4925212fddf813a92257125fa58334149b2cd61c0fc61576813eae7b3c8da2c5

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Size

1.6MB
MD5

350cfb0ab7776c5fe2173ea4febe3a90
SHA1

2106bfef7f00a0de06eda9d80a44fa1db1db85d9
SHA256

4925212fddf813a92257125fa58334149b2cd61c0fc61576813eae7b3c8da2c5
SHA512

16d0431e259d72038eb4842e4bfa4f0124e1643ce2038f7770f60eda54775eca7454a159077dac705e1268c398a627b71389f3a5b82172eceadec8d640d4714f
SSDEEP

24576:J6BcTNjx+mZCkt76f/24pN+XNqNG6hditW:cBkf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5080	alg.exe
1008	DiagnosticsHub.StandardCollector.Service.exe
2812	fxssvc.exe
1428	elevation_service.exe
3060	elevation_service.exe
4364	maintenanceservice.exe
1060	msdtc.exe
4468	OSE.EXE
4228	PerceptionSimulationService.exe
2284	perfhost.exe
3980	locator.exe
1576	SensorDataService.exe
3352	snmptrap.exe
3116	spectrum.exe
4628	ssh-agent.exe
736	TieringEngineService.exe
2776	AgentService.exe
548	vds.exe
5072	vssvc.exe
2332	wbengine.exe
556	WmiApSrv.exe
2644	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24d1c6e5b3b9834c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B7E43319-E9B2-4347-B44F-112CD29ED4B3}\chrome_installer.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e833dca2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ecb21c92aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034b46bc92aceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000424c04ca2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf6a55ca2aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f20adfc82aceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004457edc82aceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Token: SeAuditPrivilege	2812	fxssvc.exe
Token: SeRestorePrivilege	736	TieringEngineService.exe
Token: SeManageVolumePrivilege	736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2776	AgentService.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeBackupPrivilege	2332	wbengine.exe
Token: SeRestorePrivilege	2332	wbengine.exe
Token: SeSecurityPrivilege	2332	wbengine.exe
Token: 33	2644	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2644	SearchIndexer.exe
Token: SeDebugPrivilege	432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Token: SeDebugPrivilege	432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Token: SeDebugPrivilege	432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Token: SeDebugPrivilege	432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Token: SeDebugPrivilege	432	2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
Token: SeDebugPrivilege	5080	alg.exe
Token: SeDebugPrivilege	5080	alg.exe
Token: SeDebugPrivilege	5080	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1656	2644	SearchIndexer.exe	119
PID 2644 wrote to memory of 1656	2644	SearchIndexer.exe	119
PID 2644 wrote to memory of 1248	2644	SearchIndexer.exe	120
PID 2644 wrote to memory of 1248	2644	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_350cfb0ab7776c5fe2173ea4febe3a90_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1060

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3680

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7a6e7825a1b9f4cac664a9dd8db03110

SHA1
3e11edc2c89d6fef90d3914426ed873bf0325397

SHA256
614f36db7fea8219e8dc6a7cd3df62789712625bda1fe85ace555911d32b9e4c

SHA512
eb453fc4c3ce8a6d318c4816cc203aa4af1d7d1541fd33f9a37cf8f9f97251c7a775c046b7b3e235727b88daec09f6073a208526f19e5431971e3b046e334879

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
3d7612fdd3bfb1e661e07cdf813eb350

SHA1
05d8dad7f055b0eb21265f904578ffe0939db3c8

SHA256
558bd22bf328bb3fe3271ecf3496909776b12eea69754563dcbf4879c6e91506

SHA512
c28d0cd932a899945e5d0ca763dc64da4fff2abfab63e79624cf20124cdb9d8911649d65693b4a091047707bbf38a2aca28d39a72fb791622dfc93e536889ca2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
b1ec4e2cb2913cbcaa7530581535b21e

