f05f66428acedcbc55a83f16335ae8004494f075bf4712c47015ad53d35a6728

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Size

1.6MB
MD5

81e9bfdedd6efd6129a2f1837cd1a68e
SHA1

5e0379879fcf1a9efdca5fb31706f5da061e18d9
SHA256

f05f66428acedcbc55a83f16335ae8004494f075bf4712c47015ad53d35a6728
SHA512

494579e9008bfefc0973ca7e59a809dbd4224054457bd853c7483ede6ae031c1d38cc762ee51d054a11c7343235ed695fa804cb08313c14eea00813c256f29d7
SSDEEP

12288:ktOw6Ba2TduSZpUdxB30GHrVxGnXQSaWt+DNISOgv3isiyWcJ0:66BZTduSZpUR0GHrVQ1aW4mSOgv3isi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3484	alg.exe
228	DiagnosticsHub.StandardCollector.Service.exe
2588	fxssvc.exe
4376	elevation_service.exe
4424	elevation_service.exe
2012	maintenanceservice.exe
2540	msdtc.exe
216	OSE.EXE
628	PerceptionSimulationService.exe
1748	perfhost.exe
2068	locator.exe
4700	SensorDataService.exe
3124	snmptrap.exe
4360	spectrum.exe
3980	ssh-agent.exe
4208	TieringEngineService.exe
4388	AgentService.exe
4824	vds.exe
1340	vssvc.exe
3104	wbengine.exe
4796	WmiApSrv.exe
3504	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23627354ad45b396.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daabf7f45c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009aa30bf45c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c50c19f55c99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000021d6af55c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000684371f55c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb35a7f65c99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
228	DiagnosticsHub.StandardCollector.Service.exe
228	DiagnosticsHub.StandardCollector.Service.exe
228	DiagnosticsHub.StandardCollector.Service.exe
228	DiagnosticsHub.StandardCollector.Service.exe
228	DiagnosticsHub.StandardCollector.Service.exe
228	DiagnosticsHub.StandardCollector.Service.exe
228	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Token: SeAuditPrivilege	2588	fxssvc.exe
Token: SeRestorePrivilege	4208	TieringEngineService.exe
Token: SeManageVolumePrivilege	4208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4388	AgentService.exe
Token: SeBackupPrivilege	1340	vssvc.exe
Token: SeRestorePrivilege	1340	vssvc.exe
Token: SeAuditPrivilege	1340	vssvc.exe
Token: SeBackupPrivilege	3104	wbengine.exe
Token: SeRestorePrivilege	3104	wbengine.exe
Token: SeSecurityPrivilege	3104	wbengine.exe
Token: 33	3504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeDebugPrivilege	4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Token: SeDebugPrivilege	4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Token: SeDebugPrivilege	4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Token: SeDebugPrivilege	4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Token: SeDebugPrivilege	4920	2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
Token: SeDebugPrivilege	228	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4448	3504	SearchIndexer.exe	113
PID 3504 wrote to memory of 4448	3504	SearchIndexer.exe	113
PID 3504 wrote to memory of 4736	3504	SearchIndexer.exe	114
PID 3504 wrote to memory of 4736	3504	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_81e9bfdedd6efd6129a2f1837cd1a68e_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4424

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2540

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4700

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4360

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2648

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4448
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
62ca60cdd72e94ae67853c32e855a621

SHA1
4ba95dc2e7e0df5d91a3e771bb16b8f1ea2340f5

SHA256
6f57d710d2179630362d03894666617abdbc1580241c8bfe8877dad2794ee128

SHA512
d6dd2545dea29fec2a7c6b779d6ae87192cf2f4415a4fba5f452f46ee0b30f8dd63dc047728949db01ee1888cf0fd880fad23dd4734d2ef2086f33b974953516

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3e59961d0f4675ab4cb4664ace9f6cb4

SHA1
57c9e8869ae3c93dd214121f8eb8faae121433ce

SHA256
0bdd13d336557aa7ecbf6ca6a977f33dba5d047d36c18546997dd600c9fee68a

SHA512
8d8992eedaf78bec9850e2f8960f5076b0d5670e6d48746f24c3b9cd8dae90f72af25b75e52c4680141c3c34c657e31985bb7dc095d72d52b2e5385552c06286

