d0840a7bf6250401cf9a336116ac7171f1dc8f16454d5c6fe4f2af3b89479467

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Size

1.8MB
MD5

97883ab52cc099de79bbbdb4784480d0
SHA1

851ad674287969263b1254ef8dadef90339405d0
SHA256

d0840a7bf6250401cf9a336116ac7171f1dc8f16454d5c6fe4f2af3b89479467
SHA512

5101c24c3c85a250d64645a95dd4642b409f846cc70b33c5cd6adc41bb76a5f13e62eef924e618be43adc2cc86d94ae4528fb5e51e996140ec08209f9f421105
SSDEEP

49152:IE19+ApwXk1QE1RzsEQPaxHNsXvYMLprznyDSga9:N93wXmoKUXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3668	alg.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1768	fxssvc.exe
376	elevation_service.exe
4516	elevation_service.exe
4876	maintenanceservice.exe
4648	msdtc.exe
2744	OSE.EXE
3952	PerceptionSimulationService.exe
4900	perfhost.exe
1912	locator.exe
4116	SensorDataService.exe
4692	snmptrap.exe
2732	spectrum.exe
3988	ssh-agent.exe
4000	TieringEngineService.exe
4688	AgentService.exe
816	vds.exe
468	vssvc.exe
432	wbengine.exe
3196	WmiApSrv.exe
1020	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\69ec2adcc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009686da6b76abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab8c7d6b76abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a794b6b76abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e9dc6b76abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff66386b76abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001f1416b76abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bf4036b76abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c917496b76abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe
1492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeAuditPrivilege	1768	fxssvc.exe
Token: SeRestorePrivilege	4000	TieringEngineService.exe
Token: SeManageVolumePrivilege	4000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4688	AgentService.exe
Token: SeBackupPrivilege	468	vssvc.exe
Token: SeRestorePrivilege	468	vssvc.exe
Token: SeAuditPrivilege	468	vssvc.exe
Token: SeBackupPrivilege	432	wbengine.exe
Token: SeRestorePrivilege	432	wbengine.exe
Token: SeSecurityPrivilege	432	wbengine.exe
Token: 33	1020	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1020	SearchIndexer.exe
Token: SeDebugPrivilege	1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeDebugPrivilege	1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeDebugPrivilege	1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeDebugPrivilege	1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeDebugPrivilege	1412	2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
Token: SeDebugPrivilege	1492	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3392	1020	SearchIndexer.exe	109
PID 1020 wrote to memory of 3392	1020	SearchIndexer.exe	109
PID 1020 wrote to memory of 4272	1020	SearchIndexer.exe	110
PID 1020 wrote to memory of 4272	1020	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_97883ab52cc099de79bbbdb4784480d0_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1048

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4648

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2732

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ecb8ca2896cb6e745e2318346e9a10e8

SHA1
eb06cc6728fb5926b7b1fd0c46f21217472c508f

SHA256
81750c84f455607b3b9485a9a675dab4cf4ca4662d91e4a554eabfd79924fcca

SHA512
e4c31022024ad4d7f7f15ae99b67728edbda7a3fa51b37c5016eefa6d23770f032b853978390407cfa1d134ea8f2df9cd031dfd502f49421cf56af685c140add

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f74c1724edaa1d1bd9fdd3175672d671

SHA1
ed642c92b81ef956474f5b9c0d751c26c4ae9d53

SHA256
c76ad1362246f16558d9322789aaaf3b824771f5b85a08d256c020028d2506ce

SHA512
9556a51c6ea2dfde824e7a3f5e9c8d770d5fcdf801ae137656b6c181683db06c6aabac5ad21c84c1dfe9ca5aa70e8a2acb4fce3e0c0aca9c1faeca444b91bce8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ea66e823f72a33b5f9b57cfae223b50c