SHA1
4806c172af33dd33bddf185112a3c5e510c3dd7a

SHA256
09eb5272bebc17f86ec0d3c183a884b78cdd1afced723ac96d8e7b103cb8e2d4

SHA512
bba12d645eaeb361c8ccad3ae38c49a98d89a05897cc5b377df8006da548545a4d00383a2a27f13476c68bb72814eebf2623e5011b1544df081de80f37c532ec

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
367cc17d42a4cd1e94d885ac47176527

SHA1
e600b153f2ad50a54947440a3b85d7992fe85991

SHA256
65b1baf6adc6f43c85953f584131209655cb34dd401a2015de2fe0b93d6ff519

SHA512
a6ba6f3627205868d9b96a24ed1dd2c206c9f0d31a9bc1dbb87bdb5b6e286159336a31480a173866bc49a5af65c7d2c7e80995a4ef5fe82d59d19853e0cff528

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
827be09ff8a3231a0025c150885d6558

SHA1
1ae83b86f4d8ce40573d08068b7c781603afb7a6

SHA256
ba380efaf2957322d0f8b0e283175deb237b61279b5ed53af667c133ff7e8cfd

SHA512
0ccb3c75f9a215ef786a1bef47f95639f45b7a755b578e369f9574131298dcfd405cc760dc9dafe9a760f541a1f73eab4d341c51cc0a1a45c326ee5fba4b5946

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c602bf97661a00f430c520d47e315139

SHA1
32c939cf8a18ff4b42d61372003b5f97c3fb83c3

SHA256
8b38fd65029845024f0e8904d0dae68a657b3c229dabb80948fb9ef2946d7a11

SHA512
7287783274db72f69df9ac25f9b4b5a837a272a53738810516586c97ffd605548161ec5abeae4d679cd69a869b8e7cc4c9976735b75a410bb2b0437368f9ac9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
e1c7b2f3fd1fc35a5351a9950ab0a26f

SHA1
58a7315b483a68a9622b5f83d693bf25ef4b9dc6

SHA256
0c0540c81840ca7f36d96dcec9d33d72eafcdb7df31b4cbe8e2c0c6d003b2a49

SHA512
4b6c4bb68018b9d44f3a63234e56895f9f112dc26020e6ace7fed3e2f0bd8e090aaaa2680787fc79303e9096b17cf6bf25d4f5f7a0eeaa3129a12af7ec4a3b22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1e88f856bf114789be43e19fcf3804e1

SHA1
5201b7004bb36059cf4f811d639b1f4946c12613

SHA256
edfb8149ec500cc4d432784d64423e0862ab09dbc3c6f88420a6a35ced89d9df

SHA512
eafabf73fd2e84711d5ee95436cd9c7a5defacf48d965a7e7af3445dd7f1b79859e94431db506b3c2cfa6e823584fb94c007bcd4837354845db08f93fce77f55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
dbc1a5c2c91a999251b6630de6f6d870

SHA1
b7fd1255a291010a1ba3bd03db44ac6e9d685918

SHA256
1f785442c5e2edb2d664f5a38d6c567af02e6d9eae07a71213cb70a0a693a068

SHA512
8f1611e879a09df2eaff43ec409430c6d9241ca1656b6cedf43b7e93fcf81006098e77310b63f25b8aa03ca59388a033e93b5ade5f4e0d00178b3b0ff2f29d74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0373ce4ebb3f98611c4fbeaff4dbed75

SHA1
203c84b125635ba912272a834dc8f1b4c2b679d8

SHA256
f1b43d20707bc57f4e9a861b856f02cfb5723ce15cd9883a479071fcf6476529

SHA512
546b22b0b93999581465fa21090ca47d03628fe08a1ddd788ea79a67843b8e0c962fa632d25bf770b80dc6c3ead728e40782c1b4e63b8d1bd904a681347b435b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4c0499a72fbb7b172f95e31a1568cd86

SHA1
c4aeea12a6a83af0e135fb6a77c318520961be38

SHA256
58207101bac8963bf0f391f7ca6b9b535f1b240bd10125814cdf20c8b7d0bcc5

SHA512
c39ced587b08e870cf41ec64536a301ac1090a92d05fc275c6e5aa7c4d9bd163b4df0d880b1b16af487d6998ff0b6ff53e2568270d8de047cd117775e6b21010

