fe4258dd3317e7afd2a98bb48ea0ae8472652574f9ced5b13e23c9778927b1ea

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Size

712KB
MD5

586ddfa75be0d3658cabf87c28dad662
SHA1

2fd18993f95416d84db6a01811df69b8235ccaec
SHA256

fe4258dd3317e7afd2a98bb48ea0ae8472652574f9ced5b13e23c9778927b1ea
SHA512

2eaf4fef1219993e642f8e21e9136b34bdf112f08dd35b6ab25b6de408c97e0936e4c67a6867a77c6621ee5c230c67f5e122ff9cbe905af70dff837ae5fd0fe4
SSDEEP

12288:1tOw6BavMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:/6BfSkQ/7Gb8NLEbeZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2768	alg.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
1948	fxssvc.exe
4260	elevation_service.exe
808	elevation_service.exe
2044	maintenanceservice.exe
2520	msdtc.exe
964	OSE.EXE
2704	PerceptionSimulationService.exe
2292	perfhost.exe
4640	locator.exe
4308	SensorDataService.exe
4264	snmptrap.exe
4972	spectrum.exe
1432	ssh-agent.exe
1716	TieringEngineService.exe
644	AgentService.exe
3936	vds.exe
2992	vssvc.exe
4364	wbengine.exe
3476	WmiApSrv.exe
840	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\97ce9199c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a30af6cb2a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ba09a6bb2a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029827f6cb2a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c21e7d6cb2a3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006fdfde6cb2a3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
4596	DiagnosticsHub.StandardCollector.Service.exe
4596	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Token: SeAuditPrivilege	1948	fxssvc.exe
Token: SeRestorePrivilege	1716	TieringEngineService.exe
Token: SeManageVolumePrivilege	1716	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	644	AgentService.exe
Token: SeBackupPrivilege	2992	vssvc.exe
Token: SeRestorePrivilege	2992	vssvc.exe
Token: SeAuditPrivilege	2992	vssvc.exe
Token: SeBackupPrivilege	4364	wbengine.exe
Token: SeRestorePrivilege	4364	wbengine.exe
Token: SeSecurityPrivilege	4364	wbengine.exe
Token: 33	840	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	840	SearchIndexer.exe
Token: SeDebugPrivilege	3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Token: SeDebugPrivilege	3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Token: SeDebugPrivilege	3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Token: SeDebugPrivilege	3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Token: SeDebugPrivilege	3872	2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
Token: SeDebugPrivilege	4596	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 5584	840	SearchIndexer.exe	119
PID 840 wrote to memory of 5584	840	SearchIndexer.exe	119
PID 840 wrote to memory of 5636	840	SearchIndexer.exe	120
PID 840 wrote to memory of 5636	840	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_586ddfa75be0d3658cabf87c28dad662_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3300

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2044

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2520

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:964

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4972

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5584
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=1280 /prefetch:8
1⤵
PID:5428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
52de92aacaf4fc85ce5b86505fbf74df

SHA1
0f28ff64ebdd026557118a012ced4383bacfb91c

SHA256
9c6a23ab9e012f03cf91d4df32faa786c5936557d093770f81e25a61fda91bad

SHA512
465c2a184fd9cf16de4bc3b7db62440b3111ff20beb68afb49cd0072bc48093092aca832a1bda334dd0731c9d0a6bf83eeff2639cfef24704aae9c1137c4042d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
eabdb838217ab2bbfb34899a26fda600

SHA1
e5bfa1e80b6335d1aafa698a6c94c4d4b0b9894a

SHA256
1c671da129ec96ad041b8e0a1742157613ccaba14949b69984154834bac8b4d6

SHA512
0e8514863d8db591b5cc3071d451c24b867c2f04ac62f7f4a99066a925ea779bd16c854def81223d1eb462369a5d7376821a57b1498ec7fe523f4a5ebc38739d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4f5ecdcde3cddb2f9c607529cbece050