SHA1
cc8c71faf7959dbf14f41a5a233b4bda629ff843

SHA256
88902a5824843d4a82e037a47f4dd32923c7dc3d89448a4cc4439f265f324806

SHA512
c5b666cab9127fcda9815e43a41880ed0284698e80fcd7d6c28b5e96439c63ebdeedc8593d475ff73f928523fba613bb7391a94c9a735327e91c203cf10827c7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a8bc8a0e6b48be39f340fb43f2a8b49f

SHA1
c8c7f7f8b40a90a57a8a3d10078bc290af6bd020

SHA256
1b7a20300c46055ce025cdea6c7b4826899ed0d61d8351aac144ef173f08df1f

SHA512
7dd349987869edb71370c0e936858227acd0ffcf22ebd88cee0a280f11fdad19f7a7bdb47739142c0310b4ee946bc150c16e53f213d4049f309854ef7a2c7bb5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eac9e1db382e0df3317b22d063af4042

SHA1
15ec1b554dcc886ff4a79b3aeb0a3bfdd7a03d07

SHA256
ada1d3cbc8ac773c85933fba9125456e8ba1409e68bfcb191b48bc034bce155c

SHA512
425f678878f526d173ec80b91e2c971bddc6fd5da2fbdfb39aec3fc065f12ef22884ec929701898c1c9c490ac85854b0a1866c315aab35327469ce42b6114aef

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e397445fad69fa5dfc545c4e71c63f3d

SHA1
660b85b8287445e552c65211cc6c1648b0d821bb

SHA256
4dee751d4322358081d1056b00239c9cbf7666514fbdc753244912ae1a2f377d

SHA512
247f1568bac73e022cac4aa15e21f5f6ce7f4384acd9d96ced29510aa468b5f0686bbd33b3915756123980a1c28d84669987fee8112f9ab09303158ddc6ef61b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
324d361708a6943849d959928f2a69c4

SHA1
84354453128f190fb10c510222241f483ceeb0b8

SHA256
ad52482267ea2e8457cffdef6b265d629eef9b953008be9686c5d1e7e8a528b2

SHA512
c3e4c19f3f4706b4cb6f64cc807fad68241687eec39b5392ce39225d1a54ab35053e63b62efaf4e3e2caa4af2812e4655b5a05f30b7f72acda3dccfc227155f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0ad0c4faec57ab32088035bf2b83d8bf

SHA1
9bfd8ff3570b6104962b898d62277b9890738d46

SHA256
6295947a2619ddc23dc08b15fb67f4389e7d9d02d96788264005737d58b30a76

SHA512
f51292572976202688b1b2b96c4e7445ca2b7e3598e187cc1b16209c99a0260262b40d9e23077bc75032ba0a3d44494f21d64a813c1153e4ca74d1d192f5e4bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
67ca2621c4647192c23322fe9abae56f

SHA1
479422794e492a92181fa85f83a853ec7c18fabd

SHA256
b2e62dc96504d51c5c083fb789b9f8eba2aa1c37d935a72c9b7c3cc573549c92

SHA512
4607a75db76a9880a3582a6cfe51642062aa4c65d8781ee79f4eff8470bb9bb08db26ee096e0c4a0b5e763c52482c06824a7c2802d0200cbe959e4499698dbcd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b6b41e2052b1b949054b2cc865d023f7

SHA1
2fd58876ec3871e64e475713a91f634ba60f7b5a

SHA256
72c2bc2ad224f2751de3609cf4003439080822c1dd7a541447e956fa5377ebda

SHA512
d75baeae409fbba4903b3f9b4a56443a3a7d62103640f315a503106178a845245fe679e1e7b1df6a03d4bc0d36a54d655e74b85647e7956e84f8ac9b738ad355

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ddcb73584376469167d077e16ab0062d

SHA1
477512353f827f7beef2547f4b9bef775341bf6e

SHA256
5a127da1e38a05d7f96d161a9bb1f46ecbbcd84587bfebfb415b1d47dc2e27a4

SHA512
0e784a6bb680e33adde2685cd640aa52f4fe9e8e764a549f00bbf68e505aecd4b17ffd57dff2a033018919d736082472c5eda0f0415b137d3e81c799d3bdac6a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
00897d91d01321fa9e1ac3a215c8867c