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
1aaaa2709ad32aeb88416d5f2cd19f00

SHA1
e606bdca9e53e0bcedc86a833d88b931482ea0ec

SHA256
d93572253a61998a17c62184e5a78215a7e3cd9a87572863086d6f4fdaf1953c

SHA512
6d362d96ce08188f4b3833914d236bc07d4536eaca96a213f2f8e20a2d79411733a91014cb5db939e2bce6010dcdca600e119af6faff554f13b967e503e20197

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
1c5939a76aa5c31d083e5e9edb319207

SHA1
927b1f37a71868d70d6a1beadab10630c3d1561a

SHA256
3c26c75aaca082d9c59c50e5d67ccec9c6a5cf9301cffade7b3186541f835235

SHA512
b5943c2c53b95c42ab866649b1df63f537a86cb44862f07698838706eb3fead3889492ee41c18e3c4007e5a75b3b61f4092fe5e95105f57a2146c365df95ef3f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
53025e33fb9d38bba6d90cffad420863

SHA1
b4578da4b311ed10b65e3e44e49f42a4eaf0904a

SHA256
d57236bd82c0b82f5283def267127a68a7d7bb00fd6efdde96531b0f51b6e5a6

SHA512
fc4ce313e419311cdcf53eb3756fe9231401c45ea2582c3bb674760596dcfb381d3ae24fbc2e9b500658eef51e412c9dcacba0694c69ec5cee880198a17e9410

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
1aab6fe39bb8a3929f3f580d4671e9a7

SHA1
9ef046c5cabc624b53ac0efa5644e0cb1d2cea98

SHA256
ebcb5eaad37e1828b507acdd1882d1ab1e79f8badbb0ff6657919ce1db22a9c6

SHA512
68ffb616c1de578cf0aef017ae590753fc375cb219b15a38c057ae590bce6c3d6ff16613fdc2ae5b29f3acbea7dbc37b68baed3ce8e662bb805f542f871e818f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
0a286235f54ec860729624b1efc72c9c

SHA1
17e0a7480412ed51a25e74541ef9327cb2492fdf

SHA256
543dd4f96369130a96149240355e449f8b7166153074c314f24791a91888a69e

SHA512
b90370a7eb36823256b488ba0ec17b79eaf27d9d854cc3aaabcb77eda5e652ce3edba8ac130e1dfbceb5e0a73d1e8aaa2be51cf9bef4906ae109a0f3ddf2dacd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
74894aa9479a56ae2bc433eae7011bbc

SHA1
a84579e404457f35efa2c9ac12e606db751cf4fb

SHA256
dd96cb48064a0ad0fa5c0feeb5365b4cdb4a3bf24e7fb28fe35cea25a693976f

SHA512
a863085c81153f3d50a455d8da6cc7a5a25f6f765db9c5db8212d7af6ff960ded449e0a1b4e0cfed695b8d0dc90759ff8a4d7eb228149c6b3454f90d409f9b3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f537a49af2be7f797cadd87860f04568

SHA1
1ceeeae3c6de35f77c37cb22a91a6d619949357d

SHA256
1fa1538449d41e62c5508e3250d8304f0ce9c66c9449be3caded8f61b3b90a52

SHA512
391a142c7c7a0b704cd3b82b117ea51069fb36828eef8f16dc6e0541b759bd6ea5c9196185aff8c7dc688dbc06077ec10912b90a1bfd5d664b1bdfcd54d25faa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9e603a859f4219196725ec89880651ae

SHA1
3c2242d78df7a138d1266484e4b11d01c0003b14

SHA256
75a4c2ea5287fd30f8bb32f3a1d4e17a72eb7ad45341843e7080c7a90ae200c7

SHA512
4f74abb6ddeff2c626019186fe45084cab64d253f576014fb02899af010d63e4f1552283c8448a0fcf170d05c93b895043820f35abc8f126febf7b94b4477605

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
83adf9152c35f7452a4789dcf1af0f37

