27a8ed450c9dd2ba76

SHA1
85ef662cd7136b2286d7ea9f4dadc997a83595ad

SHA256
eab22a30256a215b4020a74eaa08a9ae5e1dfe5d04a47192e7aa4ab407ebda7c

SHA512
83e8fdde8a5c1a4cf8941bf58fb4411fa2a744f916f0b81897de39e88041d6d1e2da00e9542f9e92f0ba9c3981bc148bf1ca8c35d1a1098951ca936244d59cdf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d8ca8a3a24b0c5ee209e78dd04a85afb

SHA1
7dbfe920bbde19505fee23412f7327b145e781ef

SHA256
41f8c18ec6ba514b1dcebf24df93e7146f90dbbc67781b255076a1befd6cf782

SHA512
9fdf5c8c9c4d49343608791f3ac3f6fd7ff8f4aba8f22d2642a9ec0c4ad497d92454244c6cb683ac03e8fa6c20e7a93c93e5a22b069abf355884418aa7dd29ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a235d4800c74d3ee18e1e8f80a6b2a28

SHA1
09e2f6c283ab3159445e60d0d7d7257260ecdec5

SHA256
3d733217e703be5a8e25f5ba9324b7b8828ff68e7e09519ffda746c469a42fd1

SHA512
613f65542e04d8a85bcfc9945820d74ac0c500aad01eb136edffb58b1aa43cee796bdde2442d57cb77739634bd39656ebb506652f1187615c7cff56480405e7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0447eca13d552162b12c93610cf66d40

SHA1
27b122f83025b11ab2b3c2c9bb32dee01400b5c7

SHA256
5f89470a177f5e2105adeebf34d4b6a8d177335be0016df8605be23d3351d529

SHA512
895efc984d4e5df2d58e6e09d3646981a375a61a73cf56842c0d14e27cefda7ddb41aad858c7090b6b98cef5f2b541b0cdec9e0877d50d2434aaed1bb7252630

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fd5ad6ba5f76db22d0fd8f95501cf59e

SHA1
6b418cd11cf8d010a4e7f14341c44f662dd560bc

SHA256
5681a630639dcb6a03225bef12dc80e27f33502f022a6a71e6aafb18e78bc642

SHA512
aa1f20afd6a1c72129ac4db77677509af49fc51eba23553560c888d0b00a3d300c2f534c10639632500d28f5c4a80e6f682dcd76b7583de6d0efb0378a2562bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
29c85c56625c252292cf780fe48534af

SHA1
c098ec0d08857fe67892b8d23b7a5b38874b9b85

SHA256
1896ec838510bf5e8ac944158450caf8264d4414fc77b7108b4cb3699da1dd95

SHA512
6745fd841bd16431ee4fc27058b090387d52fc3fbc5f4dfe6aa3d7bb4018d060ffbc076ec4fa07c94bc45fd704a27287e9ceabababeabbc8ec428d9beb802ede

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
bb983aedaa081d85ea9d550f6bd6060d

SHA1
a7c5ba459864c8ffdd5e830e2dafd6e6cf6ee051

SHA256
87b6087934f1986a7dbb01d7c3189ede425d337ef540e160805b06009f5d326b

SHA512
fbc9424cdff38c2ec403a35c251d8caf141b7ef3e033fe273ddf89da40e67d03f18876e98b67e04f4dde09393a71a5cb2527c230fd170edc7cfbe146ceea11e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
dc6d838cd085bfdbd5f8d726cfefe0ef

SHA1
60b45d51dc49ba08b1221707db6f278aee152905

SHA256
32958f54c90365bf44bc6d42667154b4d114beae673fb3b200d9b517b6f5f6e4

SHA512
364f946c889ff6c94b1c43987f597d7c47bc95dc41bf3138b7d35e9dbe299a69c0efe50fd4ad1f6f887ed9905b72252ad8f37a6620e68089873d8d75cac265c7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a673d35e0fd2bf1cbb949c2edb3ca576

