7831bc16bded62e03135c81270a691d126c78c0d4606c24b160db2ed83bfdb1d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Size

712KB
MD5

f9b5cf3ae8ee5c0978dee7f68a1a3b05
SHA1

f6e7a6c6d69aa68ba443b172cc941da7c39cbb8d
SHA256

7831bc16bded62e03135c81270a691d126c78c0d4606c24b160db2ed83bfdb1d
SHA512

752377d77514d153ecb10cd7bb0c35fbcd66e1a6fe04efcbed5dd8f35d92a77b94f71f7798a4bbc376e4e5ae92fc1ac04a2f56163ed0c1fa47b30fc63a9d4ee9
SSDEEP

12288:rtOw6BaT+lCFcD1goThydrWUeB+QChZsrwbebPeVmfCUqVfZbdbHFj:Z6BEUOoTqy8QCYrLLeYKUML

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1604	alg.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
1252	fxssvc.exe
4600	elevation_service.exe
1380	elevation_service.exe
64	maintenanceservice.exe
3008	msdtc.exe
5036	OSE.EXE
1956	PerceptionSimulationService.exe
4564	perfhost.exe
4720	locator.exe
3132	SensorDataService.exe
3192	snmptrap.exe
3024	spectrum.exe
2816	ssh-agent.exe
2552	TieringEngineService.exe
3568	AgentService.exe
4336	vds.exe
1968	vssvc.exe
2632	wbengine.exe
4928	WmiApSrv.exe
4168	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\609595eec3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029397d7c3aceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2f9387b3aceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c724897c3aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b417547a3aceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007c0c47c3aceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Token: SeAuditPrivilege	1252	fxssvc.exe
Token: SeRestorePrivilege	2552	TieringEngineService.exe
Token: SeManageVolumePrivilege	2552	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3568	AgentService.exe
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeBackupPrivilege	2632	wbengine.exe
Token: SeRestorePrivilege	2632	wbengine.exe
Token: SeSecurityPrivilege	2632	wbengine.exe
Token: 33	4168	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4168	SearchIndexer.exe
Token: SeDebugPrivilege	4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Token: SeDebugPrivilege	4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Token: SeDebugPrivilege	4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Token: SeDebugPrivilege	4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Token: SeDebugPrivilege	4580	2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
Token: SeDebugPrivilege	1604	alg.exe
Token: SeDebugPrivilege	1604	alg.exe
Token: SeDebugPrivilege	1604	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3340	4168	SearchIndexer.exe	106
PID 4168 wrote to memory of 3340	4168	SearchIndexer.exe	106
PID 4168 wrote to memory of 4052	4168	SearchIndexer.exe	107
PID 4168 wrote to memory of 4052	4168	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_f9b5cf3ae8ee5c0978dee7f68a1a3b05_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1380

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:64

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3132

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2188

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
00e9b6b14d38e63b389939471ccab667

SHA1
813e9ce08fc29f32a5caca6b0ed5b41a5ef4fbee

SHA256
66028e5375aca2697a77c72c8707340c9b881c00dfeb586a7e48505be585fef0

SHA512
225733fff8503945859ababe072a574bce96bcb058472b76effffe084d83b5735f4bcfe6520b199a4545c754aeb862a52f9e3709b08e2cba5544cdb1981f1446

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
3c0ecff5664f3e2b281c27b6a7e3161f

SHA1
676f31f7bf451c802b960fea889d9400644a17fb

SHA256
86661ca5aa4f1a90a7ee30d74a8a9da2e65bbcfc1b6fc68c33d281561cb7b44c

SHA512
26b0717d4b9db790c7792d801ba7cb7095d7414030a55358493bd60c791a0ee136581f68641b7399f606971f606bdf61f48901cf1ffc6a4d7ce1f6a35dd88cf9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e5c58e9a0135a8a24c5ee394eca224d8