SHA1
42b0250f175b6c9e26bee0228cdd7c95db7ec8f9

SHA256
fe235e7d65fdb6914eb1b2817e8cfac2ff5783e178da75ac19680a126a63a430

SHA512
cc3ee8cedabb49f9fb70e16e5fc1b1eb2aec4db6d72c675506c800943ed8b4767aa82aa3c719f1e18b8eb2deb18f88630eb74be5089c1829da70d300b9888d0f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b7ca0a0d7fac47a590e59e045ef24e9c

SHA1
35f393c707d109486a21845434a53f5a5f6a7eb1

SHA256
01efc6fa6cacdf24a64218618b1bd345ba14fbdcc8146ce81819d5577347cb33

SHA512
074667124d86cd1cb8c21e738a3018ec3f01693d841f337a0b3e4cb5b411b003bbca11ad4095dbe4e206d287dd815d5c4fb898495ddf46182dc7ff645099a56f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
4809fff9de0d49b817a1d5e1b7b2eed9

SHA1
1ed727b3de9a6e8f8280a4212509ebeb62e85627

SHA256
6947896611f9bd54f3798bd585d68773f08fb60188c60212a1c3bbe254843175

SHA512
2f475a38d36260a8b842759087b9e392ce19ca097028c9dd509cd5abce8f95d729421bfabb8dec48544223f7da5bc9d30c7767fddec7c8b0b810e90fe3ffac4b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5360e3e090bbb187b7a49e9ca1003312

SHA1
31951c4bb511f8af8ae97da9f8ba2973cde0e23d

SHA256
3e10072f37e252db195accf4b053948b002660d0549d2b98780927884a109cdb

SHA512
90ceadb78136cfd91bd32ab68d84ed955e893852d99ae0e7695cc4b5d69d9ff5c6374d0e61ab82aabf6a209dbfee40101b11f67a97c3e159f0348834aae4fb7a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
944b3fbe338ac07da0692ca1554eb71a

SHA1
f3d83d03661b97e544ef56baf215dabe92a8f2f3

SHA256
a8edf802eed4b5716ae3368c275b50ab1296e163ca1949d6bbf80ccf3a22afa5

SHA512
cde2bef54a9fd2ff7f3d2a9318067eb4643abb25d2e893f175c2e888cc99d88ca9ce6ab9a48cf3283276c2fd9a2231ae1e1f1d20e67873a8c0e958aac211f804

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
a2b3d0f65054ae7206988e87fd3a7cb7

SHA1
4fc3950bc251ee82d70ab55105318b084e875da1

SHA256
c40aa634e2f8ec0b1226a1db8bb9d4a4d7d7f1483910d7d6fa60e6daa391be55

SHA512
b55aa85d14493a4df6bc9e356540d49f1241a5db20e8713dea98262c7579f1d1899425b26794a1221852c52a79b353646ef12115787052b0136c1b21be91603b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ece0bc78f6b33e3ad0ed76bbc98a6540

SHA1
c145932bb3e5b1623a617c0032545ecfaa297b93

SHA256
ce9e9a856a5cb596cf733bb5e8983209ea16173a6a7a5f8e15df10ac5fdd5e95

SHA512
b8bd9c22e80686f938860e6e8b47d327b4e6b974f42c8d381b0609a323da82fe968a3f6f74a54ca257ccc93d0ee4622d4e0bc5cb3bf55a26ece3a67719b32df5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
4d08ee81c437da73e59b9c5159ea5cef

SHA1
04fd67cd86f8b292657f4cf520ed898c8493a4a0

SHA256
7956972e9a95ddc098676f23ffbc4b3710624f70dde5aa8040156442fca75605

SHA512
8a92ce018ab1dcc0fac47e233da25f0d8563d2a354f26eb8a0878f4595c0c6293c00c260a279d5f0ebd21a714241f6e9ed09590036ed9ca859bbca6b26dbc475

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
833db6804439b98fa5aee33c2c2fb636

SHA1
3305e64fdda3847504c719a9baebdff9d2f5f3d5

SHA256
bbba88cc5867a144d0891bbdfbdbec90d1087661c01009ee8afa8a1f49e19ac5

SHA512
33ebb6134bbceda798c11e9e85686fd340e3f455079e1196c6908e959997756666fc33f13439917736b645f469a7685e648c69481d4d031e425be55147510040