SHA1
603a8aa76f9589541e1564ee92378e3357db4f63

SHA256
ee57dd49849b318677d11a3a692e3e379f7db87d7e700237b964040962c45d18

SHA512
a63d862bb5ff8ace550df0015b5d89455ca59a1f61e657691a45f34f899ce1ee32d95d11cd47e876a8441b119320c000096eb22a2be227457384072e886ea556

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
efafef6e080c2811e3412edc3e7e0f1c

SHA1
c84dd90ce988026499436c8c69fbb1f90c96a57a

SHA256
7002ae0e4caeb2dfc07731f24df4a214a6f3b77e8535873cfd836d275943f11c

SHA512
8287b65a51cbe9028a53ba5c52eca0581982d7db3bfd9ec309f072d0a9ff16d5fb81877eebe1183e991979da4c87f63d985b7c8e86cb08318abca5077f33ce7e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
187532beb854ff0ccbeece1cb03f74c2

SHA1
dbf72d1af88288af0c36090b85c4189610396b2e

SHA256
d7ce9a0a0dfe12f8e57f494d980931854aa1235d3d3708f659f2eb72d05757b3

SHA512
1868112a924d5ab5edbabe1f7cfaaf8eafeb9a27d5dca475e0bb2833fcf637e606ce030bc39012a7e7c249d0bfd8bc8c1e4622a18ea1df9e6a4d660d2ff30572

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
92e398745fd8404f7aaadc78c359cb35

SHA1
35c9f9548ac3f7e676935b15413c4c6a2a150ca1

SHA256
7d2d2c7810c7f14180459ca92832c5c92fdee9d25a83c5720af1cbe6d7687a4c

SHA512
5dfef7a4c6837fce3f2a44614840ba54e09a9b176bcd4e7f1f811f77436af380f132d6b08c2b8176ebec77381c96553a83c526b84acd97232297292c87f090cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8635602c817f81a9d71c8b10347726d6

SHA1
5fca70f42f934c50033c59ca1ed9665d8ce83951

SHA256
c423781ab9d6b4094d17496f0abbba52cbad98f5622b907d5030320a32a5706e

SHA512
87917646f7d118403032016ebdef4522bb485b7e04d2dda89063450c2d64e2e74800eb779a31e55682f7d1c5378a367ec78053a89f68ca84ec40ff2c8624d814

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
154c325904bcf474fe7e4798a8d0db42

SHA1
c1296d34a70ca0e72054270175817b7d2666b972

SHA256
6fd94196bb3b794f6b0721320c47402f801b9b5dd0378cf6ef20329db79151bc

SHA512
88fa08d8ed95d986b531fd9fbad1327fb9529fea470ceae0de0f0a7ea78e62699c8567b4a9fda87a50c1ba9959987e5d46cb2a96fbc9e879132358c0ba2106b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a1581555e4b0cb79dee68fda26ac3ad4

SHA1
35be6a0bbc788cae9b2674bbc73e75b0816ee9bb

SHA256
b8031787b8b032db60412e8082b2ff6e0fd79e0e69552c2aa5bfae7093f0cf5a

SHA512
1150e9e5473a9c121cbfd30001239deb04672dd7b8a3b0ddc51a268856bb06d8852b88f7fcf31265b4da51b1b003c8a4e1ba991ba1a1ab9e8c90f6dad3abd5b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
29981d786149858e4f800b36c814ec4a

SHA1
91490161da0b87cf63a65e28fe587c322b41e9fc

SHA256
3a85e569a90d3286002d8117249a401d6215e2365f7aede8a182f3b4076742cc

SHA512
9aac48dd8b1578a457e37eb31792c6cb9ca3748015cd438d8d41c4a4461e1ed540892d85791a4893d64137a32f11631ef10f3855880f640b5eb06e3675f88a14

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f1e70ed58bbffddb75fd04d49244b4dc

SHA1
62f34d12ea117a1031a65388a66c8d0c1dca0825

SHA256
542540bc84cfec3dc2d7e447cad74b8d0da4ca21bb2abc50481bd3206aa5f5ab

SHA512
adf67499d265ae1cc67e5b314cf02cddeac4453e276e63194a7c1a9ec42485d768a928c357d01d48f751f869a10c73b3959233d531d5e48bb4546c33e089d490