SHA1
7ed81747796eac5581bb10b72d10c4a9d947b4c5

SHA256
987c4243345f66026494d9b84c0a72f68d7de60ee5c2c6cf26458ef5e4780d74

SHA512
cf99aba17123f577e0d075d084230a34089a38080d8dd3f6d8ecc7791485e066bfc6dc72d2480ededaf6d3e31700354be900e82b09b35a01b2efb83454fc8307

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
843cac48d9bbad8afa52fdad59239444

SHA1
a8c8cc399a5c4ada63a42eb902b01b0ea83d7235

SHA256
87544c327042c4ccc8c18763fc4a25cddbc54f8acb18276cd114690a8082e2e0

SHA512
ce7cd9693315864f97e6214c74fdce41aeec2a50fdbddad3352b517a420b1a6e6e80bab0103e1019c5dd6635f87f471eb2aa75776be16039a66a1c5166efc45c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
aedcbde7f4004a0c0adb0b3c4c12dcc2

SHA1
ad68d7b5036624c4205ad8f71111bcdde53f0291

SHA256
ba7ce5e072f79eef0d01b24bb4eefb724da59fe1aae79c66ab6df4b2f0f301b0

SHA512
7b801e862b4564c8575e5f8906cde4dc36b62832a5fdb74a4e9fae16251b8dac9c2f4347e7d118eb9c8c15844393e07528892defcb18c8f0114d8eac9d807a17

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9a71b44e405fe9c8e1431e5b0b0c0961

SHA1
fe9d6c8917c3b4819dba7492345809e1e883ba1a

SHA256
0d9bccd6370decf2424f1a2e6ec925ff0679dd132c859163eed923bdece5d217

SHA512
6206674abc359701da688e3343b3203f2afab3eb41691d1d21579a5452f7ef202b46ec3b178edd4c8c17b34d135eeb3fa8858e687b16327075651f780aa4d557

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
396353fb08fc3d10575397c602fb5a2b

SHA1
5f02964d1cda5bd89cc012ae584843905810cab3

SHA256
0551e21262ea3d6d05be93457a5862bd3c2c3fb6434b7888714359e97ac35e13

SHA512
3960bd95d3f40363da27f9b30a98c41e72262bdc5c305c182b1704cf55b679f4144b4d1a286c0852f57917c757c9b7fad64c776a4c618071a40ac4a304af8845

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f0534f51b0989d4e0ed809dae6aa819b

SHA1
276d4aaa83e07a8abfefc1573d8e64bd3fe528d3

SHA256
839bc2148bcdeb0152fc4f1bca84b96bb7c76f046a689f425f22783382d16208

SHA512
c87ac682ea288dd7e73ccfa1f8904a3a3cd420b4e7663ed6c33e94bec6fa0d0d5c6448f650661809872f1685030e56f16eb2abd96e0d25908a1b7207259280b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
687bf9fdeb48ca5799ed7061c45c78f7

SHA1
2e4bc411fb65de3b73af382d36beaca141f43c18

SHA256
67beaae5d4c2ff7f5000e7de54e76dd215b14b7f9ced1a0d2a7feb7d97d63058

SHA512
369a4bb40c3de121776ce754e90a6f90c4f3b9fc7390ff07999c372eb72c8d80d197cf3ac3932d7bfe08f0b65cc3cb7ed44a6a2c7dd7ce79a5d866c82121dafc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c500e18ad852da517fd62c3599d2b7c5

SHA1
4839933969c98b8d27b3457f5807bd270d7186c1

SHA256
26e9a8320266e88776d7b3785ba01a74f0ecaa6916c3a25a3729dca680368dda

SHA512
9bb62885da8dbc98fd315e0bfe6bad34cf5035b7c5bc386bc5eabc0031f3d3fbce8f33c3a67f771b3de469d9af87f4e612d591267fd63e6af107a46d610b24b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
394d73bce7f9b58805b6f68c0c866e61

SHA1
52419ee41f4a94b79c557dedd324ae05ed7e96ac

SHA256
e38de0fa2f43bdd2966883d4fbaef72d4b5253e72cd3ef162919eba1536b74a5

SHA512
0aae0fd76f94f5b35de65b6337155f020df2c962dec3951b43e769cdaf1778055bb234cc4b1e6ac119772c5af0ab72150d6fc35ef7c812289cf3e983a2437168