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ae0860aba97122e3403e2d73ad28c162

SHA1
ba6f2cdfc1934fb3fbfd54f050512f858bb1d1fe

SHA256
c04a51a96a6cd8e6e18e699c72ec6e4a7782f31a0d51d05a8246f955b39270a2

SHA512
e2f1b8cd583212301c4c206a2f91e010b8a0351a46b4323987f0ac2a1241728c62113722e101b59fd3e91a36c335be4da1267c6ae11f129bd3b59e7b6a524020

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
d5800a29c7b889ed0937f2c43fc332a8

SHA1
155bc41c5d7121f2bcf0f443b8040b1653358cdd

SHA256
a33839df7f34a4033d22770165fcfdf76b047d73bb3cbd99706e54ec8130aa8a

SHA512
583f7b280751293e28f5610f6f1e753ab63e64446dbf8c001c812804ade94078fbe0c74a64ff7957ab38a95c54a218ee45c73fde7532ccef9ed54c15afb2cf52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b52b846c1428c447f8317ab17e66c6a3

SHA1
19c7c8dc1c4a864f6a102ba9f934413c1ce7526f

SHA256
61830a7a58ee227a7ec32e708e624dca0095f042a8d45ef0fd56b813ab1354ab

SHA512
3d8a1aebf4af569dc66de5a3e7d9200aa1888c5c3e42b2c68dd53706a947e08b838c24b06b35a3dd4f1de2e4be1a0b76b0059099014da350fa58e856c3aad6af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
232c05a69cc7fb7d10d80c891442d074

SHA1
20cc54828c5302b39b8dd89d1a998ad4e7d4b3a8

SHA256
b93173000312be40f8fae6b5773a230abe1c8f121b578e674c345d09de1b67e7

SHA512
c118030aa06b7041aea6f481e4c35d2ab36d6b8a7d75829cd486503201a51e8d470e79ae9a33a3c0ddf0efc26bb0d136bf2d6d0cc599ef86c5c37170096457dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
66cf492997cfb85171f79cb3ef495fb5

SHA1
d4ae84aba60b8e598e6e97742136b059d6aa16b5

SHA256
72bad0b8810997836c4a311b99759463ef5b40b101cdfc55fea448bbd901c375

SHA512
72450e10198a6ccdfdf858c6762841b47d9c18813e06f8467391a315eeac8e4c9f33309fff03ce1ba632c543836d1570903b8356b3eba4a44489039bdd869756

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
adbdb0a1f18fee7c54ed21b46202fe78

SHA1
fc6d644be03e0dc1089af02349969704636e540d

SHA256
c5ca4c18da82fc26d4c8360cca301cf41dff844013c7396cc0c5926c421aba92

SHA512
9ab5e7ad50c6f88e5e7b8e348da5bec165033cb96ef75b7df54234963f1f2b1c9447dc2b6971195c457a62240ec712037dbcc6291d549eece26887fa83e83c3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1fd8e61c85172026fbdc0f3b326cc22d

SHA1
11d400a47e9bd3f209eda46aa94d9fb6ed9b6ce8

SHA256
117896ce90caf3bb55ae771e9fceb65be1e2bb2011a7564dfce63ae65ba1a287

SHA512
a7743ab3351a7aca4dafd69eb07d09d3a3ec755e758ba7f95f0c7138794dfd13042533d078b488574b1fbc0cb2961f3543627259d4055df123471d8bc3d3ac1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
470bf287f429d9fc99989bed9a8f47b1

SHA1
1259ceee9ad439b387efc9abff6ac4b181a87991

SHA256
e85d0cf0352fe55585639a5f307c83abe042daa9378c273a90622cf640cc3a13

SHA512
ea82628b5ae898ecf16bb67323f5c44fc8c5c578977cf9e2ed470fb7b2de96f96d2a5285764a76daa62262d32486931a33ad708553d393e330271e86dd7a1550

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
8c47725bb93bd14dbe958f74076fa836