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
42cfd9e89397d8040d9ba44bb191a4df

SHA1
512d305aa680a8d27570f273973c17d48d89f624

SHA256
157f222f108aa58ecd9afcc6dc7827ee2c0e662b5989ecaddfb122d501d9da4d

SHA512
96e09d7c5ddc74afcfd03e0c4f3fc2efe36cb4f4bbbe6683bf14a5d34bde56bc28af871419f262e71ec8978e5e7aeca65a93b4c706549de442e72680685ad482

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7634fb9780b245a42b533f5f8e91c30e

SHA1
ba84c66416177bf929a4d602c616b287256406e6

SHA256
cb9d5ba619d579ba8f46fa893ecfd3591077993c80688c5815654a7f254bee65

SHA512
aa0603ffbaa8ab594285e5a3dcab135d48539074a02144c61952ccf1c9205b31b2a3dd696f5c7df8c3b11a26b014f9a338ab853b89edb3a9a856ac4704e4ca20

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2dcc9c265625f8f8bcce23380f2fae66

SHA1
b269477cbd436e31ee86562a17fc6437bdf1e234

SHA256
6d322f5eea8477bf2b1df4f53d5d15b70ba34d6e71d3fb869497742ca216e0c6

SHA512
c663053a5ac9db0ef9686fc29b7506a116a1be3329ffc1cfb1f60b16f8a60a02c22fb467bc03cf155d3d60747c75fa88db06f1aaea7b4dc8936ba560468f10d5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b8bdf6c354aec34b61c17aaaf9cd41a0

SHA1
997d4c68918a0e1e0aab3de3784fbfd860f9580b

SHA256
ab26c1b9d5337bd9b2d730ada2b0fe06f4ad9f693fb416c4b2a322dda0acd13f

SHA512
fa776ef535903797f4cce6f3e4927e2c6484a832de5c6b70711852dfbf1d5b53967481478e0d39ef4bc77586a82041f98f33d5da684aca6524a94078dbfb8850

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
097c7883d7dd838d64bf28743daf5f06

SHA1
ff86737d68094bad83f7f42411aba9b67e5bf2d1

SHA256
fff06deb70c591037c7f23e1269ebad4d2e4afb113ef83c405657adc9be87602

SHA512
059a81ce9024cb0d5a051d664f17fc83096cf7db0312c5286362cc39b23177fc80b27ff395d3335a3cb189db5669e5d50341995cfedb92cbdb83fdc134c46335

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
151cd106f646512d4162377aca016361

SHA1
cb81d20c3428ee32a2a6117fea9a4ff68a81f1a2

SHA256
0f9e29c32dfe3bdf15dc53e3882939d10ab407db93da12384714723d519e66a4

SHA512
d2de173d5a0da9144a6c35810a09c0234038983134779ce7ced8f5e3126ee0a2102c360ce01e089312718da9c4d82b8ed27ba4d490f2e7add7f2a1da92b63268

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ed3e691dbb516cc087b0b6ad5cbbce87

SHA1
41e86ccf31f29398118ef0145cfdc33f661ea191

SHA256
9f80a12428972ff419b3f128c33f4476ade5ec52f69893be3aac055a85c049bc

SHA512
2fddbf8df429b7df72e4429e31100c3f917bb78026361ebb2238617ac0262eedfbf792c7d125fc6d17f75fb19954408ea0e7afa1b818f84992204daff248ce1b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c066de32a7bb18720638d3ed67b3c676

SHA1
1c52bfab7679457809a4adc319d970921f6f768c

SHA256
a8a1bea13ae5862d00ef2f17403e1728e2b9fd82da3c18e7658c2bd6194db8e5

SHA512
ba529986c0e1323d197535f9be27b699cb4076b420f2fd30345fd7ddfd5f6fe9978e830247c3b7be5a4c3e4cb46cb51527703a4b6e68db66bf1d3471534797e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
084dc8de68d45d55a6c674da802b6406

