8fe7a2d9f142bf28ba0423f345b815af60ded9de9f8d773454afc30690628a92

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Size

1.8MB
MD5

1c9550a01b5921a1b685437ff7f84e35
SHA1

1a92559b267ee699862a8a63ac170551593aa695
SHA256

8fe7a2d9f142bf28ba0423f345b815af60ded9de9f8d773454afc30690628a92
SHA512

aced79062ba8c528183d6ecb17c57edf2382d9757c59f7b8a4864ecb9583b3eca8706e5aa9dbdeb1b878ff8ba942a748e2d8e134d607df39754588efc050db62
SSDEEP

49152:XE19+ApwXk1QE1RzsEQPaxHNugDUYmvFur31yAipQCtXxc0H:I93wXmoKjU7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
452	alg.exe
612	DiagnosticsHub.StandardCollector.Service.exe
1620	fxssvc.exe
3844	elevation_service.exe
2068	elevation_service.exe
4048	maintenanceservice.exe
1840	msdtc.exe
1236	OSE.EXE
1980	PerceptionSimulationService.exe
64	perfhost.exe
3224	locator.exe
2304	SensorDataService.exe
4044	snmptrap.exe
4400	spectrum.exe
3736	ssh-agent.exe
4404	TieringEngineService.exe
4408	AgentService.exe
3928	vds.exe
2536	vssvc.exe
2984	wbengine.exe
4156	WmiApSrv.exe
4996	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e0ce801cc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006352904ebec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6d5c94bbec2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000915ed34bbec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e37c944cbec2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a1c194ebec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009894f04dbec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eff1a94cbec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4a39b4cbec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eff1a94cbec2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002df90e4cbec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a4fce4ebec2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c3ed74cbec2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007720164cbec2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Token: SeAuditPrivilege	1620	fxssvc.exe
Token: SeRestorePrivilege	4404	TieringEngineService.exe
Token: SeManageVolumePrivilege	4404	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4408	AgentService.exe
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe
Token: SeBackupPrivilege	2984	wbengine.exe
Token: SeRestorePrivilege	2984	wbengine.exe
Token: SeSecurityPrivilege	2984	wbengine.exe
Token: 33	4996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4996	SearchIndexer.exe
Token: SeDebugPrivilege	1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Token: SeDebugPrivilege	1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Token: SeDebugPrivilege	1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Token: SeDebugPrivilege	1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Token: SeDebugPrivilege	1332	2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
Token: SeDebugPrivilege	452	alg.exe
Token: SeDebugPrivilege	452	alg.exe
Token: SeDebugPrivilege	452	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 1664	4996	SearchIndexer.exe	111
PID 4996 wrote to memory of 1664	4996	SearchIndexer.exe	111
PID 4996 wrote to memory of 4924	4996	SearchIndexer.exe	112
PID 4996 wrote to memory of 4924	4996	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_1c9550a01b5921a1b685437ff7f84e35_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1840

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b4799ebb70145b5b576f173f4c064c0a

SHA1
1acea7816fead1cbbc09882635d8c45ffdc28cb7

SHA256
05140d94b5fad0ddc4e13f548069350f15db1e985c024975c919234085c7b268

SHA512
fb39e6b57dd0b144ae10a0899b339523c760dc48e852345e6d8cbeb7d3bde07416d4101f0cdee940363973d16b30d77f7ff07b9e69659f6601f42bc37f4e8f73

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
94fbfe019c1f9d150a505e0cb1d8b6eb

SHA1
4aeed4b3578ab12643a35e11bcdce7856be28456

SHA256
69482f52c18948359425c50797fe155307674f17483a3451a2389e176eac9255

SHA512
48ac02b460b12e47ac3f38547dfb2c189867a54b3b0a4231a90d910a73eac38c4a1627672e78ede2252ba4e354e414de3c3da82c1ee85cbbbd695d72a8181a3f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
38cc5f1274fba8eae4c9c71a0ee89a4a

