38209e0b683e62992696b78151b086c32db19b52f2a572b599528ff9c34f447c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Size

1.8MB
MD5

6708d956e2f6751eb50c3cdeabf5ada7
SHA1

3bcc5ec2d9abb0f7c8f35b04dced81942719c9d1
SHA256

38209e0b683e62992696b78151b086c32db19b52f2a572b599528ff9c34f447c
SHA512

2463f8e9fc556cbc59688fbe2403d5b875f162d7e0fb37982bee23159656025f8c2e34735b8b779f7eeda586139eb62421f0962d2719c040b7eb8bd117280f69
SSDEEP

49152:VEW9+ApwXk1QE1RzsEQPaxHN+8FD5nb2LLPrFmRY:Z93wXmoKm8F1b6TwY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2488	alg.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
2104	fxssvc.exe
2612	elevation_service.exe
3972	elevation_service.exe
4596	maintenanceservice.exe
956	msdtc.exe
3216	OSE.EXE
2068	PerceptionSimulationService.exe
1628	perfhost.exe
4592	locator.exe
4744	SensorDataService.exe
3572	snmptrap.exe
2668	spectrum.exe
2028	ssh-agent.exe
4068	TieringEngineService.exe
548	AgentService.exe
1340	vds.exe
1488	vssvc.exe
2540	wbengine.exe
3508	WmiApSrv.exe
2184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\736bd8e9b4b1389a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027097de4e8b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d940d5e4e8b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000088335e4e8b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000082898e3e8b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fad7a8e3e8b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c393c1e2e8b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe
4512	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Token: SeAuditPrivilege	2104	fxssvc.exe
Token: SeRestorePrivilege	4068	TieringEngineService.exe
Token: SeManageVolumePrivilege	4068	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	548	AgentService.exe
Token: SeBackupPrivilege	1488	vssvc.exe
Token: SeRestorePrivilege	1488	vssvc.exe
Token: SeAuditPrivilege	1488	vssvc.exe
Token: SeBackupPrivilege	2540	wbengine.exe
Token: SeRestorePrivilege	2540	wbengine.exe
Token: SeSecurityPrivilege	2540	wbengine.exe
Token: 33	2184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2184	SearchIndexer.exe
Token: SeDebugPrivilege	4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Token: SeDebugPrivilege	4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Token: SeDebugPrivilege	4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Token: SeDebugPrivilege	4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Token: SeDebugPrivilege	4772	2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
Token: SeDebugPrivilege	4512	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4912	2184	SearchIndexer.exe	113
PID 2184 wrote to memory of 4912	2184	SearchIndexer.exe	113
PID 2184 wrote to memory of 3044	2184	SearchIndexer.exe	114
PID 2184 wrote to memory of 3044	2184	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6708d956e2f6751eb50c3cdeabf5ada7_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2488

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1608

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3972

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2116

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1340

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4912
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
61d5a3560461cd88b232c201ddb3f158

SHA1
13df5548cb05deedf415b71b1ac4574bd1db85a8

SHA256
e410087bbf468cfec8acf8b6dde7acad6b41f9c8a83b94424f4a084219c5dcd8

SHA512
0ff5a6ded503ee5e4e73e7e3e96b0a2b4ad0306049c3679275a68e217deb0c9340dfb892d8adc53a52969a329094ccb52fc58f01e7ec0c90d961d7bf8f99edeb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f73b1006247973c3f8ed4609d51b5b62

SHA1
073adc7853a0641e94c5b2d0d3cb0a581d766330

SHA256
b084a11ba961fec490d8d827999f23d5ae9d2c59ca81005255536ab91a6201ac

SHA512
03cff3ff2728157e2e255fbd16b7604ef08aacedf45d7e096f8a2faa92c4ae3c3e0742d5ee26df7f2c0a792b167818ad59902cdfa1b662bd0373bacb0c4ef48f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8c96be35581e6054aec8699d75cb0048