SHA1
446755e4f8de535f7f5e38ecc3c26ab59dd14d6f

SHA256
21e0c989ea73c67d4ecd21b2725dea9b89236018eb1b7692b344ef9f31d6b32c

SHA512
3c8124d4feb37dfebc2a388dbbd1058fc176ecc108bd0d3c87dc520882b02800c3eed04875ab974f7a0c5b349e98dd4ee0be78a0c07f56856243d3f29a5b9f8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f2ff3a222f8e06623b20309b927eaef5

SHA1
e8198bccd2042e50c31de922ababe54716fb31d4

SHA256
f521faa1bd08163a4a904486701aca418784c7bbaff7d297b7189f73530d1bb9

SHA512
99c55b13ae999a45650e4c0212c5853a3b5cf935df4d3be455a53d6b83a0ae7913c704b0383de5920e650eb4f2514aba361f0213e7de7e5ae661d7ae025b79a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2c6ffd5758828106d2cd0a58b298d3cd

SHA1
134ff3f1f8b3225cf5c0604a0c8fcf16828e15ba

SHA256
ea43602f46fc394e58133aaa03bc2baf8fd4fdf25ca8cd627aecc1c196ec32b5

SHA512
415ff158cc6e03d743dc069ea09f3a78fb8fbffc9d1ea9587bb5c8768f1a05efde672af5216dcdaf8cb25db7c4e1ed6ef3085914119915fcb9ec81215fb10e47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c8425a9dc2edc0d27b4266c30f8456a3

SHA1
197c9df0cfb470102896851ad6c68305076ffe95

SHA256
4a772e7dc3bc383ef689776c3c92133d4bac3ed56f1bb2fe9941573d746317a6

SHA512
5ad8f66c23ca131738d0e98039a362aa64cae0adca836418f6d3863d4d3987bd33938ad7a7487d8482d4ddf8f434d50efc47ff262722c3ec0c6f1613ea7918af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2f720c16d587c25198f95c706845f210

SHA1
76f2640543c1b8bfbe17e73a333563e1c5cd08ac

SHA256
39c7b8a608b50d311a701af5e0e0c81be00857bb82a6fa0be7637f8c48dcbe3c

SHA512
d5362cbd2862de6fcf723fa627cb68c3b8a8e034c9b1d4dec90a4cd746752ea304beacd1751a12c907635c346683b946e8778bc491fb94ad72bd2158611758d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ed89453b4e2ba2ec838fc1cb92d081b3

SHA1
a3a0fe3d8a810926025f835ee770a2a2b2b5548e

SHA256
a3cb2221bfeba2c3285a3c4041ed0e678b124f7d28fd821dea3432ce1a73ccda

SHA512
80e480508fb05be47e18ad129b68ec6cbb52a0e32144476af56a0c2df2cfa1c7716f32bed94c327d2f6063586eb64882d6d2ecbcb110bd7376ff2151ff10dae0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
3793e9803dd02cf4e68a0f6039154c4f

SHA1
9c82ff6c992c7aab75c0708c0fca21e5d30bed9a

SHA256
94d19f317e4b6faabff14f1794756af68c24a5776c34d3d1b5e073ae7ef285cb

SHA512
aa1f27cfec76ca9234a6f22156b4fee138630b467689105aa42b1dae3311013a4a9474cdf3cc1fe4f7e8f7186f096c9697d67318d359697ea05bf8b4a12abd1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9e6679d2d0fdb085f6e676a918c5503c

SHA1
092617e63e85b2810270ea005b8251d848148027

SHA256
6c2dfe0fa0ebe832ca00238854dfe01b67e910f5945106bd2f1eb89bb44423d1

SHA512
4ed2ea1002244c82b7bd7ae2bdf8408f142efaad028ca03fe63eb0367cfb84f1e13d7d92ada82355d8c6026110325295f69c4b71e9a1a95b34ba9ccfc14ca075

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e6e64464f0b04c5c1ed618e1e1137ad1