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f73bba5f254ab2b7bdf9a77eea412baf

SHA1
9190742814606669644a687adcc2d5128f788445

SHA256
b22be7ef4299c5a27d6113269731eb127b17961622d58162b1244a25a8f14b88

SHA512
cd8237c5f7463468d4c2094ca2b44942b5383a2cb7ba59bfa1c490ababc453ece4c51b47a99bc161011081ec88a436faa560ca5cb181a35116d28e9078a942ed

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
30fc82367a8751d7f806db3aece8910d

SHA1
55d844120152337a08341058afba617e3c590899

SHA256
c3a670be2b5f8d57509e214262f55c9b237a0bf8e6ccd561ec8a44531e5b1a53

SHA512
0d316709e612050c0b3ef93c3a38ed609de56ee0fe5dbaf1e92f9a06feed73c547e22dc034548ecab4221cef347833a34e6edbb989f707b3009092c9f3f954fc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
815f45b2b9557102b2504d81621df8fb

SHA1
610e417f9114df62a17fa7c3c4253e21b98b1e01

SHA256
a2394aa8897c2e5dc6e22dd718040f61ab811827c471f306bc7c9290fb4b05ea

SHA512
cc8b4b44f32ca4cc75e591f86d928c60e80b303daa0765928b3e25ad23cca44dbcfc00b0e4f69eea28f98d403861b68571ac18ed195a26664abd888dd685a720

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d5d0d6e2337d2aa2b885a1fda02117b4

SHA1
7eb68c3ebcfc208e6b7a8a34bbb079328fcbdf2c

SHA256
450f1732b012abf105c43616f7323a6040f1aebf98efc2e61f7ef33105cf870b

SHA512
ef432168caa4664c964dc0bdd91c6455b980477f05a82019bcb640e52669ecafa9660cfd51b30c72063b0ff532cdd39e3372d0ae8baa44eb5f886b35832e5cd6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f2331c9bf6e062e44574bf593da0728e

SHA1
0bb5e2a1f15aec62be84f997bbb7173cb4949476

SHA256
897327b3be3550d96207b80de35190116982a536f150260059f2e54573fd4b65

SHA512
d80c2952cbf7d3681f5cf7f07047b5c10b22bc7d3e2cd1c60dae3e8c0cc0d18d7281dbcb48ff5487cb5e618c6a89125b3d151a9ad1b4392daf34685a7e86e8cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b292ff3d123681ea6f3d92c10a9f39f1

SHA1
93e3b55b30dd9f83e8d04b937806ad8482dea9ac

SHA256
cd3cef7b7d4f21ba7c03147c27255694813719b32550fb0da84b63f5c044e4d7

SHA512
f9091b4b27fb11f3c83b406c093b98087ef5b2fddf8b93ec039d68e766d7d2deee94f9dc2ff003feb40acb567b641bd76b963d1edebf4ab1bd8c537c67b9c16e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
21a738b051725725690f263be644113e

SHA1
01bef1d86b649b5735b02640208854652de15a2e

SHA256
c937a2c72e996a81c87b4f831e47a94aef00fb37691a9006ee858aabd91d5b3c

SHA512
b19bc34121912537bd82149c3434df4f62bbbb378a33b699e00b5a06a58044ce5befa9036de17664b457746fb71d111c194ab3cbb5688d1bce17e048f3d241d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
aa8fa0131f0a0e633b4e73be324b31ce

SHA1
31357647c5b6b126459a2327e65dcf6eba7e5e87

SHA256
7ada7c9f1a612e428f375f3f5b7c16b26ac0ccd2f69b4fb74a826020db52e2a8

SHA512
a9110795ca7fcb6c4a210200c64463e81a3fadf148906dc15bd8ffb9567a57665960c19df39eb6e428fb6005bf2bc1a8670d98085d91bcd3f3977123199b2d89

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a88db739a6910b84a61a8191cffccf2e