SHA1
1f1708612163e1ada3cbe73f7b5f85a838ec37c0

SHA256
24cab8d0a7e8bc40651d2223c4aa543908a91e0b75efa5de4af0ff107fce6b68

SHA512
33bc5eb3ed68ed045e9302fa7be6e1d6536515005a9de89ad406bb1837dd19755241cb7b14601919e0330f050594fb803aed7076bf4cf9ca919f15ebe927fc29

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cc5c13a43ee2d4ca122d04a0ef1ac662

SHA1
4dc2b829e928fac4d084fd7464d82eef32aa7701

SHA256
242dc64b502f5a79c465ff93e108a0bc69c7bdae41f1b258d77e1cb9a4d6cc3d

SHA512
82d3ed91888ba65f19bb2172aa60a6dedd3fd905e2c3767b9b4521bece6aa43d74c79257f0a01112d651de2295ecbc4225cb20dcbd3ff08e3ea4ca408e32891a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c4ba2060dd85601e70683dbde571ffe5

SHA1
1ecc3e5758f982cc0adb0bd4fa2f8e4e9a298700

SHA256
f55aa33a550c8667cfca6615f48377facd0e52f4ed1eb0911a1aca54ce48d180

SHA512
887ae6789ea7a551823ec4127671bba98a41c09d8679cd61fdac5bdc575332bc89e48e7c9bf4c564d2f631b0b97267fee5cca54caaef4dc3c43583f8421a134c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
15ec4962c649ad9f1f48f4bb870b25a8

SHA1
1955eb7b67dcc81923b0ad845e91b6f1e6698153

SHA256
a50b9a15b41ddf2aa9024db00d199a287cf42acb9b5762906d1339c6070fb381

SHA512
8848218e7cfede2d577e1f3544b038cb22db8e299381dad287a9b2abd992613a0a87e71d11a4cb2847311762e3ee68a012917bab1eef53a92e70e84c453e09a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6e7fd6ec9578f944f3b1185e0aa169f9

SHA1
4752e0d42dc4e6f8d06d89f29099a1a2fe4edce4

SHA256
118554ed416c877345f469cc6e06132bcb7cb860892405b9523bbecec4be2ee3

SHA512
7de93a32aa440ae62094e7a58f6fe84d55774fba903827b674ab58f97723659a26a98cbf878518cf23aa900af2bd0604fd1a9254069dd2e44a2a67c400dc38c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a26213aff88df57c0cac6bdad0a26e1

SHA1
f9fdf2266bd098ee2ad5660519b9182fcb65b092

SHA256
b1e29f12cf56ab8ae5386e015de4522d1bc9bbf3827c7c4e7a34f6fb3c50c26b

SHA512
beb51f5d5df46537f19602207c79b9d9e43045f76c1c55523cd379e5fe9c8c41efcd18463523c3e226dba0f661b2328b0ced0d349e07b3d5ece8a3deab4e9807

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b26c3e9ca5aec86c77810032bb62516a

SHA1
7fc6eb89c89ee6c31a1563dcc249f52aaed1f821

SHA256
f025ea48bd1afe0e90b30c31eb7aada57219d7a089dea0bb70ae489e068bac64

SHA512
3fc3ee626b022971986f52ddeac71418caf53dd271c47ea97e456db571949ce21225ee3a8e7a688e5431732ca174e27c42817985b43f4073db09ecd4c5e9b5bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ab99655d0588612492a4d11547c27c9b

SHA1
8b1a5b4d249d3c55fdfb1e3bb13dfe96e5816e5d

SHA256
ec439a0633ac3730290274ac20e4ab3974325511b2aae382c8197c256647fd45

SHA512
31724c9e6512b52a41c6ef7e0a1bf4b1b7324efc08c4d5e9dec8cd5321ae0787ba6c93be4afcd2fe6c13d8220b6ade68f65ac1052d1de9bebac6a9e149be716d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
14b51b2e6fd3e31bb24ea504f1dd792a