SHA1
39d68346e6fec6856dd002c74035da81f8f4caf7

SHA256
a1babb32f692ec0e275f9756224049ec29739bcbd47073904fc95361a7c1c5d7

SHA512
f9d4bae0dceb49cc49eaece995a56aca8d33c6ef6b900019c4224473e8fc9cc78852a0434dc70f7b23f56162c866c77114b8a8ed3fb4b881576d90412a16d882

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1844698b80e00bfb30aed2109d65fa3c

SHA1
8ac18ce22867b93adc63cb3d100a36e31b68e290

SHA256
5918614f53a72500a8a55a55af14b7d1b3223a00d644fca4d28907202e1573f0

SHA512
bd35252e6a83b2422bd4884bd501394c6d07f4e06b3b5c4abe5d773a88144012e4bd9a0d4f25bd01d3ea9c70432538ad83cb74188ecb793f44646a74418d2ed3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
107dda67ba103dbece8d6c43e1c40660

SHA1
4e89ff26f81ac7442ba48ed7c42d98348c408a1d

SHA256
00ed664923704838b4a84d7a55189541a8a6a203acc3d369aed60bef7be05f97

SHA512
6123fbf584cb5ad85469038a2859b217fe4e6b50abba9551c22e6f2edc985fa9c5e95d8c2170d7e0e43dab4526a38361e8ff33cb7f8f5ac0585e3df1c08db8a2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7aaaf4e0c85305135b70eb8c42de0618

SHA1
9867371811826a05b764b2b6314bd92bcf788f6c

SHA256
0190ed9c954413a28d49bfa26b10d7a844c5fa80026372717ffe9c33b6ff7e22

SHA512
7f6cf39d5bc3f60084a8a0458bda36bcdf2a0a8d2306d469fb59976e305125da8e6a3bbda6fc9374952bc8b6e907d36929a41b3593415e939f68be895494b866

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
510aa12339966ab9db5c897c61037ff4

SHA1
542df690becf0f43454a2f28c3b2d7d5fcbde833

SHA256
1e601dae83ad44707fb72daab483eb9309c4fe7b5242ff07d47f40dd1fa8ea22

SHA512
ba26d34cfd017c2ffed5dc7b94377a4f6ec766e9c9e4e755a00a34afe470fae6d2383d69fb446aa9f120af2c326a5c6b4041baef13bcbe46f46f5e28ff96abb1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d17b2485852692ef017302c24f3561ba

SHA1
d92e3185fd6ed08413a00a2abfe2d1334699f5ce

SHA256
765c57656d1fc6faeb54558905ed80e9c64a2c57709ced8aca3d9fe22e5164f7

SHA512
2694e3582901e0fc146ad8b93f3d66dc6b4bd793852f1578ba7f82768aeb315c9071229102fa1d57a61139d8071aed68798a9a3fadd1653919a80e66914c8b09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b51f1a5bff63a38b17aedcd20cee5d6a

SHA1
bf692e1890fcb5a7fa4e51d727314bcaf21edd6c

SHA256
a0a9a51d21e68b77368b5a48a1ac6b29a0b132b39825dc994cf2406fc686e587

SHA512
e2975581bfcb889394c3094d4693d2851ff27cfbf947b4c81f1a94bb979b19e0ec2b7278e92cd144ddb930ba82518710784b9af0bdf059046eb70ec74f0683b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
99e23c4434eda447d6a0eebb18168c52

SHA1
ab27af65acae911fe13a836c189cbe1c00887f28

SHA256
00fe6073a9834420e15400b497d2b65d7edfa01bc4eb17c3ae4fb84312f857c3

SHA512
318f4c1c1e87632cc1909e2b5626ee216cbde370b6e1bbc52df00cf1fe59072d9253425941c9d4812e5ab6d06d0aa13e3f73c84e032393217050d312fdae1484

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a9049de078b7306009bc3d2d9429f1a2

SHA1
a4943a4bace1db6a92ca3a8ed1a4cf3d34d2ad24

SHA256
664f8657d1c8005ae2a634f2893a44139faa021cfdae6c25934ddd039c9a52bd

SHA512
735503dd1c9c9d972ab3618b4145bbea33453456b25d37a5c6e6db06cd9f60ff2292ba017719362d20eb396abd624c6bd313ed617091a34254445af9f237a732