SHA1
200a3a14cb8b6b3dc46b0f9cbd4052b734847f57

SHA256
74de0cb65d8d80fc23aa04db8befdcf00d1f928bc5333ff92027e6f0f2dd6ddb

SHA512
d8e97d3d3f435ffb4b05e50234c5c380732f7877680d68ee996757e8399844fd494646b4a14eb490b5a13f07d5b1b64df0c20a8fa4d5215b10a31f95523e40d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
248f50cde84e5bb222c6f53ff7fdaf78

SHA1
8dc6cc8b9822a0f968a02cff93f71fc95866a529

SHA256
c8b3b6a90c289f788886f6fccfa6a6a33e80475c63eaea0bca364132364734bc

SHA512
34d2232c84e2a55bba777701ed1036e6222d2b77fdc24a1b774bbd8b389c10d9461cfd00232146c4a2397072c9560dda8fe679a9bb4095bacee00b444db990eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b2aeaae710f2cb71334ddc781149eaa1

SHA1
944906d36f6d91dd829ab3a8c577a72351b124bf

SHA256
6f87ef1a1326ccf58b6e510077aec2319db444c9b0bca732d59bd97b5d52ae00

SHA512
6e9c6d07cb30558398f66b7fbd862c4726884c32e5bc41d921298d9c946c1cdb9c61ec774860126819c36adc601964e28ebc6c3c2857c6ad8783d102b2ca2247

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
fc3af14db85e9426f982def4dbe84740

SHA1
6b111c26d4db7237d1414e9e5f37fed54edfb01d

SHA256
2a277abd21578fd3f033ddd287656625c7d88a9931144610170fc3ec6887a03e

SHA512
60d4e66b7167ea15db112c072402f20b00814864b468404f185ba6f0554eea6e6e6615c1e634c996f021adbb6152cea24d8993023f07baabfdb2f6518cc2b0da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
ec5a8b03de69ce668b70fc5878e68b6c

SHA1
8857548a27d9d7b88c70a8ddc55984904b20b8f2

SHA256
462cfec00ad9928722c897d65a89fccad5ab59a95421d1bffef25bde90078540

SHA512
7a594ef38cc36e64e9748409e017e4beca1733e70152b0a84126dd3610e864023fd5b5f8c6548dc191fd3d8be56592990ec02204ade1cb58f8b8eb3a82e460b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
22d623c1e9afac23ac083b26f0a07962

SHA1
498adf0c946b5374f470f836c90acb074f960fb5

SHA256
0713fd3ee105d156f7fb3f5c1fdcff7a3859f4dcfbcde455cf7790bc4e06da64

SHA512
67e3992720f5f5f3190a6796df62a616d4f5aceea4ac29b95e83e630143095ed2fcd3653fd16696ca9fbb6b1c678fbfeccd7c0a5d0187ae760bf7585c7df0c4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
8bb8827bd898d5b3ed6495026d211390

SHA1
64534bcc2b2e75e5f2e02cb9e9a47c76f9330fd3

SHA256
4ee5c637c82699d5e3e268a3d26968b6d9439375780c93b4804ac18aa46f3296

SHA512
c282bdb4c2c91521824e823077c2a1b878502ffc0d9fd812a05ce846fc639bed0792bcba06f61f28a73bb9a6dc0e020e966632a374662bef0dc9d25dfc7a658c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
f996d2a01377408b66af02d50e4edea1

SHA1
8017d2c7e4c16d8b4df611cb2d43e3e6ea6d08a6

SHA256
e8f0bea4d673cf5c0f0a6e6b2c3d9fac471c767dca49da44df2a97e25e239590

SHA512
cb012514ae193ed0079b3b267d517661e0d492825ac0facb225cee6e28dc49ec479203a740f4fbc058713ebb8d8c564bb30a2ddc5e55d5b41d7476b2257940de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0c144dc1c4ab0e02fb9933e75e8df4d0