SHA1
503138fca78a17f1f551e1f35e3a2ed32529093f

SHA256
60c9e16f8ad3cd8af8bdb128789ad060278f6147957b0123e78a9d5e4ba9f24e

SHA512
e6b0b97d2c599c7689bcf12cd0b09ff2063030c91c49a397b3c956886dffa76cd056e17ddb128a75fb92e0eb31d55680fa62d55c1cc1416c463d50d559207005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
2c427beb8768349f1d1ba8728d4fed8c

SHA1
85731d2b3e6d0679d89376701b74e199271743a5

SHA256
b407a3628c234b47a09eca7646859ca8031f501dc355f4085607c53de54f82a0

SHA512
2672a0f00875ca2d63f619707ef9aadb3330e87b7d5c1f7940e28a942c2ebf2c5bb157d4f07564cc0119780360d9a09d6b8fd9c25d34a5ec6c792eae6a8fefd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3bc9e0cda94e824ec0101c82d3175189

SHA1
3f18466bda9f97cf2d980ae26e49ec5b35111887

SHA256
cb48fc6b4d530f4082af302f85860868288b9066889fdd2ed02767b73039bc6b

SHA512
46a3775ef50a9f55277cde90ee15c3608c4a1f924a6f1dc50c6cedcf001b7056457a62d1c163d8c09f4e3c409c9f944437c3c8b240529dffaeaaa2a1dd3d5421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
3d8152e6f5edfa859ddf440706880c9f

SHA1
237fec87bcebe74032c8f4840955e9429dc941e3

SHA256
7015e1e69276120a4c6e5c898c826c19e48a3608718951e9693d9f8a484a9ded

SHA512
70293ae49e03cdb6d1cc31ab472530df9fedaf4e5589fe21bc81cc606e668fd208eb4185bb326e933c5a7298b50813bf478b304359e63527f2dc6a5293c03a88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
b37ac058bc2a3ab61f6e939d4daec61f

SHA1
ad6fd63a575d33336ddee824103f4a9cb666f827

SHA256
a2b45dda47ce9d2ad734a69288e6b805e180d66606a5264109ee82f3e222879e

SHA512
16873e7e3154ffaeed71e78c1b3d63a25ebab8e374919c7c62681a8e5831691826d3863a7d4c7cddb4b1239c6dd16e0f610c028f5a1683e98aacc3638f67c3c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
aad88da7392f858b8f48361f5f3f8766

SHA1
ffb719c3d35f03bf61e008fa78db199c505df49c

SHA256
ac0282cd2382c8b5057a6770302c3573a022ab27c21579a4370ada7ba0fb60c6

SHA512
c379c39fdab6742b61c1333d3da78812613206b46a28b2e28419f2d97776a40e5b405970e2f9cb4e9071a9a8b6dbce365164fa011f8cd68a15b36546fa602d45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
69ed3f4a31fa7c898d18b1bde5e11d5b

SHA1
e38e884cb863f7bbb3c13fbfdc8d5d25a4330978

SHA256
01a6f3150e5268f5519a2ab0918572b0e2334abf7178200317ac5a07afbcefc4

SHA512
82c3896b3b1ce5933266952716fdf324cb3edb20ef9db6965fc900b955afcfe5cafb981b14a2bbfa9c01aae23401780ec7a437fef9c6f8d439a354886ed8ce61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
83ec4c8d2e4278f2db0b0e0b9d7b64e8

SHA1
e7dfc25c600643deb79f08648a701d293c6700c1

SHA256
d5e1ff81afdc1ada80a02286ae48a2c16209c76c87c8e366739dee11424633be

SHA512
96ef19893576de0133900c14b5124e4e9862d5a818f6e0be6a80fcd1da4641a47de24b797ca75cecd9aad383d7a0cf91ab5f4b6e47e94fb9c30d85c340136eb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
646b5a1239d6e9cacad335a065884a09

SHA1
da44282f02961e6fcc01a233b89cbee08a608601

SHA256
c9804441427968ebbb2020e47fc4344498519624dacc672cb158f10e28cac7ad

SHA512
5d2ccf73f2218502423539a2b2ae9b26c2ea63d8be40862ca6083f78957c965823c66a5cedb138795bcd083afcd6705d381124af073b571e829a9f2bf694b7a3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dace3f017ca22d5e592ca329dd31ba39