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b000c7eaf5cfd3a03c37c0e9afbf8553

SHA1
8507388b83b65d95f50ec8650142940201817a46

SHA256
f5d313a3032243fdc57da7dd91f7f3c0469b169115f4b28e95c6f0d571bae739

SHA512
fdef097b3dca7f04112ff1b07a931bd064747191e766474a40ed56ea15805c7a3f2922ec0ab38f64e6f4e8fac564fea9e760dd61344159c6a1f53b3a0743215b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
efdc24d3f3a692f5ee1914532e659e41

SHA1
013d94afe33898e8e2b3f3df8bc52b94d826e0a2

SHA256
b24c6a5963d4515d03ec8e57dc746c6a83bf48905a8ec505a1db31b078cfce6b

SHA512
87727b43e28d00ca095e45a17206768d725555e722fa87471939cc6b5c3d3719d964714d1892e8c3c6dfe65962ac572a90d6972cfec6b09d0cfdfec6f6553c75

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
51824d3d7e8e016967a949e273226b8f

SHA1
7f02665a4da36daefc722288b5b7d52a3ad57211

SHA256
f35309dd24465f0dc0af43a21d730198b50f6dda40bd46a21181335b20eec796

SHA512
4e2c241bb441ebcf7ec3e4a269daeed6fc6eac264cec559d40da8da8b0211b1b86b630b40fd7d087414e6c5fb2595adc6145b085c36d4be1ea289911145155a4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6051987696cb7dd2965ba0730f63cd75

SHA1
585c5cedcdac2db17dc9710b26e9583a4c354950

SHA256
80a59bbbfafa75bacca7c7a91eb38826387094983a7e4dff2492e1a11e882deb

SHA512
fa53e929c44d5f8a3dbdc0f052e30c703ab3c53c696468443989014642e7a9f5eb9f2a34b3f37c36274fa29c8528fb0266b1390a253d854fe4acf144ada9ed53

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cb9e552c19c4e08923efaba1a87b7059

SHA1
9bc8f5a8e37932400c8f578cd0236ced43bd715a

SHA256
ada9e3d072ec53f97af2d00213ab03084afaf543f08e1b57806c622c64686079

SHA512
87c30135d04ae19770b6e70ab60081e12426c5fffb78af16b65c57bc67c2e5ae30f44799e406dbdc680b89daed80f8d5c86c6749d49ef434d648af491992b274

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f1be0da496e5a788241cef28229af4ec

SHA1
c328cd90ee8eaa2b5358773bb7238fa0a0011b63

SHA256
55528608574c83fb717336926d03e0af1d142ec323f8e855700c0f3ef2567caf

SHA512
c4ae486dfcbd14dd20d24ecaf99c351cec2cf10fb2ba9e0f158884213616cc0607eb9841a68e134171e8b08e6c9eabfb6e27184be2010facc5db072b0fcc28b1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8b7fd6e3391b8cd7c0b3d558e66a309e

SHA1
2608892c7b7bead07c288df77272028bd5f4536c

SHA256
fefb8145e2e078bc0eba109087073e0cb275a0c164d2cfbce9743bb84fe0b614

SHA512
8d40e42efafcf3ddaf3efdc4f1bcd7881384caa299db0815bc560a62712d43c57a00937a8e96b5430f722e58ecf28c2748a4dae23491d5b3f48cc346e08da5d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
be4e96c11aa77f7720a428438561f276

SHA1
a868c7a75173c407277427525e587317025759ce

SHA256
33ce5fe503aaf1643fdf28e5d7b44c5dc661de41b5515c3a06b9d02ddc932e17

SHA512
79e18831fef4180edd2876f23474529f29d5fb0cbb6d5c9843e791cbd7f8741f90865f35f92214e4c72cf9aa6802153c5dfe0863c19238277e5b4719f0c67589

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fcd2c51ea8dc31f093f9852cd2ec20ec