SHA1
309680fbf7c7396dcf0537767a8eaee0962f3b00

SHA256
337feccdbfff87552ffe1f2203ee8608ec595a5c9089cddbd5130836456531b1

SHA512
17340914cefe73226874ba08bdc9952214318ddc54773fdeb0d3bb43d224945c1314fa26844577eb9682dcfb2c3d8a31aaa4c704afe63c27d1a56abc2d4b8fc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
21fa70b0a8315cd357d00b880a6c4b6a

SHA1
047aabecfd1bbc4c336dc42bcbbf88225f346a82

SHA256
d8b0eb79df36cfd99c53f2affb3adc06bd19410e606a4bc0e512d8a8a57ee22b

SHA512
d6b87afa9e056877743aec2c0808fab7230144ccdf0dac4c763f9c133f46d9c4999f659ea0ababfee133b7c36d02735e8b9f7b34318d0322cb458f5ab1a65a07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
1ac613399aae8bc284d0e43644c82383

SHA1
f0e7170899630f895f655f9ecda39e948d689dc5

SHA256
d4edd8c530b18cd8f486075b6264ec0126144af370da1953598835bccfa8a381

SHA512
9d680db4965015cad59300657b6d5a5ca308b707fa9cfbc5cf651b6a910037fc1d8d39248efef8f26c154ac00a1474d50b57178b194f681a620304b7bd80ffff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
8e3f774bbeac4ffdccaf0e4afcc3e94a

SHA1
3a25d4ded0b44077d96939ee891d71f7ded0ae61

SHA256
7129bda11128745359ecda7c5e7e4e0a86fba57a1dc4bf6918a2331a83d67a72

SHA512
b8ab5857d3b55f6eff1f9c2f09386b6314ea249b2e990bab1e900c9a8b32667c80b2b7855ef97997b3b810e29f290f698566b47f99fbab1be664f09d0d90ff31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
8a60562aba05b98c367e0671053c9c74

SHA1
b2e1d7ae2b40b9695827712039a4b50218c9aab5

SHA256
f59cce120c3307042f004cf068a44dc6e8ed3d40599910cfdf5d8f6fb080fb23

SHA512
66ecb632403ee3cb1b0168d4c8884892fd154a04b0d82a685efe6ce54987e8546b8ecdb301e6a68c7d3d7cf9a4be711fd4a052d75d8401fc8710a4b4e0fc9c0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
52261c0aed79d504b2f2b817dc17669a

SHA1
6ef883f659bb5f4b0c3391a91145080452894f0d

SHA256
0178a4229e95a24e908272a67d6f1fc8f0aa5ab4869dccbef4261d5eeb9f2ee2

SHA512
aefbcb93f62808cde82df3031e2ed666c2ec27a896fb7f14d8fdf508133c49563481d064cfb1c697ed49de452129b099da0d683f4a1bf0bf1fba31df34c18190

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
cd5d6a7f2d95436e19a884cfe4cc880b

SHA1
d2257647741d67ac0ab05c5d710b9a73f71133be

SHA256
856c12fcff6d0e1b13e7d77752506d09d33cbda1a01c1a6e332f02ba1d6e6bac

SHA512
992562f190081d687667782c83d4cc060690133e1c1bc6b97d8f99d004a2467f1ba10a161369bcd982176cd7b989cb842e4ff6156c6529391f65f256cd5b06cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
f92f9a173fcdba768e851297c6ee7136

SHA1
21b6f8e7ab929bb7d5252e6f2b148b9345509f41

SHA256
88b91b699ee8cdd7a0e93dfd8ea3b35a28c8853d360d9e4006ad6b9c15196191

SHA512
8b40b52586278daa1302878ca8645fe7facc478207e5811f4079686316cfe49f1c07807127547b6004a24e499398d6ba1b9376ab39da5b48d00f4102fbcee128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
ce842245152a269edd2d871472022b06

SHA1
bdc8c5756e3deb5be009704c64a91d8df4946dce

SHA256
5cb2e4f824fa666d65de5866f2ca31e7cdc22d48931de4b8ed83a91cdd51b6c8

SHA512
47e4a0aa9bde9fba67ec8472dd122e8b05df0de4bbbab4683b7378c6c41d6fda9a15cb594abb5e6d84461cd36b81ac5403f862b4f1de9330d071fbb4d0459537