SHA1
c3f3c68a7ef2d44a17c48c5a80b73db217cfe453

SHA256
d3b1c983f99cf5fb3895be709492f572609adb8c2995c07e4653381051aae7d1

SHA512
65cde2a3f6601f8a1601fff852b70af2fda9989c2042382a407cd8fdc8aef3d7a0ab2c224daa3301a779713813774d9fdd1f8dfacfd94b30f860646167297719

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
a6f1abd630d92118e029a5f21ec463b7

SHA1
0a660e871a3b8c24aa272de7c05a3eac56b0f89a

SHA256
f9381f1724f9678dd6176f319f652fe18d0c4e8c4af34a18b72e0b1d0d52732d

SHA512
028138f808f5d57f69458ea6e4e9e4e1811334cc96d9dc8795305b065a7005f9949e3a02959cad7aaf0ed81f30ff09bd6955fed7bc78ea9acc2db3ff8b037f08

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3cc3d0f4ca1b44ec57d453bad666f4b8

SHA1
94fa8a452aa9dac55c432277008f642ce5844a39

SHA256
2d5862067fd0c1de50cb77fefea494375268435baa33336d7e407f8b2fd8ba05

SHA512
5751add745b76b9127e3a53b6dce98ff618950f5667e8486a3185e045bac0ed569c62577aaaf62ad16a233c3c72251069d6318bfb92e7aaaecfe3e0d9b250574

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4fe955e6accd66957d5d33f2d40c61d7

SHA1
e85b470dcc0f4ea9ae737977ae81068e20c2dd71

SHA256
c0abf34ff72562b7911b62bc552c5e28270bf977ea946278767dd2d465b7414b

SHA512
e02516a038f70e036a56d28b518aad8521b61564dad0f538d2a3b4ff640758021d82e1b5c06e50ac788e47b3a01dba704eda703c9cde5b9c80c3f63c0a85f35d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ceab02e522063cbd2de9998ed1b0d12e

SHA1
7d74a04b150e2f153b2ac73249567fa93d6b8be7

SHA256
f41452dc8cb0fbcb35e672593ba8270495d4958b5a77de10419ba9d2beb87f02

SHA512
32d2b62e604f38d21c4dd5666e5455d75efe7b305cab29f5ba600bc9e4a14bff2167619e627a0527fbd8905716f06e3ac0e415655f8896b5ab44fd63505b2fad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
297352639d3f6aed5fd7c393a3e1b93a

SHA1
85556bfccf72f038ab87e389348639c8f6c8b656

SHA256
876e4c4e13759e2295ffd305ea336fd75be3ba5675adc59b61e29bf5efa0083a

SHA512
783f42c1ebea1c4b20a6cff337b8d8665952abee241cb69814acdbc04f8a9eb75ec63cc6e080859abe51d126dc846b24cf6e1184a37b57b7377ebc589ecbeeeb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ce719ce6485b35e74fa3d8bfba861b36

SHA1
4a25bb32b4298a674c6f666224c6d257fcdc528f

SHA256
3da6277fff1a64d1f8b4b3fa461fa1106ca778f83977216236fd079c73f74892

SHA512
445a6e19eb51396ab39149f61937c09d42a7cc129b9a8a5d807651a65f4490eea088f8abd8a32e41dee3bfbb3cea7ab4e6353630a29a0436bc6d50b42cd10afd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d2fb1d5d93b2efb70c6bd83ba3270c67

SHA1
f61a7bbfc0441754d90f98df8820fd1be7417fb8

SHA256
e0b2d71d3dc75877c95e0d97e4ff1bb1e1dee67ab2666f6a7505299f034123bd

SHA512
a98606172176a2e629636fbc517b25eef094bc489a6074b6eca6d2b1b8ec33d5c0af7921f5498833c66bb1cef7fa34673712f3ac9400a715cb69ed4b961aa804

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fd41c9846d88152521d3c9209e70b950