SHA1
c811fd047f123ba904f0915f1fe859ca79d11161

SHA256
c1deef85cfad2c920383e388ca6b848b6c8fa69989f0e7af978bda27ac342784

SHA512
feef690d7fa510482bca0a48349ea67d197f4d26503a75de262ec2362104f7600b7b0f75e8b334be734098117afa3b8a691ed70591734a9c41ac5128e5e5dbdf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5ca4c84bdee2a46d1f20c1d445030225

SHA1
d3e487aef99fe6b69cb9dcbda01b845970427228

SHA256
4928d068b0ac5a4dd0632f133237af680f707a77a9b98b6528fe790f1dac57f9

SHA512
00570171bde52d2c655c5595a9c2805432c6c7f17beb4556e7b8abb29e63c6c6a1f63e5d81318f055bf562099cfdb88d878ae2509f2ce5e744770c058d42b012

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
20edcde947aa33fb7158d6223d9124bb

SHA1
be5a5231a0e8b1740fed3f6c2bf2ae4d954e4a50

SHA256
2fe46767d2dde59362b1a461b8457c2126beddcd81494c928144aed5e8831fed

SHA512
7e0bca8d83e340253087522f117047b7308b3594ef4865fb6fffa373494e55c0366fd5bd052b5ce768a9fb5d5f55bcab10dcdb3b69a946a2acbbee84c1bebdc7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
692c57decbe96cb933fa7d227c6776b9

SHA1
bedb598d4b9775c35a9609b20011e65ddac53a90

SHA256
f52e8f2f72bc7cb03e8a71aebf57668177f8c24d126f2b2b75cea6636a0429d0

SHA512
4b8d98701c033e4e09138cb6d805e0f8f765d72660355025e920d41ff1cd8139e359435780294cf73dc3f36291a1c32e530690489e69c99c5221973fa34f1f95

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ecdcc7183f37d6d0cce2a69a7280993e

SHA1
98b201586f0f2084136de7a6ccb12b4394ecaf8d

SHA256
0a997251662f2a412084888696259d3fdf7d935b20756bef16e81351b992e8ae

SHA512
a07b6e32ba092f91cd0f2f04d5b1ab23a1f47a52fa21907bf15a940c752eca60f63abe2341fe17c7d5f01be23b391b28d774b08af3ce4d026ef2b7d11c2ed20e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4bc4f5671629532b164e65865fd16868

SHA1
f9a10f63859e3671d1cbeeaeb3dd534d62912494

SHA256
e37e1ea245a022732fa4371c3abc69570c4db15610e5b29454831d3c9133038a

SHA512
543dded94a2110c96cf38e41291218b5537b8c1909c23e296473bab899bc275efb56299ff3d6b86d4702f16168793fc3fd7aedaafe93ed305234ce06528ea27a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f97639fc2480cc5dd1f54275a466de8c

SHA1
83c346442b1daec9671812b9e779d041d7c2021b

SHA256
e8a788033309f2cfb79064918aa24c1778992ebdfe8875d26e08edc8c069a5b7

SHA512
30340a5e6b760de30444b55778004738acc953cdca730dcc52c7f9ffe82521e469518c33b4c4778246f5a320f3ee35b245ac6b1679a45f55edf7ba6c84afde60

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
023efea13207e8b57ab797eefb4f88ce

SHA1
6d4f1c10e5f2e1143af74788e0ef5e4c775cdd8e

SHA256
4762348d9e1cbef7575b450dbfbffd7ab4c9d75f77459cc66d9398da9b8db026

SHA512
798b40d057159de039fa339881ed71f09294b684a8ec3d3cf72da8f75431bdd95c905212579199c6fff9e89fde6d5db464b6af48cbff071ec7b82984352dcdc2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cd6f87e7705e4daa7b27eabd2bd883aa