SHA1
a64cd4c776bbadc2073eddb14484ac4d46fccd2b

SHA256
cde75a9092ed1e7ff7d8ba484a7da47d378941107da9797ce0021323a31577f3

SHA512
06be80ba7d35184f9166f916f0b067d08c03128e71d079a1d158d32bcc9d2543b59d2bbd7810419ebcde6b2e8587b789e3b6964465834fe506ae588a7986160a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1cdff47e28e834da4f751c91f8196e8d

SHA1
47100fc15c60fb43866f6c5afb247538ea533319

SHA256
3d6916cd701aab9d93586776ef1f46026e0eff3e494b77c0c1d00c0b2dd88e9e

SHA512
35d7b85150ae1ae1c39eaa78205614d82be32f4afcb2da112a0b84f0e174b42624090613b19b6134640082d047f1c9321f91c0e9523f82937e18425b3d83f313

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e1074addb8429085a8ceba1dce85ae81

SHA1
cb724379223eac7aafb73b6ade3e188d330438ba

SHA256
31fae12d9521938e0e0c59363d24c916637aaa8f1374f220ec74535f7e943092

SHA512
d6abac0afcac4e8df47a03f35c129e811416c4c8f74b0995ea4927f5bdbb7638757578ec68f66e21c5c6af2e576d66cbb024ec28a6cf3d9705ed07142ef015d2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
15f21b1b64bd2cd90b59337edc0049bd

SHA1
932e3c3cfec639e209337cf5dc858a33e2f7df36

SHA256
1eb9df78acf6bcc33e8af01647abf27f2fdbb6c8e079047547cb324f52cc1134

SHA512
499cf2b3f0cdfcc571b882907e50fa491ab4655ebae52c52dd61c27300eb95ebb08661f20761f02e4568a25d12acd43cf5775735e9982e68a14f0693093b3d3a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9673af7675f6c774a3e63bc26adf494b

SHA1
498e81f177a67471075c9043f39555d0807d6278

SHA256
967af106caa3881c752240de2ac9c875377aeac4f89792eded0aff2833585414

SHA512
36456038fb57579b41c9439ce423da516b47f77128b101dfd92b337da8af901ce6cb372fe896577b37427a2a0580fe744f8469a10fd41cdac28d3f814204625b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9fc33edbab481e7d06357ac69b0fe07a

SHA1
5d62d5e62e1c4becbcf3b4daa713bbeb2a9c1042

SHA256
a3920c24138530d86c159bf556783715240eb3ddb2329d6c9f7c90d5ca7fb107

SHA512
a457669e2ffbeeb540abccfbfce82dd6f36bc11f840c4135e0cb65d14ef0e6a91343310ce022efa700717a74d804ba635fc138a47f7bfd711a96ec4447516cd8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3cb4df74587d00ff311f83e5bf80c9de

SHA1
8e99e10051501035ae29768e388f2562aee8c003

SHA256
ef944a395d6a114fec5676a5d1ed6136d43752f9844e028e246e91091a9fb0ed

SHA512
a01da0ae5fa286a23f3324fdd15c26269bd21b1369dc2c5446d3fe3bdea77bafb4088fda349907a522fa27ae67df3ddbe11d242d747468d274db042bfaf5b56d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
94a490dcdd17132050395a1413f233d9

SHA1
bc176f466cb34744d8718c64758838bc7b856934

SHA256
2b51ff28d390c288b44bea1460999868886792ed621b570bfe7f2cd750d3de34

SHA512
4851a2311f9ac6af05f5a95a0844725f7b8e2ed872abd678a15124ea1792c44f22e1f16cdcccb94e44c21887f01a72a76e895a58ddb8d1dbb02e636bd0783da4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
41a88cce246f4811fc85ac51a8799ca4

SHA1
df3ace6111ac139ee844c1f375bc5bf141f47274

SHA256
d18db2bb94b375e83338316fb9c39f10cc7147a185b4a485c6927c52e1b09cce

SHA512
5ce0df0c74211614a624a2f22e8b390edb4081d178156afd59fa0d986a0b477adec0cfdbf7b8f2dcb8b2098050a99041f17d7107a711ccfc30eef3099b7fb94f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
dbda17bab4bcf5e0532cb98da24e518d