SHA1
6e9840bbfa1f7ed035f6b7f489a5c94a86089359

SHA256
37c756bc66f8b3426be05ca95a1782a0174bdffadb044100cfbacc37b984d4f8

SHA512
d2c4cfd62ec11cc535949a3e048bc1a3104d15c623b63171ce0ee2741ab24f4e744b0ad7e09d51548f200cbb80f784c33e0c99e354ca824e87b99f7567ba969a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
ac17f0eae2fe9365003673c2a5a908a6

SHA1
6578ea82e74d0aa4e981f80c19ed327d8b562cc2

SHA256
da5a8693e57f666aaed2d3e2cbaacc8068db0488255ff77fb19ef6981373b7a0

SHA512
f1a1ee5ff8007938a67f2a2f3edbae4256732b34c935179cccff1a268e38a30b961fe21400a5ef70d291895b7ae28bb0c9d0d82f91b51926ae37a7618d94f698

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
183649f67bfac09dd6e6ed7c204f5116

SHA1
6fc3b67781b0f7a0ccd70241a87cae5abb4a98b6

SHA256
e43e3c805d4f174c2c63013cc19be0299ee0ccdfab38843b28d0b495ac9b26b4

SHA512
12d6f7c2031452411fe0307967a7fd1e38900581a2a51bca42c6d0043073858580a17106972e6bcf602bc29fd23c19b2ad1204b1c68188de1fbcc8c524f8d470

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
27f69627ddd9e952db1a4e6113a4a8ad

SHA1
f329e8e8f3890211b7e3850364d128fceba98c9b

SHA256
8eabbe32e4cf678eea23748c7b0e6db1c9f61a18e5a78c7d700158843de53010

SHA512
995ea3e63e38672d471123e3b374bb313856cd7cb369cad6f92969439385590ddbd1f121ae346f38448d4d5e7db7981d68225ddeca7d28af17dad54332580af0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
0c079e632faff40fd0c5a04a1b5f3b42

SHA1
13ba192d75596249d1054dfcdd3e9d3267a9d447

SHA256
1fb6cc82df42043f4ef023561533d669192f66896f39bef2f50ed026be478647

SHA512
6bcdd9c65c5c221bb1200d89529bb6d03762a5a0739de4bddceeff84cee9cf3a1f0c621570c184dbf43147491c7398f2255a46321e166164fba05ac5bf77dfec

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6fae70eb5e2465a9b70d99ae9843a68f

SHA1
48bd46202ca48ab9c2b565140120fcfe61fea7f7

SHA256
16b8cf0ef40a3cee005486f33966d6a3072a897aefaeab936b73d896ba9d00ad

SHA512
3ec3a55b53980e2e58075f888a3a2f3e65b22a3b23a943a5b7f22488f752675817d63a996c45b1610d98e11a3fd3c30513049d4738e56eb582ddcfa0049b950a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8aefaf87137774a12482ff9caee5e534

SHA1
8ea5f40e62671317afcfd83b790bb7717b9ec8fe

SHA256
caf6e2884401bfddef57ed300d00638d2a6103dcaabfd4d6e3360d1746579367

SHA512
3e249fad7edcdad0d5d79a1f5120c1e8c65d297602b92a89d144663e1ab7bb5837b4711c25f856edd23d67adfc01eea04e550304232559c7340378adc52bf88b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3a076665ba212a81356e46894d3e4c43

SHA1
edab0d0df76657a2c3078cd9564877e6b17a41fa

SHA256
83e0fd91ed7ed2223c3ae2d1c6e2f4e31f10345040ed4c12fca9708ba28a6cdc

SHA512
c3fd349d287bb2a9793c7c1b54cb2ab192e06d9159645a97783ed5a7993462f51c6b21f1e7306df48f721a36c429289caa9ee5aef0daea217f4d43414c9e0895

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
66d14fac7cf6f7e80e6230697df1bfc7