SHA1
c4a07a7dac6cdca1df346e58c3da3f0729920bfc

SHA256
fd8a993444531f8745d2507b495c7981cb1f9e01be372dd63be20320ade71948

SHA512
44bc5a8b15ebbbbe1a38cffccc1edd9e73b9538db45f374010e2f05854b41270f30cecb7e746095cd75980bf19de207545bd122e1bdb112d743e5e8b60355d6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8190ae492dedfeaf503a605639db2e33

SHA1
1cf926d5937eca21d5ba42b2b1a3255ca54e81d6

SHA256
8e92c6f071e371c9a4855f7c30478ad6ba1e3ce27446f834acef4f83263530bb

SHA512
7c3fe74c7a850374e86a3dd0caf23e432a166f25fdf50a21925284d2a542b05f00e08b3b2df6e69fd2001c8fdf34aacd1628ff76cfa197ec1fab7a7392253056

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
827895c9380ccfab627f7ac514222cb4

SHA1
88f38ddd52c13f17613b912fb0b1c9a4cbaa0256

SHA256
441ec9beecc9cb2254a0e835ce32f3c6d23189be5bf359a43a37b5ff6e7271c1

SHA512
12aa790cd65a58de6814b7574fcdd76a979ddf42786ac1a60245fdfe0ee0ec37d4779e8cddd14287d52bb3b8245ca9e10b329910b1016d1c620c7eff73fa911e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
4cdf4a72df91230b6521f384adb318a4

SHA1
a27822636aa0307f92f3fe5fc0bf66146083bebd

SHA256
c020cdddaa1f371fb8d649e535ca8417726d74d1af281924bdebd3214ed6c652

SHA512
6d3271dcae57b25fa30bc3d1372b50c0b6f2ddc67710f756db984010fe0918751417c457c14b1fb71d9f365d608830fc0cf21bfbea45990e313185d7147e2e36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c3f366894eea2888914b38d230d50a5a

SHA1
841f94ef3bf28e99e5c61d215cfa792a7ef2b4a1

SHA256
2da6a2a6ce1daa41feed8308ed6dcb4b70f3cb20fc44826ac5965a4ddcf5d7f7

SHA512
a35e9ad618eeb23c345e33970b1af2404c3cc756fd03fcb425d1c83b0ed9463589da2eab87887a5744efdac5c59721cd5eed9cd02195eb2c3a614fec25b61488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
fb397266ed9d7000115ba1032aa0d122

SHA1
281e77ef6f6cb7998db41c21340e58535834965d

SHA256
a58dc29e785fa61ef36949c2e56b6973e1a4c9dd30d1968d5dc6423e60d8ba8b

SHA512
6eb876b2df1f91f0b10657f2a46f3c54771a17d7635eb76961895b5005565d1c357e75bacbbd6bc70711df1742a9e63608f48ee1b83489e8b4bc29fecdd1808e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9a10d1080ed531b8e010cb5e1272ec79

SHA1
c5b8568d55b30807c35dd3c1e9aa26c5e504f616

SHA256
eba37dbf15550f1466d760a0398bac27676402b7106519e061bd0aaefc08e1d5

SHA512
254e0ba4be3dd86b12233140f386dc7d78c0e123139d1632f7d7f4de4d2b12d888ef1d07acb400eb5256744b9599654ad20f30fe99d7dfb265fcc3a782337584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fcf3bf357279e6c2a1c14a7d28916352

SHA1
16820a50c2fc9c0c8202dd6ec23e98d649181a79

SHA256
22d8b8a936b37bf7d6bfd9e71ff65ed6765cc57efcc59c7390481065181d5e97

SHA512
6b0f621b911d0c8ea814b2b49404e4ba1db783b7640cdaa4a80dbd6322f64ed509abdef5f646959fd834e85bebc06afbf7b77da30353fec12cd8ed1864d69e29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6027917f576ef721fa68ed64779d47cd