SHA1
eab24f8aafefa9c42209be47b38a945dfece381f

SHA256
36e7a7810460ab2f801762cfb3970abbfc959a8f9c00d739f9bd6bbb7ff59131

SHA512
269cd9a4db66d174cfd20327641bc043347e9b6bdb84044bd27219239aa18e3d4d5d5805001ce8750e74d9044723f85899e1fcd986bf23ec999960c85be3f103

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2cc82c4a9d89a3bea9829bcaf1e8aabd

SHA1
950540b0c4b10a15b3adcdafb7af01c8dde33a0d

SHA256
85eae905dca3286a90a06239738b8f623909c28ae839f0414f53d023fa0e7fcf

SHA512
20084631cf98ea5490c7402d52e64efff23877141a46c2b1373f3ea3569ee5d23b574219230c3c89522c795b9f972660cfb2e359ef4b6c9cdad412f51c2103ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5f785c6734f2ddb0e78448729a2c5a8a

SHA1
0aa34ca4a53ecafc8590b69e84e214b01c081fe5

SHA256
4a11fec4234e81462b2e8eb2ef7a61d681d8b129134da92370125d4dc99baa64

SHA512
895062952ceacb19b2e5c8eb35ac663734c68e792760f994a557ab88302fb8ba2a17815324330f504b49cfe9b02a2eb83e8f40d53c2bca819b060f876e5f3cba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5710d9630c13508ae618adbe2e263d0c

SHA1
1f831cdfdd7c26961db6b4bd15c344eb6a3291a8

SHA256
da8ea752c3a1cf401c9dfa5951e3e2bd092c0a45dd5e08844ea3ac4efb8d3d5e

SHA512
efc6dc3a0a3822a1e9629ba36a0924c0c601a77f6581c67b496f907aa815d984cc73249bccd6c0884b25cfdd4079bcefb8a0a5dfbee4bc913ef44b24af1d3c91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
184e674127662ce35dc10880b5743bde

SHA1
5db111adca6b3da3d804b51075d598fb760e7695

SHA256
a85f5df6ff9e6369ba89e57a4aaf664b825c061208f0c8e7e8569868dad32525

SHA512
7c490ea2f1456d5fa10eac53625d974c6ae207edb91ff69c2af1b24550b19d45bfc44b0c0bc3a2497ab548c3a314922ab32c4201323245560f5fd1b75bdcba66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
038f92f8ea811d77f009bebb087477be

SHA1
4a5d0b1424a10c0737f0b205b2fbfef4df8ec570

SHA256
7432c56836ae17c7be2653bb795dd9c6928bc4adc5afcd8269777815304db39d

SHA512
b9cd0b3b92f122e403369c3840b8223d16e45f82f9821416712bc3f92b05dcc44bbf4424eac8b5fc5331bdefa938393c776f318af0cfb96171b16d459755138f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
045d370c2e807bd845e8bfb7e7b77be1

SHA1
3dc501600230ee486d8189eda8fb900749e5cf3c

SHA256
2e5174799e87fd654a3257f87fe4810414c28addb7da4591bf8f231504d2b525

SHA512
26f42184de914a4d626f16243b17934a94ca3f452b92e77a8f2a7cc9f3455e13e122cf96b4d558a37c804da0ebc37f43950ce060b7d286c3719d29680b8954c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
454474254c36228c33f12c44945e926f

SHA1
26a2709adc8e85f6c45c57a918d24d992978a9eb

SHA256
dd10dbd40664d20312eab46350df235568bc6a8ab7b82cf1d82fe5a242fb8c8d

SHA512
f548464c49ee27d0c647c8fc81bc0b9a34e54a494493c3a156dd3cc76c5ed4555552d8a922cb586603fc996929d16139afd8174db8ac951cba0b376895a63712

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
81b752cb32e0e7626865dcc716041e6d

SHA1
88d0cfb6c0acbbf90946dd80ce7be2fe726452f6

SHA256
5389be870d3bd56a582f9bcc80ef4eaab2e095a92dde7737c3841bed5e5fab67

SHA512
c82399fcba4a4d65b24c6edc03b9b86ccd6940b14c177f5aff5f426230dd8c60b0f6012da054253688cf9533ad325947e60b09484362e79e70088caf1c7482ee