SHA1
e89973827c1e4fb62c90c9046dccd37ab3a76b6b

SHA256
ad07102db47801a5eda545d05ffae53eb0988db39060da464fb2493a7622b089

SHA512
938723579ae1162a58f84758fc8e253159514e5b06e7c00f0b2edf32d53fb02f632dc6df4d83fc78cc0b1b3b748cf10ec944b3b10c80e59e0425afabbf5ab5c1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c34551aa0bc17aafeaa7960c110dabd0

SHA1
dc549e566e5cf3da860d480cdfab450ba541ccec

SHA256
9d1494642d9bd6f45a33f1659e4fc85bc005a215be69555b7b29527a9b4764e4

SHA512
76bbe60d442c673d3f4cd7951b95d4dfc8681bd9ed7d04b91409c3eb43c78b5a9598c0f03ac9fa3a5595db65f89accf9ff8cb62e0969f905d46bbfa41b50065f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7c4761468522dfcfd31575b07be3afdc

SHA1
d6e9739166e1ccb9b48d6e2ea1e629b209529b9f

SHA256
eff47d2e92e197f033a75dea0dbb67afac51815d42b70f59601cbc30c7a1f665

SHA512
fc7174f69e6d2d225b7b81e98eae1709537cfbe9107a51242d441c259896544bb323c20dbd15a0a9b9211d867100a2419c482b83747c367e499c0b0a15c84e88

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bc7fb76a940599a52f94d27c06b25a95

SHA1
04bddd16c73247abbb6846b26dc986cac2819712

SHA256
fed3b7c164cebe2962d76310eaff4d000e1e16fb9dc04763ea9569abcb52c760

SHA512
6049110915e0bbf0466ce66b8436c15edd6b0443ddceaf90e71dd2e2569755e567aa9551a9e2f9c356b194bbab71b9588f460eb9437cb4d65b668f183216f97f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
17cabbaf840ae9d7350b34dd95025d9d

SHA1
24f6584e36de33fc4bdad1362b587910096af25d

SHA256
f53b494225291b05130f3c2cf4b31179a14f1f0a4644d1a99409f5d75bbdf0ad

SHA512
e768aa92013af1c06b946d397f7d22aa0b387b44bdc9090a660178839ab92a9181f09b73e79fcbeba8957635673702614a5cbd4a039f887fd48696c4b520e48a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c425085a49c8e896adf84d839ce6e34e

SHA1
9b862011d857c4ebc403dae13139683ce3c572ad

SHA256
9ee88dd6f5f37249a416f7e7a546cfb3cae09df3e9fc9e39df9c68ff9e507335

SHA512
caf9e4075dece37a44fb07bafb42b8c688c0c53eb124e8e35e8cf4dedc73a10a1c4c068391e7fb0754584e26da7d8be49d306ac7a12877c799af81c329e4a025

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
987475d569ba10370f4d9f35725ac920

SHA1
2a015b50e69da07cea44800bf81b09d1965ded95

SHA256
76f3b9a3ecf6549d88d1d98aa03c9df19892a3c8e8d62b76c50199b08c0f55c9

SHA512
ec0cb8e7bac2d5c477d8d28312137916ac9c328c7290d816d3bdc842173cb3acb6b1398d88f7863f28cdf98b99aef79eab6ae45757979572f4452636b5b7301f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
2839ae9accc3de55df6d274885d9a509

SHA1
9f09fff7548abdfd84ea53fee106cfb25456b311

SHA256
0279715896506244e126a14814c2278098e61d0cb4ebf3c4fdc4121cd146f75b

SHA512
5470cfc5080393f539e06ae5ccf46ee40ec1af57493d080951025d670210b699ceb60d58a1ecef0a55fb35d770bbc33213d81209c749434803e15b96525ec716

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a2a33daa2acecc40c17c5ec0ee437432

SHA1
59d5ee43be2b2567aa08ebe8f06c0a3218c90080

SHA256
7aefbc19cec3e465f07f0e59fff6c21fc296801dc8be1f5f89cb9afd889979e6

SHA512
568cad1cb65bed84cfa40306a9736a4322e46f5a5d28f9bba26bc9f539562a4369fcbd9dc18e165053a4ecb3d1976abf2bface3be22bc7966148c68b47205a2f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1a49f198b3a5cb159f27c249e438daf4