SHA1
46766d577082f7e1b11863c94bd915901abb4e2a

SHA256
33c5c6c771db790244dda40a3885f273ff094e758a34bf05525773d5b51d16ad

SHA512
0d6098f8d6f70d1d683f20b81964767a584f4e64854c122d35979ca58c2c422cd386047610d2aa19764a032cfc3635b1cba992950dab86bff61df96069dd9ff7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
66f1daff1f3936952f340e3b793d97bd

SHA1
284054c18dc8f2cc07e83c7a90056cd72419fa72

SHA256
2d6478c450235653a47434be205fbf6e207c9fbf27c6ced433b8db6899b38a46

SHA512
bdaf384c1d037d2c5f0460f958a2d6ae97ee7e6a9acd4463a15d4cac989344f649f0eec6257da417fbf86b4ae5711878d6b83497afda12921cf08734e201b144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
445383d964d2fc2cfc79cbec69f58a3a

SHA1
200ae66f14f526673fd6fb18514c7cfadc276b6c

SHA256
6249349548089c3204cb824830a7c90548d5893fbc31d5f5fd5900041ba610f4

SHA512
b657713183a26f7f91029084cda413ee93553a39c0f558563a34383d64b60b129354f8a58d48d04dbaf901226535094edc80a99f4aff462393e8bd4c547a389b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d70e347c9f6f4969c30bf41ca88c9a85

SHA1
8543d3be2e21f06ad10bf16ed75817789f04362e

SHA256
258bb40f93391d810dcc01422ec7d1b99d2c970a34444e49dd18209d3876b34c

SHA512
bf1f6d43b3f0d4cbe59bcb883ee550005e760f6098e0afd734d6e3ab63604439fbe4a518b09a9761bb59325c931a6c70d657949c61d9f6ccece10030a20cd9bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bf3e2d24baae320bd29dd5cf0530fe60

SHA1
7a3f2409f275fb8ef146b69699bd6a060a639604

SHA256
c8eb496b0b59db647d8739f366d8b89d7fc29cf6edd074e932f3ab516cf86274

SHA512
ad3df1e8367df4b9ea2da55488425915f6740fd20834a07a3b56daafdc50842e6530dad74f1cd54f57626e840b5b42329c513077819f6e35fe7623b70c611876

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0e227bd1e861526aa5511cb4be4a5537

SHA1
32cabd093c4a81430c4fd5d5e5104611d0646172

SHA256
483d3f138893484218fd036f822029ad4c6c004cc6198074ca7f681781c85d1b

SHA512
0ea47ed07a7bed6d64589551b9089b1dcf3e214c264f13f6bfd7c9b3c89652e7544f336f7e0341361fbb6db99a9c0b9774287d53db98a98f62c6ea34cffa86bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
80ffdf662267fd56d227070e338ca020

SHA1
b80745da2dc7e9acb0d342d44596e4c31f0b98e2

SHA256
d599f3200cdc3945c3b8e745fed08ce759f7281aba7cf81afa638f05b487a3c2

SHA512
ef0265d602bce7bf2994862acebfe8bdeccc074d976225d284fceb28ac2386372f4e88e30e8961ac0387a9081c4ad080e5991ea4d8c473880253f5d49f796d26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
b27a35dd928ddf24494a1fab0ef4583f

SHA1
8e51d9c2e1b8607541eac6f757d478fb9eae8a13

SHA256
e17ae72b4e84710afb0b4d05a4837bf47a484f730b4caec414a2d1b3392e083b

SHA512
b0bfebba981ef24fb023264e47ac5db42e5a25e3b284a52fc0985e8fecab7803e29e2ccebf28cf273ef064efa0f60ae2fd3a79f4c7c93fa3f1d8d18fee4440b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
34e919ce3c66c3a75854aed0ed7c0ae5

SHA1
4f5e4c854df5a0e8a9a64aef9fdbb9d5aec98d27

SHA256
658961044ee0eb5f553797b32b1fe740457191b5b6515f6b622c2b0f0c745c93

SHA512
81c374262b35a6b71d27e1e37f9f1a8942111b58e1c44586add72ae2dbed8da76ceebb6c90ee279c369f2889c9f1a53015087294f7ccdc2815214fb477cf2745