SHA1
d5199767dee5e0fc79fe3e6d920780011e3f197a

SHA256
4cba0a8d183796e4b9fed3ed79adc726000b4a7cef3183239b216868f9c4a72b

SHA512
958e9b746c8313310d2324513d5d205b3088a63de2c5354f893dfab7b86231bef8d88f37f6624885c3b0f20842e6f6fdb88acb8392af0f00f178698b7131bec0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b65f72a1c4c1277b733f276503bf75a8

SHA1
75a05e7beb55f939e96a10bd7ca67a830a7638f8

SHA256
c763a0f292c0c8989d1bbfd34efe154ef14b49f68098478f7ad2638b783461c7

SHA512
84e3c08647339621e8cea3bce28a310ac3228c25b60237bec70d252b9d0dfcd37a7f5755cc33072fc874fb5b2f33f27179063b27aa5641d0cb6a1ac5d7b76f44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d104c83a04620937c6fdb265806a32f4

SHA1
ca42bbe0fb883b7e77eaaff763ac9e00fad757a8

SHA256
3afbf4dcb019589d6be3b446e584d49dbdf4b5960a86fc4a1b75775705fb60f5

SHA512
25713a78a9c80653caa4be15bbde3c5a26c6cd31335112db793c7408559df4fde2d83a8e96e99fa86e0155c6e3d5d52e0c2f01fcfff37cc46d7ac9e2d3309745

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7530695fa45a39f3358ea746377bdc7f

SHA1
df923a3f4443aaff45843a2d8826a923063a7547

SHA256
34f4c26f81a76c64290d18e95c263e85627f5c9a7a1d52909167ca14d4d0e141

SHA512
edd38bb21661cd23c72a2d5c96b84ef64f41ba1408038f6fcf52a5d6d2160b7871f66da32501e145ef39455e228bd3e02b0bd974d2127c84a9508cc9d2153944

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
918f26c6b895a969f6f63ae2b49bb6ff

SHA1
1b31dc794914227749e3b1f66673fa29f48eac55

SHA256
e02887f3a92c8c445dd56c56eff78be1c529e885f37a00e3271aaa7a3227ec7a

SHA512
2bb53ff0072ea12cc056d0124b5ce679b746007c1f110253b0ea9274103689cd524d77be3f3d9d3e59dcf45eb7f317f923822ebe0f42bb3941fd451c6eaf2a40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
18d5213b42dd42af2e0d0eaea99f6a89

SHA1
14f31216245a1319d70de7981f5cf0101a8dc052

SHA256
66ad0ac2802a8849b9de4e891e3fd8f7453795cecb377a0230499209fa430e87

SHA512
54b5a2da964df260d92cef428fa6b92a3539037afd3b377648355ed3f6b26a6266215006c1774651faacedd00ba7de2a04e24a99af97d4c8c7d9c62b07303fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bca32093703dcb6859c753a836db1f59

SHA1
51ce13b923d7e1a43dd4a27c126640f25ef572d7

SHA256
2a124ad1096b39384bbdbe2be2322ffc3dc36126e8662d1efa864534e809fea3

SHA512
9e9c66645ecc76a24052a26814860a7393c458f98980cf3a00ae662d0d6adbf57973d946e0465cbc9971d6cd1e31f6817be9a241aaee98fc37ce61c62c19e093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f8b09a37322e43728f9a8100dc3d10e1

SHA1
e93832b7956e2f3a7443597b13847775042be37a

SHA256
984b0f2aea90f2a0f661a5f88a114d8110e71d06d08db92a0eb74d214e500f8a

SHA512
ce5be19fb76a59ff8fa2402f10b456937056aadc788956bb40b8be8bf4893cc5f0043dcfa55e03f7113abfce26e8d79576ddcbdde090561f7cc28ae5f521bb47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
bd328004201c1b3aae356256909830e8