SHA1
c5150334a4962a3ef11efd716bd3fa88a87f7793

SHA256
a0feabb884d164ae84bcd31094377672bc4cb0718b22209534878a90ef368a19

SHA512
232dbda229ec7a69a5eebce3ae3bf69bd792b1f2d459afb7739c7e1b4e58579d0fec7ec4ec342fe54819f60ea0686533afd3b65f6c9b7b3d7f4baa70dd664cf7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
446eaf480958953b186c5a799ed2c3af

SHA1
c4a5c4240183eeccf4618c205b113dc2f67ad88b

SHA256
490f8381103f98ffd2c1ff1a2bd15a04a7cb0c48f7f30443a8f1a095789d6e9a

SHA512
f8e82b45018cc798d01377614b81b7ef5e949f14759667ce9d9e3efde4d2cacb011f545dc7c999e49265d8e4a7a02de9b3824de7d02a83965fddc2c2707a2acf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
90b6856ff00452d15bc0a1e43c233078

SHA1
143c6d8b67e25505b969953224f8bbda004ee4b8

SHA256
7284ff085d1d251e9bdfcafee7409fb004055502295396efe85f13eef4fd3acc

SHA512
30df6ea79cf105c56545d3c661c7337b96d87f1dc6834f886397ed09978db132895ab7461db5b9f461e567d984700eb43a22fbd7900e0c175e4fc42b4072ecd6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bebd093777af80d9fd4228c3fe3990b9

SHA1
9d8df275ef3f41cc0edd97cb0e2bf71e1ee3ad24

SHA256
4e39120c78aa566109a4260f1fdc0c9c278b1113d79a4228b82850676f29c9dd

SHA512
bb472ca895919092b52bf6e4c577aab2b25ad9fd8a1cc1cd962bccd0bb8f6bb240d67f2747c51109d100866b1686c0c0e2b7b32dad3ffeae5d44cf8fb8eb4555

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
630ba069b8f3b6ea7aede8d820dc4ad5

SHA1
36b481b861045960631a3f2fc2b53ae91d0fad9c

SHA256
eb0438dc4274334f79d97ee7db37ecb73a2e5bee0851c1fd1e20a2236964832c

SHA512
f225f23d046581bde19f621aab647be54a7e8ec7b7513cc1daec1ffa7208531e314a6ee9eec8d667cd6949a93c9eefd7a15a056d70a9ab6c8397571a50c192b5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
5d08046b57836ec39c6db920ec84cf61

SHA1
cf05b8c6af5b46f8be608eb65a40ec55a3b3f0f3

SHA256
d59cb78846151131603f42f37371accf4637c2d724a1110c089e76eba3ffd2e5

SHA512
2311c0dcbf658092e9f6998d75c60018f5dbfcd55dd0b8fad1cb102a75445e3257208e50615e5250351939aa69518053de1c263bf50879446be65ed1a12e18da

Download Submit
memory/216-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/216-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/216-157-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/216-83-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/228-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/228-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/228-25-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/628-98-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/628-87-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/628-161-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/628-93-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1340-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1340-503-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1748-165-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/1748-100-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/1748-105-0x00000000006E0000-0x0000000000747000-memory.dmp

Filesize
412KB

Download
memory/1748-108-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/2012-63-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2012-68-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2012-65-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2012-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2012-55-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2068-114-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/2540-70-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/2540-153-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/2588-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2588-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3104-504-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3104-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3124-119-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3484-113-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3484-12-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3504-508-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3504-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3980-142-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/3980-415-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4208-501-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4208-146-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4360-121-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4360-350-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4376-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4376-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4376-32-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4376-133-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4388-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4388-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4424-145-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4424-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4424-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4424-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4700-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4700-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4700-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4796-507-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4796-166-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4824-502-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4824-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4920-8-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/4920-97-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/4920-0-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/4920-6-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download
memory/4920-1-0x00000000009A0000-0x0000000000A07000-memory.dmp

Filesize
412KB

Download