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5f8ab10a54fe82183b23b2eff713193f

SHA1
5dcbf4830b9e5ce26cebdf13675efa576c223feb

SHA256
c95e74a9ead3116ed96e9ea901574ab6fbfdc12e327484ceb1d8e1f890ded596

SHA512
bf622cef2825eb015eb7039c36baa562d6ca8b7bbffbe63513397b450de3b169b954778f0085298ba63fa89f0c2d510aec3346d8b399374eaa5efb3d52bbe82f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e931550f1468ae043faa99c5bd75364e

SHA1
1ee18a49e3c26c7d093e0dd6b4a7c2390f169568

SHA256
770e9aa06770168b3a7cfc0a72ef9f3455455cd25420476ee23e8b49b0b5c2d3

SHA512
6b1dc9f4aef131eb3f217f4990f92eca091dc61777e593e89479cc68089b49ad73c0b91b2921cb7f4dd66943a17b13179537a39019a76ea8accfaf8777f86207

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e89a0d8b71994c7460331ca672084520

SHA1
0a6a7f10a60c3be8d8ffb7635ab6117f94c99811

SHA256
bf4d229a51230d26360e154b5b8b7bbdb9c1100a6826324608805ef75aa0bd3d

SHA512
d32626b6c8f808a0f234d0d3f3eeb0730cda4d4e618e25a03678a23d11dd583dc0c8b3055aaf8db3f3d0b3145de914be36c54be6b98ce37596163d506e863ba0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
99583aa8c11e59b1df559e774ec9f461

SHA1
34aebb8cbf07fda7708060e19cf224bcf65e984f

SHA256
2bd426e598d8a45a9a606b21ab89c2ea39cffa191f95429e0ddbaa674777126b

SHA512
7e936fa85460e34ff0cd4e39f664ee35b9208207b63b2d46d72bc3e84f9686e9621e49ead660003b7183d6d4670aaffe618a2639df991390e445f4b23d35ed0d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8845be5a354817bb1d811447f3242e23

SHA1
087d4557a41f79c9bafcde3ccb0656b53af727fb

SHA256
0681caa2ce8f864fd44b341619d30d4bd0be4347ecd7e99d8a11b49cf04739e2

SHA512
bd193c7fa7be9a6d3e83207d597be550e136282216129918a17ad16e1f6311adabbaf62cbdc0de1a03ced13790efd111380dfb4ed25e5ebc2477ad6cfc8ccaaa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
50989004edae417aa3b53c2349089dff

SHA1
5fa3bffd4bd34fcfff9fcc1a15394d28f43fcbcf

SHA256
d03dc00b976d7d5a3e30b088aa3442e4aad3491788bf58e2f2d2738ee8a133c0

SHA512
93eca10e642b1fbae7cfe875d5de44b3dc6e5268cebad6594a72f2b37c90a560c3362973d923bee72950a0e3954df8ff16220cdec2bf7d2a3257b5a9163a6c39

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
41849c4bd6f5279de303b4c4828970d6

SHA1
3ac6e007acae426216c0f9f7f5f697daf2d78320

SHA256
13283c27b42a4a410264f0545fb181f0d602792786e76d71a9ac8a34431efdb9

SHA512
131890196817810632737cdde4600d32a0f73edeb325d62d8fe13174b288a79f9e270c09a65182dc7dafb5414c99cb60a0aec9cb5017c45f53095093063bdc4c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
54e13b2fdc340899c1e36b8fc762e6e0

SHA1
a18b7dc8e2be87fb01e8ce9bc054ce4bb3183e5d

SHA256
8f6f34ebbe592e77e5e0234ee785cd51f435e31056e502cac2f5655398ca7165

SHA512
b7684555074228e8c2f068dd44a6d060ceecef7fe70169dc7296451bdb51219b763b714a1fa5ed5c907c0d53c0527673fb6029a3fc761983cf09dee785dac2c4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
643e546a97f6f10c0c9be4c8614f8443