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2513b848746a530049beb60f0eaf9bf5

SHA1
0f3ae887780ff505eb19b3fd442ed64abcbd7bb6

SHA256
c423d8c12c5e487cd848ef19b007f775343e2bf41a8fbb807f66676bae20b83d

SHA512
4fe9de4a524388ea62f0db25e01424a6a3e9b1164fe2dfea63a03e21ac4a845e024336d4e63ab6b16a623db48dc630ac6855f373ec3fa3cf273f4a124272d5fc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
ac680111ef48195cb1951d26d2ee073e

SHA1
6e4d0cbc032119f5cd2a0abaf4429459de0fe0ad

SHA256
35a7424980fc354b807862c108600fa8950b1032abc8d1b541396803247ba2da

SHA512
ad648aca1711e57a3ee88c828a640ddcc8e25b792454006bb2f05c5420421196069712f317e8c1f0a01f2cc6ffad2e210acdd79551ea68659abdcf053254d183

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
359666858713b88709c04e6cba55dd75

SHA1
c6ff36021ddfa1852f616eab51bf4b492d7c0937

SHA256
c48386470b7618086ca74ed9d9536e6ad864187632a501e1cf6cf2765114d404

SHA512
f69e2697c7312537e59c79c62f46040413b8836c9a9d70f301afdc38265a6901da979878ee11fe6359b24c61587c9bbb6b17acc86ba9fee9e3ccac87639ffca7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
28f97fe76e115d867b24c459dbcc3db2

SHA1
dc44ce92082667695dc942e79db3e128f20b829d

SHA256
8a63afe345ed62ad8d2e4f5295ef15a924d4cad68274d32e1af7a8cbb63f7774

SHA512
8e81cf6c076b9ca82841a21ffb6573d632dd22b6540010a63c4e9fa1b7c307fc00670ee502284b89dc2d45b3a9f759b8d6c17421c49db046f7e39fa350338b37

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9deb0649e7af108ba33bfdfcd86155db

SHA1
8c01b60a55ef051870077a3208aef257ac23ba35

SHA256
bb49cbf20ffc3a876ce8aef43e06af825183c2c3e33738ff0065313221271b64

SHA512
395c04cbade84e1cffe0291fe5c4582b8f74660159e3fd7b6fe44a0becf001214164f9c726d8529ee2528b0be2fa978663d403686a17631616999c43d66f673f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
70ae8f9e13a4bf3baa7fdcaeb7f9b0ca

SHA1
a8c8e75296f1af238dcdc39c7c797746205140c6

SHA256
0572f9d8fff803e10587f0b10b8961e297bbee9179d0f0d8482b59dcf51b6cd6

SHA512
368f3069da1e525ec12dbbf512906dc22ff9edefd6387af38b4d01bc6c6cb94842d5d3269ab126988f6238f1d2c6d86888569d955b8365473ca31eae9d7df237

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a01c77c1f1e16b7698fa1de23f49f81d

SHA1
1d3b3be6a9a109df15c275f2c473bdff1cda7872

SHA256
3a9393ac1eb040c8f0005be9f064917686982281738546f1e36b529a088b7dc1

SHA512
2e14a89fe6eaa4609220306ced07595796008edc4d30f9e17ee5ada5f2ae1f8d1f7876def000800841ea7684f90af8e57541f5aace33ecd94ad311d001c5a194

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
154a53cc860514822e1913bbd4eba518

SHA1
46397ffe8b9ffb4f1d5c1141fd03060c96c4e290

SHA256
c6bc799879050ed135e7fbb356555e15a1ca23679904268ed242ba6e14d5bdd3

SHA512
abe6f794b6a8171cf98a8de43e01a5785844de28fdffe30bc0d65fedd4636a3346d4ffa74e2a5d1b3f5c2a24d8cceffcc04bfed3ac7b6925beb8ffd84ac2b57e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bf433952f09c7925b3f9c57ad73cc673