SHA1
8174817d6ea60d34653349fee8e75a0a2d6c17f0

SHA256
5e9697e5736fd834477aa1c29b20cd356e80806d217a04243aad4cb44f23c818

SHA512
57749e8d6fdb4c0eb585a2648d1934070979c572373f983a36479f524f0a5fd084c42dace250fe99de9e218521ad3d83cb793f027406fcd929523f77ea537612

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f5c7fff87afdd8121a26a667975db9cd

SHA1
785fab89a9d1294543c07de4714500885ad6ecfa

SHA256
b12c6bd9d32f7eeb0ed5a5e4e82d5013d206d8d49c3d063afdfabb2df375c5f2

SHA512
1c240ba46fbba25ea6e728d3a8b0d9d3f9d5763b3c32d51573d5f069d4d89170095010568ec06a526ee394f1cc3be24a71415b24555f9f1f54fc25eba1dcf1fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a3f845875366fc7e0c3202c5a39dd9d1

SHA1
ec48e1d8ed433bda644a2d43c82faf4fa3819752

SHA256
13325ed98151bdf24cbd1abe58f378cd7107e5bc286defbcee7cffdd67ba8eab

SHA512
366e4a0a28c150ec5db455da3339b3a5b20126e78ece2f75a5281208ee687b8e3d5884881c0629d184ceb50e1f86ca25f50158dffe61172ae6bcf0010b1d7699

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
e98950e4fb0ab36795b768fbdb1a3834

SHA1
d9f0ff3490c5e816593016eb8e2a0bce1e55d6fe

SHA256
37b4a4c83e1691360e6842cea44d32902e2228c38269a23ec78669248e8a2404

SHA512
6fc1c64362cf8cbd86e66006e1281c081a7fc2233841c942d9d58cb9be063bf46f32791652efaa8e5ca6b6146ba7eb4e63ced6749e06ed1b53f32c3095d630a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e340fdf237d5c79b10a1358d3a18a153

SHA1
9c338dc7cfc2b52f73e2d23e62a49debf4beea0f

SHA256
802dbee8f28228794203036349f761261859fbc8ebebcd302282391bcfc1691b

SHA512
19c50917704f2034112d6e7053a63872fcb97263268acf274b9dc7695261d27bd339efd0bfab9e81e35c153ab818f8e35f0c6154b3b88e997a387d6dbc2d721f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f6695b7b4931b16eb627524e72407f4c

SHA1
6e44f16d83ad59d9f7b2ed62a7fbd155c5ca09c6

SHA256
caea360e8f284830c11377c17990d1554f18e191da6b1f3670a7c2ed1cb410ea

SHA512
b48a7ac225da7b11c2f82824e51c65b8d3e62623f12f832cd779021208cb21ec6d752949a368a3c4adf21e66f9d1dd8293d6105f42713ff503c0401641ae85f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
58e7e8c79d8ce4dae2822253ed94d416

SHA1
da1bf4e832ff9f7e6deb387d1154117a609f58c7

SHA256
e5cfb4ca8d1de3a0fee14feac7d3efd8d520f00c2c157ecc2ce212691cfd2418

SHA512
bbf3ba1f4392721aac0b6302848563a1330a06640d4d3063332ffceb47dbe042b08141f99d5d4068b0ca0f136e40b93d0b953fa44f8279d7965821d0e13b682a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ba593103f1bb09be7976da228483a45c

SHA1
cedde2c67fb1c494f7d19a364c3866703745117e

SHA256
0a79fbf84c8334e48da25e9e5308ce92163017588c786fe08a30c18a018d6465

SHA512
d3cbc4fc5807f5ac0cc8fe1abc01665dc08fb2ad5e49a2c9020258f3c7ebb8d4d5f88c54c0552cef0e8470f898bea23f2286f834a7f2d6a615061e7212f97bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
b40c0624423fbc43bec4fcd360af2e11