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
31fe7ca185a334e208be31785f5d1251

SHA1
29ecb0b1cad2d556c1b4b65e94fd390041948db1

SHA256
6581c9d0202fd0fd187158083da24d6f6432dcd2f8165859c8ce426b08c55ad2

SHA512
2d391a8d56e8bb4d870c0414f94a7405e7605947e0abcd88e2a6462d18d4af3dc416448096e83b8efe63695f820f2e6dd0d83d19bdeafb5deb1cdba476480301

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1e361879b7acc2cba698fc8b7725ad72

SHA1
59d0451bc7a5a5672b4ae2b56fae5be6a980b52a

SHA256
00b4e239398622ccade134fceffbaf1baa94b2556cd54985b1cf98dacd3849d9

SHA512
e949d6588217ba448417fd80087b39706a7a4df3a7052e6b64d88a2c87cd6cc639748e9003d563da6951295c40d86eae35f1ca00e3b2caec9a29982fb60416a1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
44a12247c529823089a5800c50548859

SHA1
389bb0ccc4ddcf9df41f2470836de521cbce90c5

SHA256
ed1f0be482e254b30a43abe9509df2595f2894987e1e42e00d4648e286229f8c

SHA512
76dd2b5f32517020146e55173867862b94ad9f4ab02b03973c6d7d6154276a1c6dd2834c5ae09d6aba38c56d5ecfda9a55b661d017fa7d07582a3e74bb5e740a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f042959c0caeead1b644241f78ab3927

SHA1
3a6147cfee0ae0629ff89caa67d3319d5b5b3d18

SHA256
d3e32032a48cceeb3a46a8d8214028f4448e84f18f610bc03efd8eb59c0f7d1c

SHA512
203039c5b1c44d020ba7ba82771b5b2c66dec1ec734dcfd9db4f2c95582f91dd96df3b877e136c96b27b61416bb8b4c9e69ea1249e8c7925bbf856df0aa0e923

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c6e8f9e46a36c922b5959fff1c358ac3

SHA1
52e8c3a7442e43718eced80aa0c1a7792a6a3371

SHA256
db8deaa5227339a0db3e692c60e59587bb84a8f10795ed48061e13ebd99bfb29

SHA512
12a1396baff48bc553cd3bc399e445740832e92d6b8cf672a833a8d9329bcbbf4c06d5a63019b8ee3543bad0e28d85469dfa46326781777a9a35b8f01b38895a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9f6ddbfef5c1224db6e1f7b0f64bc6c1

SHA1
13926523f43beea4b729add671a98428ab2eed4e

SHA256
32ac54b36c0c63608337f0af064f4c7d816d667a470640bfd2b9306d139f0807

SHA512
098eb877d990025459e8cd9cb999a9ca27b151fb61cb53cad28744366dc3a5088eb76b4ea47a18d83544f13b3b47c07f873b2da806d7b7c6055ea781b7998998

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6f1da7f555c0709ffe7831a1c83679e6

SHA1
1b3795094a22e096a73ecd7f052dae74a78a9477

SHA256
f20bc14bdb9828c80cacd4e54ee94fe76521a7d81972650e6a385f77951554e0

SHA512
d4073f136efcbe4b124e5fe42317bd8825d88039d941490fc74f92b024895777f90849e317c0af845f384db3239c8408e96e7afaeee13be01d5def23cc71db42

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bcf2c00512a01949317a135b0f571136

SHA1
af78453654d73725fd7c4c02b4cee1d1d6d1de1a

SHA256
485d317abdfce7867d18068bf7602ab48463a93b45c0bdd16902946a7e59946b

SHA512
c8857fdd39a7e47ca097e916798de76c0a435abb17f4cb96bf23191f0fb42dc49dcd043ddaf362600aba8db8cb9522c3de5dfb22710340a27dc34269e22e3ea0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f9da15321aaec39faa82f2deacb1bf8e