SHA1
82dc7d18636eb4af16176845c2693ad06f1746b3

SHA256
ab7e3b160c39692e1eeea82956d26d1b6c7ff8194ee2d2e8066f6cf478cdf652

SHA512
0973e1f7d8f342bc6e834f58b1ac1ff3b7d5c83fcfd341f27879d87f9dd0d394f749ab96287f77a191051cbedade648162310858ecd8f1a184a22e85f5f6f57f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b6a7b8e950c84b61b56bc06225e242a5

SHA1
f8a0015fc2b6a593a2d4bb7d9a87190bad2b80d6

SHA256
1d81d9a34fa288db5c8ded16db44b3f97da5fe2685d7dbf5f6c9e2137345e1b3

SHA512
3cb73a129e6553620e08b70541c72f2f04dca89b3c23dca94e90547608345ad7d4189f8b85588dc64b144fcf9ab08e0b7f9d1eb2f5e1e4b6d87895edc30edf06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
54f41e7eed4d3dd96de1561377659bcf

SHA1
f64b0b3c232670196569b5d9b24ddb7fa848b82d

SHA256
a4e6e245a6acd06286fd6a28c75dd99d646fe7f54b18bd81d5f5660eadb054b0

SHA512
62cb7bec469b5c053093362cc903e62a501bf4a42937e27e166a5dd02c7bffca6e0f351692dc7e52eb99c06bb663e6e7830d4b39c72bd1ae07450de918ea18af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8d4533f62dd0f858e872c4ca623a5812

SHA1
61ccdc54c3e18ca4a80efeda35482e71856172ee

SHA256
86f6ffc6c5767d0289f65fb5339d81fc3c010b289c76a0cef2942ac0ae4fc8c7

SHA512
c1714beccf707eca7db8df0360d7bcbe91c78222b7d50d593bbd9713ef4d2d34de4ec4fa71ad2f4d549f9966e6f9ca12fb7d51973b6a4fea3cdad35119738dbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ff045213e7e6c7488473df9654e0ac86

SHA1
b891f21d41985fc53b9c26e6bd6eab0e7ce89fd8

SHA256
aaf6e1925d1916c12d2a3c4eb3e455b90cd442504d906d65ce81fed1f8a69393

SHA512
6a3c3e70d1421016063f29e5a29ee553a9c57767db497d57bbaf48eab0e99ac7032d202714b5782d1b6440fbd178f3bc7141669f6f3a296ca4798c55f1e53480

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
06754f0ddd2867adc21d053f501c98c8

SHA1
0b8a3afc205e9a48fd45f505f6716d4755180fca

SHA256
9f988baece77bd77787ee0cfa18b668cf97e7248322d69107f4fa03284c91a17

SHA512
3b0313570957452a99f7ec7e7bb2e2288b4b3f67bf57e48cbe054ecf23216c0ba102f903f3eb271a6c868a619f2a8b0c2b2bc1f484b329e5ab1249ee345715e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
6ea73529d54c3da781fccac2c5bffef0

SHA1
0ecd098587501f6a7d40d4fb184c4939d0363258

SHA256
c2e2ce4cb6065a1d02d8b061b0da9d0dfd8b1ba37b347634ffcd2609c1a6ce2e

SHA512
92f6d89f089d7d6665f3107f13b9413150dfcf3ebccc26f1da799cbd77c2e761797fa16f37da4bcd529e51edd887b795b319cae4ec6b242f3149f339481d915b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3dc9567cc4bd8a984d26960343f2e94c

SHA1
b389d1c569886afba802db547d16c76ada08bf1e

SHA256
1a223598670ea6d26a3b8d3f3c386653ca82baf862f825986b0973a44280461b

SHA512
bb10a059c3270258306e9f77bebaf67dc621ddbfbb105d2f131b16a4640ef25794714d5b7dc3bcbf3766462ab7591f7a45758838cb39973b99e59d378e02b62f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8fc49b2115d59e9399f0596cb4c45b05

SHA1
f54f9fe132041d1e779cdcd307a75cdcc980dd01

SHA256
1b13a6bf3ec14784c05e9a12de37d3d7da49d880ff1644c9be0e4475dd3073fe

SHA512
bd993fbea254e346d579b24cff6bd4a286b70429d4aeb8cc2bcc4d72dea256b33b8b6bcdba6d3b8b8fa60f96b97c229af1d2623a981209b4bf710122f6ce58ed