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1f8ae66321ba290c4a12b5ec49c15025

SHA1
54424a225ba7856c182d80e5239a68d31c663631

SHA256
4f8de5590d85006eb3ebe307a97fca30a24177851b2521adee125e6bbac972ac

SHA512
72a1efc43d394083a98a5bc3ba863731b84b7ad648a51244baab8a9691c145454b842f99f43b1ff989d3b97049f3a9b1c1769b4c9376648f028feb05f830173d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
2cf937b274344ec4394c49f3071f7b4e

SHA1
714633cfd2f31c7abf4d71fc4527659289128919

SHA256
5499a2f4b1e5df1db2c523a8b3a15239ec95ad7bec8fb77e5a5d437b0fb192c0

SHA512
59983e01ec153233c38b0c3bcb59e02c903c39936256d3fdb0dab2eeaeaded246b84fdfd31c05a7b1d3f6997d78b348f07ee8bee3850276cd2699fb7a2f42e35

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
31f9f1d8ee2a3128c5f36228f980bd84

SHA1
c369e4345b4c3789469e71642527012e540bfeb4

SHA256
ea769a611a22d57170fc9a720dc992090e7b70032019d534abc94729cb7b2b3a

SHA512
f386dc1ec09a073f19a6f1e0dcbd0359adc2a9b84473a90ef86ee1769152827df7bd3b7d2097b7e3872b1365001c2d8c1ca79bafacd0d27a7ecdb48cf6322603

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7b2fab03b5867c1d7636f1348e59e75d

SHA1
3ba2f1083aed34fa41ff69dbafe54b395a91cee5

SHA256
a9df3a6f244e9c5d8ccd3667c87c912b98455cd1ab78ca3059ac5822c6d02986

SHA512
3e64edd503d161668c229e6245bc72eaa23d9c5682376c037912c1310ab670eea7772fe998615a25b381a3b9b005ff2123d926ee53fa153140c148c7585457c8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e3dc05276cf0a249914d5ffe8c8a2018

SHA1
20ea12c91171e49dc4a5d03634778dab8b6b8a4f

SHA256
25c00681114bc8e2ae9cf521d74c4a0e2eca6d869fceaff05e013444e8f4ed8d

SHA512
ea7dfd2837e2323e4f5612b60d53998381cfc11d1964a772650b385d097a70df6047121560045e375e459855a015d079d0a90745d3e03fb431b258d6a217096a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dc4c11968d68400bfbc02295a0fb7088

SHA1
f8ad7c69ce9d952bf5036f98d2d93bbbfe82311f

SHA256
d84035b6059fd9518bf900da2f8d4a46882a2e3c53696e880b25a11296b7085e

SHA512
1cc30c4f0b4c3012ccb1b6e30e203b51a7ec383095516f764791995df4cc0fdc195d75c4e25c68b1c4c96e8fa8003ad462aaddf9475f6d0c1d6f141b60267775

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
43a630654bd74409513230b8b474c50f

SHA1
63a968c78ae1138b8857759d8934678e0e34dc9d

SHA256
10a2ee50ac5680252ce63a9c2e8d4ffbdf2e4ff11466cb990116347dbae5529d

SHA512
84c428dba703f08a5fe7af40ff206b21a4d1edc99e99fd4f121cad4195d15f8d8d5ab31685a1d364942b2a187576f5589126772c8b8a2e48acadadc032b157c9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c7b0f62e6abe0575dd9e8f584112cbae

SHA1
273f4295560fb6709626a35551177d97534cf6db

SHA256
caab8e379c04bd735b2a424bac2818f53dfc29e69f75aef9050df6b68f33bfc8

SHA512
faf991089f331437458275aae3734fd7810e7a082e33f5a27cfdb20f4c63eaf18376f686f10362eb8bb32b0b9fe43d88fd0f087154699103a46b142ec4ebe202