SHA1
cd0daa93bab561858a82701b711afacef099ae13

SHA256
efde15aeb134fbc3995b363b60278b5962d09d54f5a86ce97f4c0e4c71d1a669

SHA512
a04b9861b0bfb76a103502356fe9dc84dcf0a382cd9aebf90d8c075415eae130b40b535d08579f6e5e95d80400e0d607830f0d1b3d7ad98fd5d602d899bd5ce2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d346d0769d55247127bee7efe4ad4354

SHA1
4f049fa04db28ddf91be563d9809a60a2d4df438

SHA256
e1bf685a6e8f2b502a4a42f20e4c5a203f94a1f7c0ea87956f34c6c6449780b7

SHA512
7185bc05990e10b12de780216143b9fe737c961c1d1fd2a04c753c94a6c1380fd3077246d5f395d1cce57c275037f8f57e5fd10164bd1b0d6baffd8c6a99d4d4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5faa503437997b1399fb10c6640ecd64

SHA1
3986b6abef29b981fc4209f1bc530ab6d82e52f6

SHA256
a9dc453d9988b4b21ce41e72254db9b6abfa7b9c58f05b45b5071f79ee46942b

SHA512
3d92c2756cb04d662ecc4dfd702f9bdbd6313b060a120647b8c4bb3686853f7a57dca520c3e94fcd34a6178c0458484164c68eda6dd62f2e9ca1954463a00817

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
04b210b88d889e843ae4eb1c3fff8be0

SHA1
07cb8345d01ecd004e095698fe43aea0af6ccac3

SHA256
2d1396099382e33325717e01155ed78ca1da21be45dbceed7fe7ebd7f6b4be56

SHA512
f94feb335781f8b37c5b2939107a5e6571670da210573b8725e14a6901c98898419376e102356b8415d948c148e5e7b8b06e860da87f2e4bbec747b111f76821

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bc1922481fa7ed94861c7c952ae57855

SHA1
ae97d5e5cc98316cfd2e6c146d275b5cffc2334c

SHA256
50efc4a9b4581e044866e034b0a3d5f967137d473937fc2f22555f9cc13b6b87

SHA512
00b93bba7a5d3229edaa135129105b5857dfaeab0ee59920ddecb243e25cdceceb23afeea090ad8facc43f72f7db51b372d6778485091979d20cf3173d439b6e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4c978af16d65829e0f00705258cdaea4

SHA1
abbaf09f2dd7cc1790395166c8b52eb35349f0c4

SHA256
a17f6d66876c680b36cdedf8f6784a00d7ff6f61678f502429dd6a10a911baef

SHA512
d775ba57f65d3eb05d463807b6afa6872cf9cc8f55997d80a509ef4788def49dd5da5da67db58431536d8af1d1acd9e6683315d521108371d03fc9a9b522c3bc

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ac570e69868402b2e3f5fa54a09554da

SHA1
950dc895d1f3caf1d2e2bc203a0bf5f0f4176ef9

SHA256
e5544e28863bd2638a32d30deabbc363b0e8db964334fa5acc80a171e66d5235

SHA512
9f1eaca544673eb493ca048f9922de3f8d22315aad19a4c327c92108356cd3f4323bc530b1e16bb1ff453187d16290dbb3e3dc7bc9f561546ec810e55edd453d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
11f8ff21c8fdab346bd8cee15622ec0e

SHA1
5fdf118a8dd5fd9ba197864f5f1d264caf93d40b

SHA256
c3ce593083e637438379e73de377954382492de92a0bc07dfd85b7a3f6602c4f

SHA512
04fa1fb2242f7072d064562abe97e9c5c3d3943c399f9720a1c8c3b7692c5675db28ad7c3030a46365cf7ef1719c87c6cfa541abe41bf796079fce0e1829aede

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
eb2e663b622577547d46fcdf930b01ce