SHA1
260e27693c58fefa187161229f6dc4e519294720

SHA256
bbbd844fd5686bd67b25429443decf1053bdad7068fc02d44c45c95d8a1d2a8d

SHA512
099e3669405b89a5bab763a7b3605b8147586f2473a9b0d4a538017b91eb13b54a716fd9f2dd89b56bdf450e48a7ef2668c15cf3d8a23f1b36075594ff7cc5ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
59483942229894440775381d2f7c8b6a

SHA1
c68279eeb514c26ea9819953abe925661e5e2c5e

SHA256
913e6ee7a668ce5266d905f4cf6cef4e0f797edc6fa8fdbf5b68cff0c1522142

SHA512
0831b2a59f85f4be745241f1df6cc557b16510c4a3003b92bb0eb275c4956cd52e563fdc9550e18bf5d43ffd1baede65883928f9d0b8ed9777ba3833459ef7ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
d0226c37247669dda5f34dcca6c31976

SHA1
f7c6c47ec9a03c86ac5206a0128cef3841fed4bc

SHA256
1696b7fd44893cf642a17ae9a72d77e6cbe888351dc3b9906111e04fb91e02a7

SHA512
e527e3914a6d0fd7350ce241c0e8389d673b3c4111e9ed58e9efd41e168260f6b3483db4b2f631abbc34dae3b414c34472292505c4c92514b0e0e895545b667a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f0adc3fb374eb1da47a73d904ef36808

SHA1
8366e255dec8952d667fe599e62b1445d7e0a2ef

SHA256
b4bb5b9a2bd9a4cf8dbf25bc65d14b10ddb2e52c1f7af077bbaf3b6cf858c3b6

SHA512
d3d157ad9d07141e1dc83895e279c3a21cabfc23b472308635ceda7ec164c940a853c1b0d1b6cefb7b737a7f1f9f0bf59627ef5bf7dc4fe79fb6e12636b6aad8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
fedfbd0cf657c87b678fe8e88f0d0664

SHA1
d427debcb44f1ed6b8f505786355e68572d1884c

SHA256
4b74c5d2bc806e5a330616a0352255262b8a468a72ec570135e6589b0be33b3b

SHA512
c1000aa1405447884c2e4e93bf343bf37574c8024dec1837e4e3607c64bac01e2a5d7b005df8f1c9c5ed5a4425f37892bb05da46f4459e7f87a6d29eec48ac68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
98c06d240b4726e63db044b6f63e4087

SHA1
6b942abebaed15d685d818554dffb9399b4e08c9

SHA256
688faad4f7accad0387430a277b80f026c8a15c11a90e0493657b1ed79328afa

SHA512
e94ac02ecfbb3d64cb9230ad728ee9a578f6762ec745f8eb3959fad9aa75e83e80785991a5305e35943a838fe319648c9a986c72098d3089fd408ebdb5039353

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
ac66b17392a081e0226411ceec862505

SHA1
c639d407d4febf527ce0abe09f0d17cede915e3e

SHA256
8da57bfb84ccfa4a67e6f0a3583d2b93989eb4a8c63295817c92156d307c02d7

SHA512
bfacdfdf81e1737b28a8dd930826b92dfe7c4db836a13271dcb64bbe3ec35fec5fb5599d976ee19ab7903497f2513c6c1f13845a5652d03bd083d67c5a13a323

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
c9a928b68aa9e9037623f4c5f04efe07

SHA1
e6fde183b98b59a0e83dbe83f80452e391233357

SHA256
4165f305704d14eb86c80c20a72ea2978714ec647c63ea4002dc9469683a0e3d

SHA512
1080fb2d07aac506b553cbc303c3b8599a3c62b7effe10edfb8fda221812b7aab73b79eaf49c258ac062acacdedcd377b8df7a34d393a83eec6869e87a4d4b55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
9806208e6a3af52f6151ac600c7b51a9