SHA1
addd25fe008ca465d750e47647930e1d1f8f70ef

SHA256
cb63ff174d02a93b9d8e1d67f58a71c803629db4129708585cebb6bb3935e3b0

SHA512
896a4969869c4b8cdd174a2317c2c623ec20037a51c1b40e5b3db9926860212f769509024d99b4cda55d92b15181ab002fdaab8a45a56250ec8e2f79a7d265c7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f92f7be1667128e2669753ca9ee1eb3b

SHA1
5b50baa5552a5bbb9fc3ea60574c7e380cc7588a

SHA256
cca1bd4417e72041df4eeb96d2f031311651c443e1f234d2498ae58150824a2f

SHA512
5dd07fb5c0e6c89742bc5a1d388d78e48e1a9cfa8b12b19810d4fe70e4977019a84bdf4f8da07d1eea5229b70f95b1ea7ba7c919b3b15b07652f82b8f4702e1f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
06acddd4e2639923e7315baf4e381ed4

SHA1
a4c7577cf0b7109ff0de5d12e058324e7d731a6c

SHA256
bbfdca3f2311fdaaaadffb0442eb91e8e50b0ecef42011c811ec17b6581a61bd

SHA512
30a808a4aa1a6c079cd357fd0d17b18c96f5f0608bd81d2cc8500d54e21fd336e4c291a0d930646ca3144da21cd1d00f9c7fd08f79ddab4135b0a48ef7c83f44

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1247298501e6801b26d4883707a4f069

SHA1
c3e8459f03a3bb642cdffa295a17b18013552829

SHA256
154f8fe10c0de6e98f4d29279970e737e4e986fa4b514f5d97886e9c61385dfa

SHA512
c51b24b8268b086d7df47baa1e198125e2812f8c40c51ffcddc44b0998fa805a8f641a3dc98af8a9ec04c332b1dcb6712e44d1b635598d2b797a1370d438bb32

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
03ce2aafe50f22999264780b02c9f943

SHA1
815ca7bb81931b7bbae5b619c2d7b954c1d264f6

SHA256
9792548fc659e3a48124b0871a170b90f47321950c1ea4301d20634fe0ca5640

SHA512
270342ca09c0fc60eb18f06360942b9f9474a25fd681ec29c063e7fc121fc2a25733b77728d37f882ec6397fb35926e5acdc4a62049b495e8de74fd990933634

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5a50ed9d2ba6352b133d73d9b3ae7fce

SHA1
b148a00dfeeb8b6eb2c577feada72752719f5d9e

SHA256
d42dfd4c91d07a00122e3684b4dde66a039afa0b85042f315aabb1c74a114b99

SHA512
c027ab0100d7d17171cf76a4a26469f49e5d2fd98017b3a0d042d33d33a15c4736e86d3c5faee292d265f7f8cba3aabcb5cf86be7f9776a91a10f4843a1d6958

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fbf7421b88a0fdf121c7bba310fedbcb

SHA1
41b184737a8e50aba707888c01be6b439fef173d

SHA256
8bda76e31bbbadd4575d980675065dd3bdaa40ff2dd5127629299a125f6e637c

SHA512
0f9b6275103c8c10e7375cc9fe5c1f7177bd0e0eb4bb6021096be3d26099c6bce852f8376d9623034349f55923df09f97173cd6d574fb6ff4f73f984a8c83ad3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
861c5f5d6f64e341ed2b2d98b2bedad8

SHA1
cc9dc420783f5d960d17cc7d1602bfb3fba33477

SHA256
b93c9807a6d6c363bdd90f30536b508cc0df9c18ea9a54abb4322662ba57d4a4

SHA512
0ba813e979ad8c25714eac1b7541a4017165ddfba9613c8d7f0a146dc3dfe05bc94ceca21d554104434858c9777aafc7dc223a6306a72b97bc45d53b4157917e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b01eb78235cadf1e5d51c275610cfb01

SHA1
9bac98189a8b6250d088b18a89833381dae3aadb

SHA256
f01d441b085b476683cf324263b8b8757174592a83ab96018528a4bfb2590515

SHA512
467a9137845a632c206b7b90a78092e0be72a47a83fb1e40db0960b9e52f61303a19fe30c6ac554abd274be189fc167f5422896f1d0f4eec9a6d986d37024466