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
9e8a4c37a1eaa002b3cfa90d2a519921

SHA1
dbdd29c5b5ef1ac647098d7adcae7b03adff307e

SHA256
010f53855288112ba8c1d14fd2990f1d641359c2665f261154652b99b10a5341

SHA512
39eda270dc2ea1fdd3536577bfc13e5b41081fac1c36e5c357d2fba1921e1104f2cfa0804137f5970e0c29fef8d64e37e3ace5e1f5b2b189e40ae773f40b3c11

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06010c387d4c6b60d05dd507a2380d85

SHA1
27b014946673414cfac279eb57d3e97f947ff1e1

SHA256
196544a4a382be97c8ad9fc7a26de2615bba084cbf45e4bd95c3d982832ec822

SHA512
ac70c2d71a33a24301443fdf432f352a47bf17558b9c603384977c7258292964ee6d6ba247ac1c6617fe243c14d1f2751b1e2fbc79a65fea59af8febfc48ecb9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cace7f8cedca40b4c2cfdc1fb9780799

SHA1
15bea46053b88aff5c2688c1e7f03872be402889

SHA256
0a61704829b02601a628837166c08078ecbb13d7720b1d3208b38e9a1a7e2c98

SHA512
fe23bed87fc519ab89358f5e9c4d653cbf0d0158796b4277a0ed88174dba53b4e3407a52ec2ea79afc1fc57e927252ed3366e9d09216b6c9f7459aa8e6c7ac1d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b7cf764f9c441ded83e452c42973b259

SHA1
12b6c0c41dfe5c8a4d8bcb37dd9058984a281098

SHA256
2cf9b483f7238dced9f076578f5a4bbb9c7336b1471b2b39ef7302940f02c228

SHA512
6fdbefa21154be7ddd228198573e01e10a03f21409b3579e37efdf6e59b5f2db56467cc19a48a94ca563781b64684f91ac7ab697988a1f501ec1a7f1b5b2fd2e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
eec6e0d2ba98f7c1aedd7204ad049256

SHA1
291a13a993855261d4ba5b7d83240f0a6996af93

SHA256
ee4835f020bb77b5256fc7d8fdf1141c1d8104bd70901dfbd3c943a16aa56b9d

SHA512
50471bd31fd029e2cdeb05e44deee94f93035fca900a866ecc2547d3c96277b0ea3a4d876b292fe232541574ec7718bcd74ccdc5d1cf4240809baee1118e668d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
193e3c8a74193805e49dff5fb189bf9a

SHA1
bbb72126ea41dea0a558f5a137cceae589e9a20e

SHA256
0fb2b35123456ddd2121f459e0afc5598462178d16d6096af45ba2744c92b241

SHA512
52f5bd762a301e4e539403703c78105920b0981fab74c71d88ddf7f9f35257e4029bd35f078745705f6a25b1aa622ca95ba001ed5cae89594b817f180298828e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
717ef052c5ee60e2275ddc04eedcd511

SHA1
8ab7fd78f8efea7fdb61a4bfc48d2469fe763ae0

SHA256
998eea0a63bcf40027ff368c9a1265db950c114597061d6ef60eaa32d544b6b1

SHA512
9d467cc52b058feb64740f2cfa9cbcec1249f34dfba7d4996813f132292d0a508ab29aa3e06fbd8de423f4bd2a48085362ee405952e75841cd2135386c5e6ae9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
49a3a10bff3c3474230533ca0b91d1b7

SHA1
30bb4e2a273b3c9edea936e61137eb11fabe62b3

SHA256
fb94effca5fb915361223835b5be3e77571b11d96d20ded62665e0fb31c08ee9

SHA512
6566c4e9ee040181f59acd789f6f2b4b7e5023deb0c4d1a62b3bd8e4f64db648795e12079c439977dda69b22a4bc8d4458e911aa4a16d462862e7b22702a07bd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
eb740ea045d4305eb2fe1495ed41155e