SHA1
b4c375752cfa0ee4d3478d44404bdbc2a356014b

SHA256
04b5d6cb0c1158565602d86d4b6898a4e150b9be31aae1517d6f43cf9c24049a

SHA512
760becb3ba088d65a5b4f7c10e191e9c1fd4cd708c35df7749ab5a18298a00275ebc15470e1b1eb8e05c397893c5581b1c9a075974bf7c17608c013b060b8ea3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7cc03000cff0e3282df011abcdd52066

SHA1
e1fcc5f92c2b8e981a37d06426ceb747c94c9446

SHA256
fa85ddffbd08b00afc14af500056fed0f873012eb0226d90a32d25aef566115c

SHA512
f69cc9b72f767107571b97a4092c8a7ee37ddd3c969fe51647aeba45f7cd97b14b4755289e55f59133819b4af06e8ab6f94c7498658e358d7d5c679e802d2249

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6be6172644891afcd35b56a757632c69

SHA1
4be0c81b995dbc354d7f6d6d488f7ecb37762233

SHA256
1d3af9e39643c26a2dfca0b396d7a5928f2c4526dcc5b5d3b4dd807ffbf8dccd

SHA512
f97a5f74b06dd581371c7b3109517e84cc1793b47390c8965927b5147e4fbed44426c0ee1a5d7444a57b50885e0c0f573f865c9317024474ff4b7384b48d9540

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2d4be5926afa71ae557acaeb3c4214e2

SHA1
b718c0f626b3dda82e20e2e129c8e0e32befe489

SHA256
e9f05f46eed0fc3fcfaa35ac0c1c9a7322f8f233f17569fec016cd8ec17bb973

SHA512
22fc0882e035cc070e6a7c6d84da9fcd194507a01b43758c3b820835384f56ab0d42b59f1565f2697e0e52bff21326e203ff46db94e919d2480fbb6070f69873

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fef6de86c6d358168a5bb25c9127aeec

SHA1
021b512a6a33f03df8b19558e4ca8fef92bf77eb

SHA256
73da7942b26a3c5ba4b7ef45d3de11e96687be8bd6bc0efa1dd8039442bf6882

SHA512
28d36ef9121c4144512203ece464ed3fed06816e1cfb9e826165f0412439556bcce6a3ff159dafbede4fab66bdf5ac8c073d6f1012aa69efe99094b15b89f267

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a13800a1658e6d2aa9f92b64f4343e1e

SHA1
560005916f01240db99609ca3d3e33be82371fde

SHA256
c1c9fa8960b139b91779cfd704c64e22e8553b0c4d7d7f400cb3c68dc119b188

SHA512
671a79f3a318e4d22d54da25bd689c7d4f26947c01119aeaffc76373028e1a9186b7cb412626ef4f582fab314a8aed2bd015c99f6f328f032904bc83954ef221

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c71fb71b93f9bccd9bace0db4616d3bf

SHA1
9b16ca8b52214c97e45bd650b74f0dc6d13f0098

SHA256
0232c381ade91a46b4091a85ac16504073c5e8afdb4dca738c3b672ddaa7001f

SHA512
78320ae09596f62273fd32d08cb4bbb1b9de0fbbfb9c073174ba0e6f458df5bdea4a3a1993d8bb814c2ce54bd0add0a519c67932c8b8aa824b1e4b5936781ed8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
32a363d83653ee10882346076d1aae74

SHA1
8a07d431d1603f376c396403761fc234bb1eb2c0

SHA256
f8495e954de26d80fb6d28702981e8b4ae1739d4902d0c32e60cf036b84c9f74

SHA512
b40fb800e1a1ebb17d9de5382ef86ccadc319b39b63925c3202090d5de80b5ba269726e9fdbda6575849136ccb3b52f6388746b976c28059bfc98c64fc4b1c3e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8a369cdf33a202aa6658ea3770a24ae0