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7a74639c65adb885aa1b0caa72f94246

SHA1
daddb901f2408141022e78861ca3ef98e385c450

SHA256
db8b89224a77b43ff063769820139bb7f97b1bc868008f7883cb646b56b4702e

SHA512
c4329083b46c295c420aedbc8232f10588e328459098131191211710d18db1b138768120701e94d9b3bd14c78c3388dcabb692b7dbf53111ecc2dafc0f2a7d90

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
fc7dea3af9be8e47c1d033a72bab2ed6

SHA1
7ef1f5b8901d13c3b3ed1217f2d71f5643ed6c4a

SHA256
805f6f01c74354f3e5c2cd2221d8c066530ee16c73ab0c8d4a71826f944eb06e

SHA512
4c75024863e981bca61a176301a915684f4dab1209a762a2ca03bee58c67389964c805a124dc5410f1faec038c5866903ccda768157d61e9bfdc0a858e8d2ece

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d4a02482e3c1e08917ffbc4e3bb44b1d

SHA1
131d513be74b1f0efeaf2e814ad95e16f0f6c6fd

SHA256
eb6d35508cea58669893c7cef57cecc72b073eb421c6c905fbb5dd27c4ef94a7

SHA512
e60e48625b0f4e00a70e4a8eaa2c6e37e10f63ce2ec8884c9320d541578cb72df1929fde5d1eb15ce9bfc6e98fd4e19d282b3327f504a8310c0f2fb83a2597e2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
93b92e757e8782393ed347592e86f76d

SHA1
6162f6357f33d0a17860a598ec4f8664338e8d06

SHA256
6856596bf85370eeac9738a12504a92abe93176719eb6e13f2236d88aa360deb

SHA512
a6698b9e971a90e59588427099b69df86d84a19313ee178ab4f1f51b847c328723a94a737816e60552d3395f43a5d362a7f83a239ac05f43a66fb889c58ffdb8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4cf8137d2e956e39ea909aec6dc4bb92

SHA1
769bbc407afe31a05e292dcb5009f9f74b8250e5

SHA256
78f1fb9d92ab9bf888928b6f2161678eb7bd87ad44ec859af0bad364bce35b04

SHA512
e5eb80e12dfd7272677403973a2a87fedd9186c4768574e536d48911773c28dffc123c7de4f12370104afe38ae9aeb5816794e0e3649b73eab8791ea4ce7df55

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
3b7165291bc65a34d56a39189647839c

SHA1
04255d6a70dbcdfb3fe15723351ab1e1b45e952d

SHA256
d2a0fb873e18fe8c935a77157c4ff2151edf212b064168ae6e476205b86662f6

SHA512
9aa1810c2576666cc57933a1b54948c4d3f4ac069fc9a0b1225e413d4af4ee015f7071a09de8a911102c0976c097f0894f45fa8fd5ab3e0d1fd8b7e11dd2feb1

Download Submit
memory/644-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/644-564-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/808-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/808-146-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/808-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/808-51-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/840-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/840-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/964-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/964-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/964-73-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/964-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1432-134-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1432-545-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1716-563-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1716-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1948-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1948-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2044-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2044-65-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2044-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2044-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2044-55-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2292-164-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2292-107-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2292-105-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/2292-99-0x0000000000710000-0x0000000000776000-memory.dmp

Filesize
408KB

Download
memory/2520-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2520-152-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2704-160-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2704-94-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2704-95-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2704-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2768-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2768-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2992-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2992-566-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3476-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3476-570-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3872-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3872-2-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/3872-6-0x0000000000650000-0x00000000006B6000-memory.dmp

Filesize
408KB

Download
memory/3872-81-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3936-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3936-565-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4260-133-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4260-37-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4260-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4260-31-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4264-342-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4264-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4308-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4308-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4308-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4364-569-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4364-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4596-112-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4596-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4596-24-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4596-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4640-113-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4972-407-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4972-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download