SHA1
6b462908565858149e262bc7eb89d78732b407dd

SHA256
fd9613550087e57c79cc88be062ecef8c08c6476a6856d43d097248ff53c4b8d

SHA512
e2c5f8ef00d0f9e0508a4f528c49bb2e34887cb9cf2f2562704bef34a14cc20543b154fc02fbc33c05100f3e684a0007a42a4e5ad476fc4527bfc294aa1550d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b6b41f014eb1f5c1555574625dc7a840

SHA1
5e39ae83417fe4fb9ab13bb0ec62539ae30e2c29

SHA256
a60fe416372b85f5d9b958b25f6bc3c02ec68f9f4614ec9a47d316c93a6d8605

SHA512
18fe63a60761a829f00b3ba44b7abf985a44d1869630857ada39b58070d9f87612dac1ff033302dec584cbaa0b92e8b4f3982d1f7721f4dee120d62ebb732c49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a84e54ea230577b4aef573e02d394856

SHA1
129a1e9063aba03c7fbf6fe88b3ec54bc16948cd

SHA256
bbe5249fff3be806f3b13bb734cbbed4c85987af1fcf9d0cd7df7f4be8139c3c

SHA512
8a223f9338d565d776c7f8854c28b3f82cd4f8a63fbd1caf146a8c7be15021272826513395d684216501dfc13f447292209e81c8dd4137da52bf3405c009feac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
eb7f35924a31d599dfb794ca339b3dc4

SHA1
bd7c1d80b970266b3048fa9daaf9d62f56fb35b3

SHA256
30ead213d3e5925a26d0eaf9f6abd4a3a8dde687db714ecc3223890178a9de8a

SHA512
5cf45346a7e67780463a10477f03fbd4319f140b7d2d16c7f10d1603217dda319de95eba2d532b1b02ee58314cf717edb74733490a8ae739a3763bc34b2f3028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
53bdd5c38c90558e0bbff5683c103e55

SHA1
e1b4f3951aa0074267d124e25a726f7e61936fc1

SHA256
c3e0282e75ed099fc9bebc598b51e0f29acd084c54e90abdb62a1ee7f1299180

SHA512
e317b4b4467adb53ee11b4e67d0ff944bbb1dfcc2236d2ddd4a5079d7f55ccfc03fb209fb2e5b8a31e9341c079855d026606468a34fbf96e856dfa42a168e4d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7d56d21c1fba62cab6f2dba8fc829665

SHA1
3c7330ade8c19d2b73dfd0effd72e3e439d45678

SHA256
71c047dc0ed77bb52b8554a78ffed41020abbe21270e24fee4690d15fe1b7476

SHA512
b8ea001e1c9782373092ce5b1a28db86340d2db3bc9ae23c13e2fde6bda2e17b509291ed61ac4d9c523589b0c4be88b83c2474e47bf511a260bb4f68d80116f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
28a2016cec9f861312260cbdd253d971

SHA1
62c8e7f8011e177d44775369266f73cc99e03759

SHA256
e2b4d7c1d9eb9a55c1b0516a02611dd2594255c949d2609d64a5b530c62fd149

SHA512
3aa8242ac6b0f68b934740f72169ea10b1ab71e762f3f4d3e74ac6dfd3f46756860e3acbd7733f3e95d48c9f42626750e398b7001583d40ee36f3e9fd248d8a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
fda313df921ef0d67537a13ceea0dc50

SHA1
7d68672a4b1dc1c483760be1ac9603cc7e33f611

SHA256
d37f2346111d91bc9194b62140b37cadba42d2ce74e045beb07fba83a376a318

SHA512
2981d2c9e6859894d48b482b1d35748080e55e86395f65b22776de12b883e5d140e16e8be2b680b73ec589809141c6a51c719cab801158f812c1cb686e1fea77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
009fd6da561db985a40f6f598478312a

SHA1
6b3d92654a72dc64ee1032803607ca2985e20e78

SHA256
fe68c50bdaed1f5fd33ac0a49d6380b23286d95d46da2943bbbbe6df3d3e399e

SHA512
85456278c04fbfd1ba4c7b015c1cf524b188e3219ad909b11bbf7077447b6da1629171d33617149fa441bf7cd5258df9cf345c8e9b88b4b5a3e6a1368ce913b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f2eace844db1872e3b92e9b72b1af58f