SHA1
cf07d0da5c240327be95d7e982dbbab0d70af0a3

SHA256
09be05f5c5ab456ea4b6172e703373240977da6b5a4da555b2f47f5c1a24c27d

SHA512
37757a3e10918ee97414105b41e8034704c61443e8d68c0682c696ab4bc6ba65b91c7075df965dd53cf96b2ff2aed158caacef0fcca4f08828b066fa422525d6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
05eaa070a4bae33b9e98553c08bc1a82

SHA1
8ac5536a949c1e613736b53ca0401a524650694b

SHA256
3554b377e91ef25fe9be095d963d5cd0e40662000f8a0eddf0f5d65ff2cc35d2

SHA512
816c074f0e74632ff47bf8333c7ec42f154df01c480cae801493c6997a4f4828e17683461cd6e5adf9f02692261ab0d09da442a3504b9727c4298ebdd068aeab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
c2e0f95acc512d66c5780abc4277eaf6

SHA1
17e44941c4ed00dc5888111e323605e13c599349

SHA256
f00ba2d5a7d0494dfe19c5d12f23fbff49c1593a6e3abefa5cfdafe5d4ab93a9

SHA512
f44e8086451fa098c0bbf3db79ba11b3cfb4e30160a3257d88e899ebafe598ce3b10d68df2cda4a3122d901bd235f65a231feb59baa0119c726b647a121f7b9b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b26526ed0fc5af92dd7f79afacc3ccff

SHA1
171553132e5ca94a4f3aea5f76ce7cfad5f21441

SHA256
a2634102778c6f240c689b7d3d17df2c7f49e66c09404ff4346d30b68df97d40

SHA512
7a9da246a05a5185e95cc6f8d0b7235a194895dabc8d24205777311c72c19ef7693d9f4d6850caeb69532628b504976dc6b24ee49f8e4426d5619306bd9729fe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6aada4a157320f5df85ea3e7314698ba

SHA1
dd591d0c56a720012bb537f9b429f417a9b71f20

SHA256
304d05b80daf49d18c4a1e6c0328746eb98da4af70c0fbd60822bdd40367c301

SHA512
55cc67a913194525ec14784998e313cc7cd32d0360eef09409d99af14e64c1df7abb4b0d462419eaea036d211994946e7abcccca287a6d8d01066fe573d9aa3e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1393ee6287fe45638d03dbbbcb5c42c2

SHA1
0fc040828a74c3b90be7c7581d6e5ee7067dfe45

SHA256
bd46ec4b95b0d93c1368aaa2d20534aac0ca4309634f505788b13688e6d2b174

SHA512
01d90dee04021e6b3672e9f149800037c30bf5ce7a348e536708d5fd334b98863acb997ceaee60a6a1b769b96c36c4248af6c129f52cfc4e95a1679deb24eeec

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
7a50f355f31903f3b9fa4fe68b263116

SHA1
eb1b609cb49721e84c71c9ddba6f828e39d3eeae

SHA256
322830b19f6004d645c597d299046ab74d259951e9bb2d1030b02296cdccfaa7

SHA512
ff8d370b2d75216d1f84763587cbd815ed81bb83d95abae542706c521efb5a91fb291b3d8de5e95abf8de995df2ae08956daa82ebfa7d23e5c112405c580a107

Download Submit
memory/432-98-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/432-6-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/432-0-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/432-2-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/548-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/548-537-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/556-248-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/556-540-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/736-467-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/736-195-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1008-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1008-32-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1008-30-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1060-86-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1060-95-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1428-47-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1428-46-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1428-53-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1428-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1576-260-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1576-145-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2284-126-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2332-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2332-539-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2644-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2644-543-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2776-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2776-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-35-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2812-55-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2812-41-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/2812-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2812-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3060-175-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3060-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3060-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3060-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3116-429-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3116-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3352-375-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3352-159-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3980-128-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3980-247-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4228-224-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4228-114-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4364-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4364-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4364-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4364-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4364-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4468-212-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4468-107-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4628-176-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4628-457-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5072-538-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-243-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5080-124-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5080-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5080-18-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5080-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download