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b02009f389544d523315542c5a4bd5d8

SHA1
e022426019f46287400a394830a898cab7bbccff

SHA256
205b8e2011dae8477d562d0e9c51cb7b7124aab375525ebe5a68ab4cac777c05

SHA512
e5d0f29a8ce5ad7d9b5469f815634fff1fe87d5f442c4e31c54b7ecb62553fc32226530a3e53f39dea36ffd7a98004fe4cdb958e49336ac7e4994d8fb6821205

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9994c4a7b51e21b62df21667dc253116

SHA1
b71a4757391c90f12d73e70d79dcffdc6002e356

SHA256
39d237aa7d24082cd1a109ab827212a70b788a0c66fa4ab0767590bbde1915c3

SHA512
11e9113ee31e06b5605d19e0ed476a7a27d293f09321a02c47e73f97fe547e9b1fe4711f1098f835d210f3c0f86a2de9b3ed8448c0b587c704670e0ba9a669e3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
98cf718f03742e5e040a41a9623c4b6f

SHA1
2971c612c280e59e2f6c3f8db532931309780b48

SHA256
028b53683c864fd2778014ae91c7d819853c1c246c6692ec747eec5b02b749f6

SHA512
d6572ee07821020c429ab026cc7528dd182eb79e7a34ef24d052deedcde1400a0c2709be08a299283e03b1395bde50f61c87dc2eb2a89288fff6fd4a2b73da07

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c284f3fbbf39d367a88fe0fd9c834b59

SHA1
ec60f483bd9870cf449862464c7ab2d0047b8453

SHA256
d17ffdd16cee9dfacdfeb2facfbc17e8b73e5a955bdb62a05f1c339dc4523242

SHA512
8b43d4eb197fab0e3e248cb36ceb575ea76a1ab92c98d9d4dfc962a5a09438ebc9e982c4873bfc067fc7148cc303a7b032080f2367c72c481bfefac8e0366f0c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b9a01a96c2db8d1a14bca6d3473593a0

SHA1
033aeb90a39575ff7a86cff6f0462abee8dd5a20

SHA256
8ad7aeaa1bd2798c4a812705912defd21e814d7a15649ce7924227d1f4f75f61

SHA512
e7840e55060b5162d1bbf670d38c28d9ffbe203763e12d8a65f2022ae0326e0e19b8e5de55355a7cf4b4ee7ad87cb656c30a580aacfdacbdb87559f239b36e69

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e2a34b14efc418f3427217de5bf5562d

SHA1
26afad2325703a2e289df2f49171458fef007cee

SHA256
1de1c80b91688c247d116e058e336c88c1b4ce9ae0aa85817226cabfe3d0f780

SHA512
7540ac7a6699308e5e5edaabc16e5a4b5efe4f1e63e18f9b51e5ee18726965056635da84200f4f285507cbf52db4031046ebfb3dba87cd8351a9aa98ad922851

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1fdb4257bdcfce6ff014ce8e689101fb

SHA1
abceb908ac03a565f528af334d31f42fb2973250

SHA256
4d2262ba795801277b9b3ce8f0956e289d7e5b338f9801e250bfb1a0ba593456

SHA512
63f39b06cd5fb3d5cf5ff0727043fecdd6b726b7ee5ac62c329a3175d82167ecaa646861b8069873b2116d47743044ccbbb05981b0584e08a834d5af3a812e8f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8d40cb630dc59d5bb0b1fd464c6411db

SHA1
77d9a09c99df2eef6ade6bac6b45239f4b7da8f0

SHA256
bbe0ec3642fa68f35629c0c9e3840ce3cf185b41408eeb7bc6960a4391af70ed

SHA512
a57cbde1e021f4b718773d376847641cdb9a259dabf32cc760e70d586e91d17c4292a0e01bb13da66484943e972e64f13940c00749a615da91fc66841651b504