SHA1
736f7feb91a2dcec0b73e717a15a02024d31a157

SHA256
80da609c82ead316717570c8b0c00b7508a9f3affd5d0d9abd8cf36cea8e91f4

SHA512
b84786c82c60772b0ba407bd64b2c5d6a13067430b11ac157291761f9703d00efcebc4d5db8228f1906c05a9ed06a066fd944c86b5d19eb81fddee98fa26f494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
04e6704e0af61617a42d9996fad7b9db

SHA1
7d827d14b2bfd9cae246226a9b733ceb2d79fc65

SHA256
6f75e365e858a06c3138d39002494b9901faff1aca5f02557124694b960f6c9d

SHA512
1ce41c6ada38903fb24415beb5e630ad27cf53942453956ff4adba8418ba1fdd4fa661d289736919fed360fba2f90eb973f94927154336fd98b17e3cb2e85c09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
1432d8321bec23598a70b0f2d436bdb1

SHA1
3e39aba5e5b9ef95a1b34d32cc45d8cd295c983a

SHA256
b08d7bd98b22ab1e0bc6458fafafe56a1df82348ef106ea8ff5b4c721f9c5d20

SHA512
25e7cdd32421b10573f552fb61579f3b6f9307827983d88a7109c030182b2af6f023fc2569cc96ff361a9a55c7257d2c031e682cd2853f055c913b5df4e3d694

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
f52c556578c4562c54e29924780cd49d

SHA1
34c2a698877a48e5c4e0782672dc689410b6a12b

SHA256
602c85fd250b4f401648244b005a80d69f5072ad4ec3801b7f8dba0a0a4dc60c

SHA512
1769b54fccd8906e986a861c053de5d1f34c8202415482f9c47e170830438dc1866e607b0f49431ecab53e4a6f86df7c0a82f32ad3f38af3227b9a1ac66ba86e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
36defa935f703292ef092cf1db462694

SHA1
23504ec926580ca329222a4a0d0694533ec509b3

SHA256
f6e109ac277235aa0d73195c17c46a33c5ddf20bfd5bdff77e51f93a21a21cd3

SHA512
7df8c7f602b33cf6171064aa977862951c2df2ea4bd20c84ad1f4c0f595c30e8c9c7be44ab5d8066f7f22697019eec2958c5a7540ed2254d70bb276b1cc1afe3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
2833e7160b3851064943bc6e81ef8a09

SHA1
27cc498d87da3f06ae91fec6076619eb403c11fc

SHA256
f2f3e804a5de4294aa75b122d67edcb40cf4c5267d6294cbc4abfd1bc2146c54

SHA512
704949b76f49d712f4b15f9fb8716f6f1f3f34c84a0928bd42ba169b9d2c10c6fb4abfdfbd491d9fcc7891ec002c8a6cbacf6aa9da0e9d7f682d82a1d9eab71a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
d05c2560359054e21f8422e941e9d7a5

SHA1
4ee47bfb50f62e77c5f45c39299ea5070e333af1

SHA256
e98563a2dd3615f5b8f4719e5498ff0fade7ecab01ed2a6b5fb5662a92e226e0

SHA512
978f53388d9202bb8d0a6a8a45e81f0a9ae57c9a4abd7ab6aef31d3827c930e815f967ef8eb150504fd439ec38d15d72a48f185cc478eb35b91f0247229eb1b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
9a26c89a6f16ed4ba18a91466b917805

SHA1
5402f61aed34f482c233ac67d0eb71d349403525

SHA256
2283348d4963482caa97fd09bccf2d4b6c6db5d19521351285ab211acc613908

SHA512
4fe7500d5177517e4a955451f475726c7ac46aa5944c480bc52eb6f4bbd25bd0341190d74189c1967e72c6c30141366bace46526c202b9d8773169d949b530b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
ded1edf8a31bd5e47fd3e3e02b8aa8d6

SHA1
aff5fd1945120aed68f8e1c7c1c529adce29c675

SHA256
24f835525629fdc71d0087d56c9f6b68e14fba27a0eb82b94341ebd575baf39a

SHA512
2a2ce0545bd13158f65b4d0ab5149f2e9f2875800aa2bccd4896b3107d6d7f69e8e853784ebb1c4a41f83ba1d6c7ec608056572733e48326cd104b5b70b42f90