SHA1
03fdb777159211472c9c55c6944b3655a27de8ab

SHA256
94a85aa25ad1538106b5b2ef6426b583ae17c0a36a6b10f0eba5626991feb5d6

SHA512
b328d09558be31e507155d0cc7f39383b093bd6c8ff5056eb7a78b3cd47aa1a51cb8f7d67872e43c28ca98293270bafe6671bc3ea8894f416df195062b9a847f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a085fc186c6cd2b92f7bc74b86450fd

SHA1
03003dc9744b16de1744f1d89b4c737b2d3a8fe9

SHA256
2d82f728b9f39fe8e0608a2acab9a43c7b682d15f53345d80c6f55e525488e3d

SHA512
ad7161db5f1596f88d5046c2063049be509726716255a112d11a03e0ebd14b51e8a89974dced85ac66233db9c0ee1cfd977af5571d166b45e55ca7563129191c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
74175b6281ed215367294a97aed4a60b

SHA1
0c66706e1be84040e9db225b71acea629a857971

SHA256
9e86b986da137b48138c8550cda3621eccdd1a1d068c33cc86d3aff43a5ff522

SHA512
1e0a3217f92f260aecda15eb8c80793927e01fd6bdeb43425049bb98147604cdbc2ab398f7cbd6d69cd546949032265709f1a4295c00841340814d95f41a18b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fab2db992faf34ec1c6f5c8f7bba0d3f

SHA1
ca703d0ee7e5f154a578972990478fad6b8ce55b

SHA256
72e0538b1d447aece7709a21ce2f8949ba36c646b572da811069288afa190acf

SHA512
74f707320f7e6472b3d2fc80246fbbb03226b802615c8c5b9b141dab0fc291f73cbaf9b5257ada195d4ff7f2475c999ff818bf0c637132b88dea5e8237cab4dc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4c0cae591a15ddd79211ae1640998dba

SHA1
99e52ec6cc0e2ca86fa108cf9123f709e3bfffa6

SHA256
87068f41b875dfe7104a938c71eba3cafce76125d663e6c7185254794a7c7e6b

SHA512
97c64980dfdaffa0a33a8c31df03879ebbb4947f021b5f7d5c12ac4b6040b31d0e984ae18f54b5bef9ed6deef40ba5b300d664c57be873efa3bcd6cb72e0f5ee

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5dad30c0fb308b11f69d1e84fc26e466

SHA1
a2d1ba214e2e67cb928638f884b15452ae1b38d6

SHA256
2c1336f596a196fbffe258c3d143d8c461547e0b9838ae88d6531d8e83abb4b3

SHA512
4214ddf2187a7dc343d24774d4774305934a0892ee78c38a562063c4fd29abeacd7d57fb0a24a49cce651f6ea5d4694a076cb1218590ad8707ba9b5097e6a70b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4a8fb7c813fd34f1712bc086f32500e6

SHA1
266e5aa66d92ab9606c586643f588c3c3d401755

SHA256
8840cd8339ea18ecfe757e36480d633a745088a37dea141ee666f75702a399a8

SHA512
e4398c4a9e88c611330bac89a40ab3f580eeaa5016191b622490e0b7498eca1cd946363f500fed622d3c5561cc281197dd297f8ab288d04ec9be70eaa85f6758

Download Submit
memory/824-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/824-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1176-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1176-538-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1328-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1328-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1328-80-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1328-83-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1328-75-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1372-20-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1372-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1372-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1372-18-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1372-11-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1572-208-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1572-539-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1956-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1956-645-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2112-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2112-58-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2112-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2112-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2112-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2300-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2300-639-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2408-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2408-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2476-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2476-640-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3132-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3132-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3132-89-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3344-6-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3344-1-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3344-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3344-100-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3444-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3444-444-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4004-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4004-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4004-54-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4004-48-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4024-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4024-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4040-646-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4040-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4428-113-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4428-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4732-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4732-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-643-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4792-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4852-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4852-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4916-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4916-249-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4972-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4972-466-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4988-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4988-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4988-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4988-141-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download