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e0df4b27b4e9eb806f13a1338cc6fb7a

SHA1
bb566dc614a381a73a0c3b8f5bdc7673143ecb9a

SHA256
ed699426c492e9f322e03fc6eb7078534254112e00b1571873a5773bc5c57c63

SHA512
7cfc4596ad27f3dfc345c2daaa2a071cee3b5d35d720eaa1c02be39e47cb3f030ee0c045aa3089f82a2ee72b66663d494ac4e5e52aacceff724c4afd39cf87e4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7b8a5b7c6f5b1cc441fce0ef3b6262bb

SHA1
9b6caf77aabcd659e7bac4192b9a0b6918a56555

SHA256
bf382492eda766610dac9de3728a5963f274aba0d00eb94384271674e8e36316

SHA512
6ecf4193adaf987124bd2fbed386a2e26310c6aec29af09beaa0fbcf619d956a668e70846d1defa63f058f19aaf59c83f0c452d8eabe3168e0c7507feb222e08

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f0eeaed3b0b3fe3f4cff3c3a50c41087

SHA1
aa95f7fbfa1611be02c0e5732926931b2a7477fe

SHA256
3f739aede59262f5ee4987121607c065de9fa97cf7dae52548154b1bf6454f56

SHA512
30913f815df719d8d2bca32e947c76ddf62795bee06301b4dafc7ae5b38c339f2bd45681c24dcd21318a81b7087eac3ba532c6b21c0c739106aa09715ff48318

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b66d522b9cef609fbb32cef74eac3653

SHA1
74695f7d5e7fe616a0893e17b500a6c6e64338de

SHA256
b6381c1927d5b330682caaee44a0b3a006fd90f6aa9f22602c0d29f7750e44bb

SHA512
62828332eefac3e75ccdd04c44cf1a713d9300b7a08ccbc939772894a04a0b92b80800f9fcb01a06bcc7d43e89708c0aa6831e514cfd2c06d59eab0706d7a554

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
73c424db6d42778fa7edd17bd8728057

SHA1
a2fcd373c04d35f73dd77f5463ccc911f6123869

SHA256
a6ef51aabc66b4f32e26a3727bc3dc9959d1ab42ceb1faa7b712d758f53857f2

SHA512
91ab11ec1617be169cc6ac0ed6a45c60ee2bb2c10040b2dbc340797e41284c6b04ea12eebe042b41098db2a7e5a8b6413e0b1fe6eb05da1b8a0cc2c7edb0fced

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a786fb52994e18cfdaea7d8ec76e4e3a

SHA1
013b04636d976be5739cb727004210f016ed595a

SHA256
78ae37007da07dbfacd20207419badc191c56c419124ec9b844d84fb0967b923

SHA512
9685349a37e67bd4ad9214dec4474762991da69761d1dc7deb164df95e180dac044d8fcdb4324b5a9879f6655f9d0a92c5e98fb6118cdae68da39050f09165af

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5915b90b142f04ceb2382a59610f7387

SHA1
e6c8b3223df7e06225e6b942b6b8e2d6fdc1c37d

SHA256
a98a1af65917a67470279776364cfd70336b6e9c0ef5a7d6b2c21e55b934e39b

SHA512
ef53b239ad99e04e48bc3b157378b2ce700ff04db16b29f2fe1d9fb887aba8d9e4d209ff03407d43a85c68913d97628b27b0865606b947dd7c52f6e02de8758c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bee41f13214247e8fb12b9a612ca5155

SHA1
bc960fcecae8674d8d61fb80cf0f23e1f35656bd

SHA256
281ea84da0f46929b918e526b02390efd62b904061ea71710d6779f52cf56517

SHA512
f50d8a5fdbbed87c1f1c97e6d8238745a1898a87fedb8045c852d60a3e5df2f1dba4520034fa7135edc29a4b3624c544565311960a2793b438c5dbc20e7fd50d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d14d04eea0c140c4d59d48e6237b3faa