SHA1
5779cc65481bc5225187cc2ce3e0217c89021f0f

SHA256
88b7b6c23b66bba9e5802065bd12663122d21523761ab47688349301820a510a

SHA512
b5e2bfc16b0772185126ffe7c5f225fcf403815508cb56200d2a9c195aeb1a1d37528909d88d2859a795aa2d487d25e5dff9835066c5d4e9450e99fdddf877da

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2b47b8f5bd7d271e31190dcbe8e4d1d1

SHA1
d5827e4b0a4da96668080056a2c71c8dfd422de2

SHA256
fe14ace21679f42c9975ea29202933c8d1761d9c6bf901bf317a1724dfcec3cc

SHA512
8d844ff43b246cc92e85c483423be0932f0893fa6131e4d8406554a4b0d47104f0669ab63b210a35cb704f4e4d1eaa551bcf3e3da78a02f0134caa75c8b3283f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1c6985d6cac711cc1cf053f2bb5ed4d2

SHA1
7d2be1a18595ef6cb6da16e31af891d2025dfe5d

SHA256
e540ba57505ebaa16922c96645d5cb008e7bc81a63de7bc3fdc5212c9b124216

SHA512
c0edda16cc7e81b02daf212744b8635c65ecc8753587db2e43697cc63455d787ca1f716e62b0f4e7cef7dcfa17981375cade354f24f618d20301d67a26134dd8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9ffcf4ee305ef63e67f604975565487a

SHA1
4baf2ce2f6820ee512dc53fb256696e8748dcdd0

SHA256
6953406e2e3ba5ed6ac3eb59d52930358c55ee8ec2e9ad1d1a323f8f9cf19e40

SHA512
cafa7eba0029f3fa41a25461008cfecb48d141f0321681527d9ff42d75243a3f5f0b6aa75ed2ce0673e978b25a62986a4fbc159bcf2260c30367c2e6ee912f8a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
be3579ee8f0aa391784f5c29c9e1bb8f

SHA1
88b8e92d1de6afacf1896c02c66af27378760daf

SHA256
f855703d4566866ebb0a61769fe09c01aa164ed0bc8b1a4d156d727a00a3aaba

SHA512
c38e081159e296a09d569bfd915be6ed888d53212e4e095e96c31cbe49ce3b82301056fd2c336ef716714bef7f7e115ed0bf439dea36b3337c7221982675f67e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ac568cc296a079d21f67792c39a6a48f

SHA1
93730fb5ee237d52de5cf1c35843a0909a34547b

SHA256
d7420d50ff94efb461b930e6c73803a660f7ce6efedc936993483b4fd9b98035

SHA512
07825dba45db93a4f6ecb7a24037367f3268380fcfd95587f622e1f013d9a29d1a680b088eb88c640078c1877703fd58de854b2154435ba3ee720682870d1313

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
259d979a175d122eda42df0a883d1df6

SHA1
1aad9f5678372819c883057d30140fda91e4314d

SHA256
e1079046854083d81d675be511e6c2aed3311f865a9792ab04f5784cadfc527f

SHA512
cf5cfa9de1c11ad4b4c357554a581157a3a8995d8379cbf1c7329eac24b6cec0c4c0d1cb2b3b68f808d89e288e9dae45c8858cca8e5d01b8e1542066f6efca57

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4444376270b5baee8be70f27c448bd99

SHA1
5de94848370dfaf3ff4d145f86a1b0f61f2ec3df

SHA256
e564b12a943087d58656ab22437636481feea51a43e91ebd6b673b36b62dfbac

SHA512
a29e047231e5032460bf6c72e3759484f7a188f9b7331cdd5e50a1778b9f66d1abf283aae9e96fde37da0ea240042016d83105ee3d8fe014debee2546dbce2d6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
515e2d7bfa9677306c2e3434cd4d665e