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f7ae892e0fffc796556509f422fff2de

SHA1
5a5c95686489243366e66963b442dee2aee3a3d1

SHA256
84d7ac0f6374e842db1108993c9bdee781965b323841ffa331f45475388a037f

SHA512
8643892b46a4b7923835758bd7ae7ccfc2bd5870ea0477862c7acce5b77663578e7e098635edb05fe1761bfe7fe86913953ab90ce23b5839a9e9583e806db2ea

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
cdff8d84ba01d7c19e78b230f838d85a

SHA1
78d3d9a5afe28fc381b414409e8ecd18b1856ba4

SHA256
ba34b3a4ab0f1ef361fec670f29812e3c731c0dfcd3aa54f302142c6f3bdceee

SHA512
f2b544b7a6b024f962c217fa8ce7f14064f5c85df805b6587e211f6b95915539f267099abe4ae16680d8b62cd43465f04f6ab42347be209ec1ced31212ecc81a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a7030febe0c5139109309d6c6518f6ac

SHA1
3fe0aedd0d14951defba40f287def9d342184d3e

SHA256
1718ed9c2a035f0c818835a2e6929aeb75a811c2d0016652a528cf38276d3a08

SHA512
1db3e4f9c112127a5f4224a9a37f02ff948cafccd000e66f9abb406b02f54bf56a219882cbd3d861651845e7d7c4eaac16420ce7d89846815a64b2e322dbf58c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c984bf0c3638c3951d90f8b8ee22d12c

SHA1
203bd30efe165e09acd4ff46ef84de58b7264467

SHA256
02f48b8e40c9337c246fae2f04d41bc9786e715ba8a2bd8f5c3c11363107d98c

SHA512
c3e131e305c9a1b803622415ab16462fa4dcdf6b8449a69bce7d1118adc1da6020efb519d29e7257983046500293ae05838d17ea455756b1c5921502ff89b745

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1476c978ef8e5046b0cac7471f9315ca

SHA1
1a0de6f3429ea7b657fd45189ab3d71e1ea37143

SHA256
5fcb247a1d5c9cf6e2674f86cfa816ad7ff5f1833138844e727d670c5104e094

SHA512
03c56d908f860647b92cab955ae9398204cf79a33ef352368f73e98edf0514d9d104421d02b191333e5a4cd7b451954db1276625540ad8ad2512ff6fce1bfe58

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ed4667fcd77ba87a00b3ab9b8ff6a049

SHA1
18bee2c0b210da5259af0c6277e90e59f1f8bb43

SHA256
0f62ef7637e9ba4b4d99b93c73741c6ef5feeac220ea2817b830d8ad6e6c0921

SHA512
20537d60dc3e399482404eb4cbc1478ed1f069e6e740f969e4bdbc742b10c5053cd27a9822936ac237688cd2a5c81ef664f9ab68c6e55442c93bfc3b2bfe542b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0794216410f1f225f0390f424b099796

SHA1
1abe75e599759a487398f2ccd4242ac6c1edd51f

SHA256
756de3c4011495f2ef302de1c81845638454831a9b5eff43ae38993f3aa0d2b0

SHA512
4af2594b12d5e05bd183b307a0535e9c5b5681aec59b26a19b24203402bd78a9ca11deb21bd9ced311ed4e33962dc938c17552eb7f27787a6b44671d22d0051a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3fcc1b6f6623cfb4130d6dc3b03c5881

SHA1
807fd1445bce6bcff04fbed069cebca7166bf801

SHA256
3948da2f1a28d7f6dff1fc81355c05b8c1dfc2237da1add128ad907ff1efdc83

SHA512
b00841041813ff91de035f984a98a16bbef56ae925a72dfcf10ad081b789b52a9caed543119b29705833eeaf7013980e28ec82733cecc5f9c427afa0c5480361

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6375ece93f15a3c7af9224f99d563dd0