SHA1
2ffbf4a46af0a4adde50a3360c5362f547edc4bb

SHA256
da30b1959080377841f2783eb83da5d48006d6b3bb74eba48d74a802403b9aa4

SHA512
4e82370513e8f324ea0f4ab15ff05f7434d339b2b6ebe575a0a2d82959c46108e989f64fab021d45fea200d87f795ba1f356fc21198e68542376d559b64f068d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cf461f2c150c44a315840836406777e3

SHA1
40ad47136955d02575eb9aee79e5def9d3de26c6

SHA256
d6b99eda62975d193f2862cd48ecbdeade60169a62bb420f5301e987c2a618ed

SHA512
4142b70f209b7dc21357cc8c7090c918b3849036024d0d5415c1e15e6e73bab96fd5cedc8cf34adc34fbb462993f2d96791216549258e72ce070ea9f4732bf31

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
c1daca42fdf5e2ffb1d607fc17341804

SHA1
5d9b3bbe5df648a8a23a79be74e51c1454d74f90

SHA256
96ed916c8725f36eda993de059b44be2da5e4035c2a30c8b689d1d174c1e24cb

SHA512
c2c182f94c2fa590b1590111e19b073139c8929beddd1c06ab52dd9734ca84497acd1a563ffee8c4efcfae572e804bc5ad1f1fb41be8726ec6af6dbfb70cd59d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e4112a538103a6b152ad8d82491d532b

SHA1
c9f93dd2b168076ef4302fb6970f6c34cb7491b6

SHA256
75de82511610010202135851d82a9ae4fe2b578a98d8bba648181f33f3af2759

SHA512
ffaccb364a169f2846116aa2a131fe213751815b75c9ec0e9ec102fe3de11bceec6798ec6766a7b37450a0f5677f9b1b559376f3074a447c1257e5a7a87745e2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c468a7f6acdbf59d472badc3eaf2dcba

SHA1
16b874cd0cd780135cd303f3bce6ec6c9970c333

SHA256
3b436dc3407d7b15ecdc42aca1a5abd23c28343fd488dfc2d17aa148a48734a3

SHA512
929620d3b03d1041c77ea20d14c0463d9bbcfb60fb6c685d21d13cee1a5bfeee2c193129c4d858f655e03dad77204e233c3a5fc298581f83fc8a4fbe0f4bead5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
915620e55b3898c7c413167f7fd3dd0f

SHA1
bc70fdb10742e58910b470bf16cfd8e4a662cbea

SHA256
4378251ffb43518ed143100d19a8b1eb999249df989bb8534d646b1884bb94e2

SHA512
5ebc0f9132961c75e55fc3240044374c78ea2914991c9c3968b0fa644de8b29f5d5dd1fe254e102bcecd077a47cc2c736af67419b7edb1f89399ee6c31525b47

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
648e0b87c8e846cadfe50a7fa2b2b9bc

SHA1
173cd17577e10f8457ea95e7504efd060f93ca4b

SHA256
a7d21a9998a43af4d2cac6c8fd2242de097b7415b488876ee4d7cdc75c62ad71

SHA512
ae7eb5f8d45ab7097fb17aa8c5fd6040ab53e7c2ea35a56577d97f6e530de6beb754dcc49c7d53ac4602a16ca646a9f53aef7063415227a71a8108c2f6fc053e

Download Submit
memory/548-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/956-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/956-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1340-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1340-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1488-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1488-409-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1628-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1628-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1628-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1628-106-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2028-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2028-403-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2068-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2068-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2068-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2068-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2104-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2104-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2184-411-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2184-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2488-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2488-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2540-171-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2612-31-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2612-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2612-37-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2612-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2668-402-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2668-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3216-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3216-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3216-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3216-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3508-410-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3508-172-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3572-400-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3572-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3972-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3972-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3972-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3972-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4068-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4068-404-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4512-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4512-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4512-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4512-23-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4592-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4596-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4596-55-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4596-64-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4596-61-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4596-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4744-399-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4744-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4744-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4772-69-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4772-0-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/4772-7-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4772-8-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download