SHA1
77de00471b18ef05d69300019896cf65fed2ba0e

SHA256
c0a04b56d284cc9356743cd3a45689a21022664de574e81a31013b5a305f924a

SHA512
21f6717eea16a0b1552abaf5056dec29d1c3f511a91f1bf3970063e11f4704e723f1d5dba730a7aa94d107f7d64a5c2787f49fcd4d9f932a5171fdf0f59ad7eb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c48e007a3a9a821a70627f5201fc7bc6

SHA1
56322e34a9a80bedc2967fbd66b667aeb4e4b08e

SHA256
892e9963342932c521cbcecfe0e2869fe9e0b3ff2bfb95de993acfff3924e854

SHA512
7d5fc78e447d3e8f60a9a79cecc8238c710663fd873b83b91ce4efb44b44f178152347f97b5d3fc1cbe68c75f0381514cb70d33b884ef1dee8c9c57cff039a90

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ac81b6069ac5d555b4b48bca49021eb0

SHA1
36b93a1b5a42fc1e4ff0b8e68f25c5f0ab43f887

SHA256
946eadb12addb4ea1acd3541c0a5e778c11bac5cddfbdf4d685c177eb122e6a6

SHA512
6feec3045c7d08b2590a1b48d0326ffa8efced5294eafae69203d48a04d4e13a4edf0d6b3d3b00cd818e2295bab89a81d7dcfadf37f86f8243dcd76bf150559a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9d155f214a6c12220ab4f14005fea44d

SHA1
1882d6fa6eef8212f084f7335603bd8fe31d526f

SHA256
2b9f77b2e6ab7d4d8aece34559e17643593473653b5a9195c830655fe99e4c9e

SHA512
e1294d1378c76922bd904e0400c8efbd27938cd12bd28e35e3bf5fac436ca5025afb14a24e8651c922d811d1c6044333353958757b1a5595c09959c1539cf25a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b06c74db71259a3ad9ac4903e7b2dcce

SHA1
57af5979df63f787669a9e157e806c9a1bd19dec

SHA256
f16fd755650453bca3a37269a7317c1e64a002510d326bd1e41b97858902fe6f

SHA512
447d48e872c08626411300938f3ba350b3671c7fc802485878a8409fe686eeb1818ea8e9a6e499bcfa477e033fc2e1b6a06cbac0cb3baa99412b6de53be86f67

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f147097f5f06fe8aaa70b2518f4c153b

SHA1
a4d16caabb8d649b7a3450e04948378e4ea89eab

SHA256
87f23480dacd650625f8a11432e1376fc554509a2fb974fb8d0acf78c87a39fb

SHA512
1e4e19176f9d9a82459c60ddaf4b16c6e81871d0440b0ba569cb62a6d6cf8e252434dd6a73086f5839bf135fcd67817023e9a177805dd62a98895ad42d8ec0b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d056203454fd7f62d882f1eea9266817

SHA1
cea46bfa51b8c27e6b369d7207857f09bf2f8ec8

SHA256
507053c91d3c0c5408d8c0299c9ffbbfe255d2688e72dd994deb1094ee4bc3b9

SHA512
86a5e405187820c2fb758d5bc41d20bfa969d798a041331856b9ab2b0875a76e400d32cc283fdc38402cb2823033a3fc1745bd5e9b351ee1032929caaa567ee2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
fc86b883564c43b5ddf4d0cd12686462

SHA1
64e376a661b03cf85d7120f6bb6e59e7901721b6

SHA256
749a090369076a2f2a13d97a1ec9a5d12e6595749d857c7e3935d7f2b3f75416

SHA512
b4f99f8a59a8409fe42ca14cfd2083c15d355ed6abbdc8dc96f2ed27484d12ce27409c249fd794b4a48719343ac7ca74609ef05630b132462dd71f0c7948bee5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
921497552ebc7a7f7dabbad129650b1a