SHA1
266b70f1b4727dea0e0ac97eba3c4eff16d6cf54

SHA256
f72a61e2b11c4333f5d38ce606242664ed21c4f139fdb68342ac03b32151ac2b

SHA512
ffc7dc9161df5feb91824eaf36eefc5c4b7b9d3eb742ad4dcdc9f542ab620531f81edb44a06f3a6cfb0d90c7784b9c676e79d79a8797fcf1ccbbcb1084d077d6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
481938c53449912bb8fcc8587926abc0

SHA1
ba1add31b9c2070b205208709f5a7be0e27c16f4

SHA256
dd0128c1ae6b8cf16a906a2ce075105859d949d59c64d4bab96b4767fe384eb5

SHA512
747ba91b4bdaefc99e402b13ab69974b3df4d73468f1ab856a04ff710d073b87522d6de9baa08eba743c5fe957bb2046ecf66d2ed1b42db59727ebb0353c8b6a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
65a6b3a10bb323774ee40c15a6a05238

SHA1
87fdf24c060282164fe3112a2aff6fc8658a35b5

SHA256
a313d1336fd982863857d4353374d215fb2d7015d2f9249e095bfa096d18fa8d

SHA512
b771de2e22ee7bbd85848212eb87f4c86186ce0614da7fe3d76cc8932aa50a2f5c077b8fd655d616f1f0d68f2f4017f52db6d328cfe00428497118d442e7d60b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
55a2c730f103ba76b2efd4c050fe8390

SHA1
39348d4dbc2c026ab735d379bca7d04bd1ceca8b

SHA256
efc1d573d130ae991296654be262920d0356612ecf530a1ea521ba997cbb12ad

SHA512
7ee76a9e53d49f19f793cd3622700a6a0ca227d3503247a3944241f1254f8d9d10e31b81e4203514fe9c893356c5e58710b54df5a0607dfdcc0278dc19226642

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
26c2a96d0ef92e1a6af9e8d655a3f8ee

SHA1
42c43582f4ab42dd9ab180f401b890ed819b0671

SHA256
523a28abbdb346a40671592246629bf5e9fe6a9c322a912e6f9377669a1cb501

SHA512
2c51a58661cc20cb3a340cb92d79bfdd74cb96428ad1508fae0710fdb263ac45b56f4e7588a6101fcf46e06413f0322192fec5a5e930638e54dd57f7395fde3d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d6a6e0510eb4e58e6d0d2833e9cc76ac

SHA1
573f5cfb8b2f0aad9ec018516ea5a0c46e3243fe

SHA256
9596c69ec25a40ec1ef662f561a3b133c80622c6e7266a4f9b616342aa988727

SHA512
3246e16f890b3dd9946d25f6ffd9544ea8bb5056c8bf6ce1c2749cb38664365bf85f6a147b5875c5df2589417e95f737893f570e5fe1bd1c48f8cefe3c09b973

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
31436e3bba946d4c1158347e552123d5

SHA1
1ca178f9e40c6e11bb825102467bc22c4a77301d

SHA256
bf1a195459ca6ee5e2e844fb656fb080d2f2f3ae42b1cbf9039ec2294d35ee0e

SHA512
cd29d4f101fce492c778bfbf8c7d16a8e4f3db470c1833ef57103eee3746c4dc0b99d178dd3415577cbe7bd598e975ef86cada075b92276448cd701fc671d467

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7be297a8b4d0a6c9d6cf505f49837ceb

SHA1
4ff69ee4e902aa09f2e69ff10a93a4c5fe6905a9

SHA256
f1d6f00dcd032bab944fe9ec00530f0d6435cccf6cca94960cac7eb599e21c96

SHA512
e5e3927104ea3a83a34952f4a9706f137a5f229199b0fe030c210b2fbc83ecc22e3665c2242510c4631b0a03cbe659199ec220e4423f91bfc56f9d5d51976875

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
2fb5dc7901488ac2a44fc58774af2f73