SHA1
0a7ef402cd52c7593ee900c6119bbe6419f58e94

SHA256
6fd6b24c00fec36682ae88f427aa537b6951c79825fb901d744d5c5ed9d31f13

SHA512
f132294ffb2d342a88bdc5f36324125e585d8f70d8f43d0812f0cdd566eb226f727e7900e0d888ccacb5e95bddb6b177bbd2e584f56f76b209b6b29c3d569f14

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
46dd1034d435db3d13781a8c0e438989

SHA1
9ac3803e101acf6833fb1a5ee374e3041acedfc4

SHA256
5afcb233b414c77a6736fb7f2be69652fd0fa0378fd2173075501edb19e84c1f

SHA512
fe2d90ef0ddd9c849cde9d7f01c0de82feff631f58192cccc8c97c8de4847e7c78fe63c407c0740321145dc62966c41fd3737772ace214c129fd67ff2a01c3fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d799d7c0117eb32a7e3e40e84938d3ad

SHA1
f47953650c077ac4271fec4f0958bb118a58b6d3

SHA256
5211bfd8932c7d49f831667d31e96b2664249948f841b43ef782d23c2b950d5d

SHA512
7df4e3ec1dd8a28cf041d14f878ac9a45bb432c23994fe443ff99c77cbf298792522dd3cb6bab15827fad3d5854a13ffa822906ca9ef163f28402e393a0d8b7b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ee901964acc5a57baf7e543f1bcafab2

SHA1
62534f93a5305fd571563b1311fb2b9e0a310c89

SHA256
a2f36edc7413e7612f127aabfdea65c3c01742ea2a641c1ec1536fbad3846e0c

SHA512
7e888ae232d49c650dd5c31f5218a1a9823425dc20f8a08cdfd0078e88d7a6ff4dcb8a8d49094161483d64189a894c7bd4edaa99c5da047c7c2c8ed14bc9b452

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9157a1fedcb73ae24e959f88c61ddaed

SHA1
60e2312232c39d690e2b54ced7a6d6ba36b0c173

SHA256
175d096af3ef73c0a8b3be067f1c180fcc55edda99d8f278fe9355364b62a3d3

SHA512
124d0b22fd61531341f6483071e51e406528cafa75c0612eef69caf7b1b0ea7f4c26234ec50a238cdc5d9b330e9f658744170bd92277db9e15f721f3d41ddd69

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5b271a70dc975e4c2f14c56a07e95d21

SHA1
6fd7a4ebef51158a7482b67280cbd98311cc1efd

SHA256
54b8b33555ad1f1e99ade071ea8b273a60b321a41ec614c0d8f403bad50c5ae1

SHA512
ec19b5cfe8ce28e7171ca45c62e86937350f289d476218eee8786b0abed9cda66733fa4576e2670a06fcf63ca5899d0d7afd40a8352b47167eeadf00489c0eb2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
08691e306271a5b82b9b155c31b647b5

SHA1
e242f1879727257c15c4cfb6e371884eaee11312

SHA256
78295adeeedd5ff01beb4b1178316603bb8f9b887268167107655ef31364ad14

SHA512
81f7c4c4d5268b670d69e237755a97a66abbdb280e92415fcf4dcd07facfc5c2b1e699193ceb0f1283ccfab05ab5f961492ce47d7b45198dc2fa5780cfacfdb8

Download Submit
memory/64-86-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/64-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/64-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/64-76-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/64-82-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/1252-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1252-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1252-38-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1252-47-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1252-61-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/1380-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1380-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1380-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1380-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1604-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1604-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1604-117-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1604-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1956-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1956-118-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1968-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1968-624-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2552-622-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2552-191-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2632-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2632-627-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2816-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2816-587-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3008-92-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3008-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3008-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3024-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3024-516-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3132-586-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3132-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3192-441-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3192-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3296-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3296-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3296-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3568-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3568-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4168-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4168-629-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4336-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4336-623-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4564-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4564-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4580-90-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4580-6-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4580-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4580-1-0x0000000002310000-0x0000000002377000-memory.dmp

Filesize
412KB

Download
memory/4600-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4600-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4600-56-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4600-50-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4720-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4720-132-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4928-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4928-628-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5036-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5036-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download