SHA1
4601613766be06832e7b37c442ae1ccd2ab8c48c

SHA256
c9505fa6670b699198b2c5b53a6a0517ef870f5c5af0ad53a9ee6900c34f50e5

SHA512
e8fd12087465396d7d42f3401ffa57e417414ada50a98a5148f1a314c0ab0a23684d8d6abe5c0a4496dc6fac43d545a05d666a23dcc0b5f69a47b689660b9925

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
db29a294258946cbfe26638df04f3033

SHA1
d7635ddaff6f55b0b47b5edbc821b8a261831358

SHA256
6e35654644e56088cb05883fa5998803398362e55f56fa49b5740c2d94c38e24

SHA512
b10b0150748b0d557ca217ec1bb6fdd02577041d34202f5da49d952d01f0e7f2fcd21b6023afc01db2487fd13d02d4aa25f344af440d121843fa39a0d84cd71d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4ed14062d3d594be8f5f21ed4353a24c

SHA1
5884f79c4058fd95623fe7ca55d8ec3f520a2d7a

SHA256
c5208a9b03d13134d8dd19e3864337560797ba5c5e2767f1d38dff624a2a0ece

SHA512
b985b98b52c457350a9c9d3f9c6d04b93033e67d496a7e8b85c7a6a4c31a21f85bf89b4acc0978f787a023ac488017b20aec16c0e4ba9a68eaeabdd44bb55faf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bbfb0ae5061d02e7d13b0af3afbca3ea

SHA1
1bc9535b0aad59aec4a758a3d1cbe39663e04779

SHA256
1b7f8c7212f139414de17a1380a3c135c9ae728d7250864bbcf494672dfe1fd5

SHA512
7352c400bab2834f9ce3faf8705d88371311dcd0d95089797f1bb1390ced87c601fa35a2d252f5a206e8c9327ad308e838a6293a1652d54408939a9d490eb26a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
322ce2dde3ac5eb09150eac1cfd00ac6

SHA1
cd8c029d3b5d018a93192b8e33fb2d5842a6c81c

SHA256
816226e7a13903f98c12950da98abc9745a2c89f7270021d6e6868b9e7f65174

SHA512
5822e5994bfed3c0f54623cc2fc4ca12b65f7dfbcf39113ce8740a1054d5719a9953c6c216ffab912f8ceb7eda620c7e212f83fcf3acb2691aee4734875771f4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0ec59aee55d4c8f1f58fa5a3d42b04be

SHA1
b2abbe308582a798c21423f277b06f5b8196dc26

SHA256
59afb39c8df582793a19bad3637dcfa52e907c59ec8ba5ceccd918f5ea04f516

SHA512
73b82869fed9aa8de83bd575bcbe1078ba40debe5bee259b70cdcb736e6900d344667b9cc60ffeaf9bb97eab1618d8643ced0f6ed5d141b2f955021b91d1feb5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fabecb16a0bc6a5509576f802e53f8d8

SHA1
602170b2feabd0740806d6194b9ecfcf52441958

SHA256
8c2974a527fa3e1dfc2d128d9e97d3cbdddc8921cc0f49bed2780000b5c7e9f3

SHA512
875ff3c07c94be547b8517538a4f7ce70c98e94286c79bf2c6e8779896a8c5168eab2100d2c6f3026556573b508c4786a8ee28bfd030e4feb9db7b22b101f3af

Download Submit
memory/376-458-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/376-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/376-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/376-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/432-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/468-461-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/468-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/816-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1020-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1020-463-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1412-451-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1412-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1412-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1492-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1492-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1492-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1768-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1768-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1912-155-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2732-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2744-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2744-71-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2744-77-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3196-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3196-462-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3668-453-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3668-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3952-153-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3952-81-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3952-90-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3988-161-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4000-162-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4116-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4116-434-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4516-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4516-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-460-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4516-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4648-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4688-134-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4692-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4876-60-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4876-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4876-64-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4876-54-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4900-94-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/4900-99-0x0000000000550000-0x00000000005B7000-memory.dmp

Filesize
412KB

Download
memory/4900-154-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download