SHA1
96563d4c94a562414ea631d78580d74fe79c0605

SHA256
ad74d03b8495b359fb264a3fff10975ec874407b8cdab0a7d50c4a902f049ac0

SHA512
90dffb0c62411d10307821b161bbf2ab9e0c8bde3e2d1f15e0b15492fbbf0da59502a7095324f68a14cd360bc179101b11edb9748acaeb9389d42002a1869bbf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2498ecb4a815488c3ccca585e4f802ee

SHA1
9b7c63c2eb01932c7cddfac73c9bd4a992206fb0

SHA256
5eb653f655e02fa37ecc995ebc29b8e1cb8f6da13e310b593904cb48a1c73710

SHA512
3088994d351b6fade3f00301250a5e13325085667ca5ee76397ea9303cd7bcc7ec7150ac7f1f249aa83773481133a154e900e5d7768b947bb727aae5b113d931

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
ad92607a6db4a344e7ef32e70d1eac94

SHA1
e2db27e31de9077c2f58bc68f234812596bc1579

SHA256
772c2233cd38cae4177eab85eebef616c23e69637d9c0fdfbef21a841071cc51

SHA512
db5162a5ab51dd488407804526b5f6e2737d8cd63ef770c8104997c274bf84e634ce52c30901f0c79c4f44b711e38f3e9719366785bec1804c3cbc4b4bdf32f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4254b9b5763d25f221135521f30ce69d

SHA1
ee14bb9c3e21c7915beb50be78f6fa780fad9418

SHA256
3fd2352386f77b7d60510232651fd5b2b31f895cff5ec859f0dd84456d2b1dde

SHA512
6700fe0152744d340a3c7d5e0e077e65ecac7554b6e0b57fd73d9111d4f7115026e041b6c4b1264ea6f6a3557324440fe58f5806de9069bd018ab711542fbfa7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4129e3bcb73ec5a0b3a0286b5191902e

SHA1
c925610e8f7cc27903c206f84bd202d9acf61683

SHA256
32148ec799bf5a97a1452bf9ea12dcc46cf623292141667259c712bf0184f432

SHA512
fbec3dfd774f8b7c990eb21ed5349535cb264d0cff1bc09e40dea65e789ac7ec94c265f65e0614c486e536e36b868b80e2f53c1466d939d7b7218337c82949a0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
3e2fbf6fa61270fd3dd7a585fe0d799a

SHA1
b4a540631c7103739f6b0f0478795b58259480bf

SHA256
dee3e036aa445c57ec11442ef7dad8b3d641304bf5ff6757990c76a4dc877b9c

SHA512
7c0e1ee8800f87b36a9607a0f514abb088b1deceea8e4178ede0413e34d005da02cd83dab2fbdd2f77d0642c5edb544afaf973b5287720071fc248fcf1618947

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
f26505a20e40c00d09df313d838625ff

SHA1
0f117a2eef69a0bf52eccf5893a6e63eed93ff8d

SHA256
e6d6213cbecf89ca6610acd3be0c3b191d936e69c00a883b580be87748f61ff2

SHA512
ba5190c928328428c20f77ff07b47031e0742736d6fbf5f4cd222d78a2a98c6756c5fc8b266f97a2f857cc951916cf5361abf27a8a59332baaedd7002340a16e

Download Submit
memory/64-131-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/64-250-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/452-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/452-92-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/452-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/452-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/612-127-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/612-34-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/612-26-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/612-35-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1236-226-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1236-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1332-65-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1332-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1332-8-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1332-0-0x0000000002360000-0x00000000023C7000-memory.dmp

Filesize
412KB

Download
memory/1620-38-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1620-47-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1620-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1620-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1620-52-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1840-211-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1840-94-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1840-93-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1980-238-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1980-128-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2068-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2068-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2068-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2068-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2304-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2304-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2304-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2536-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2536-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2984-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2984-602-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3224-262-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3224-141-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3736-189-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3736-592-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3844-183-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3844-54-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3844-60-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3844-62-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3928-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3928-600-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4044-164-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4044-387-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4048-89-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4048-87-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4048-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4048-83-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4048-77-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4156-605-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4156-263-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4400-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4400-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4404-200-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4404-599-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4408-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4408-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4996-606-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4996-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download