96a29296794c50e210bde7c05ea90a1e628cff64ec700ed214172cac4e4c38d6

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 09:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Size

712KB
MD5

5cb7112d86264587678a912e0892d430
SHA1

2e84d689dd4db798bdeeb73389be1f8b8765a7ab
SHA256

96a29296794c50e210bde7c05ea90a1e628cff64ec700ed214172cac4e4c38d6
SHA512

57d8164c7d6de63e1be8995916ffde43dcc1892a574ab8d6c6d29cb5c0665038bf18ab4b685b7b4f9ba44418a3aba96ccf44d8ae1ad7f5f6cfc1dbab96f8b654
SSDEEP

12288:MtOw6Ba5yndwCg6/xjPHFFBwpRDftD7IBUgbScDQCSkb6wjfRMVviOvf7sibN3AS:i6BEe1g6p7HF/w/ftDsBUiScD7WGfWVh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4616	alg.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
4896	fxssvc.exe
4744	elevation_service.exe
5052	elevation_service.exe
1036	maintenanceservice.exe
2356	msdtc.exe
3864	OSE.EXE
1756	PerceptionSimulationService.exe
3348	perfhost.exe
2504	locator.exe
1140	SensorDataService.exe
2180	snmptrap.exe
2560	spectrum.exe
3656	ssh-agent.exe
2088	TieringEngineService.exe
1744	AgentService.exe
5048	vds.exe
4316	vssvc.exe
5108	wbengine.exe
1600	WmiApSrv.exe
400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\733521f2c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eda693cb4bbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a774cb4bbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000281525cc4bbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000123c86ca4bbada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7e350cb4bbada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a3e0dcc4bbada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ce18ecb4bbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c40896cb4bbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096ce7bcb4bbada01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
2068	DiagnosticsHub.StandardCollector.Service.exe
2068	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Token: SeAuditPrivilege	4896	fxssvc.exe
Token: SeRestorePrivilege	2088	TieringEngineService.exe
Token: SeManageVolumePrivilege	2088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1744	AgentService.exe
Token: SeBackupPrivilege	4316	vssvc.exe
Token: SeRestorePrivilege	4316	vssvc.exe
Token: SeAuditPrivilege	4316	vssvc.exe
Token: SeBackupPrivilege	5108	wbengine.exe
Token: SeRestorePrivilege	5108	wbengine.exe
Token: SeSecurityPrivilege	5108	wbengine.exe
Token: 33	400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeDebugPrivilege	3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Token: SeDebugPrivilege	3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Token: SeDebugPrivilege	3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Token: SeDebugPrivilege	3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Token: SeDebugPrivilege	3760	2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
Token: SeDebugPrivilege	2068	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 460	400	SearchIndexer.exe	106
PID 400 wrote to memory of 460	400	SearchIndexer.exe	106
PID 400 wrote to memory of 4656	400	SearchIndexer.exe	107
PID 400 wrote to memory of 4656	400	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_5cb7112d86264587678a912e0892d430_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3348

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2560

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:460
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9110252242b85ca7502a880635ae9668

SHA1
439058a5c77252b9955935c20cbb3b2e3ea8785a

SHA256
0a0911092681aeefa4a5d061fbe6ed4311b9b13c7fd086ee139be97400acad89

SHA512
f4b7aa3b0233c73d035916d0db850b3985054702b0938b25b206346f9e580cdda86caea8d9d9735528882e3cf5ee68487eff7a31b346a3289d98eeb0b6900de8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
32736a161386d7278b09dde0b169aee5

SHA1
a6f273e4833d0deb7911cc6276cc260192dbeeab

SHA256
f076d7c92bfac1a9bb3d346f5177f97aee0e28c00b9d25db5a7e6fc7f3f6349e

SHA512
045f3191c9ea161dca3b57e82f374787209bf2d0515fd91f7e56e737dfb3e914f59bb076598c405caa5471e5e2f2369c84811666a5ecae5978a0a43b83199393

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8d0c6547b3dac8ec7956c37b0480a547

SHA1
6bf7065cad8452ee6db3134eb35f1031d956cdfb

SHA256
673e8ec6026c153135c31c9d178a14b0cefeb5b2c0bdcdabfa54a3cbbeaaa1d3

SHA512
50a904f7a6dbefec9750f6f9c8eea6424067804f553cc3520a675915d2db901073497160b167d06768623aad868c5c4f0a802e5faea4faf96f2c7985029c485f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4ad18b249e67a6cd5271742107c66055

SHA1
0378cc8dbc7d73ed4b09395893c7409acdf145c0

SHA256
241e8e40d95c7f8842b7ac6b5dc7086d59b63dfbff76d3ea9f1020672ad83d6c

SHA512
913717bfc71614acdb17086c01e76973181582f056ca0d9ba236d5ad010857810b209508ca52f52234d532726a9ec0959746bd2b2776d5d5c5ed6a81845815f7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
263ecb819156921fc5e5cd61fc721d6e

SHA1
e7de7ced7d5bdd8ee3562bdb776e4e6f4c29858e

SHA256
75f84a00b9862c6352809a70cee43764f8eee0f90c2a2880d299de7560f41bf5

SHA512
2f0472a50b80051f2b07fba4c5c9dbbb8139ba349de46079249d68158979379dd02d22919027e3216b021cb186e200fcfc7974aa224492aa0b657e0635db5086

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6a2dc4d5d4c49eaa3e3c74bdd4225b52

SHA1
93d0a4d38b6bbe1eb8e9b34adfb1d89b436f98b6

SHA256
b2baedacf5bd8c533f6f9345d14e3705535e0749335575b51830b912fd74095f

SHA512
abdeabf7c66ca482c8f7659b093eb5eb67c7f417e0a81e6e0d532bcf3f71a32d9350c8bba516ea339e73f1c9b2f6862f457130a38dbbffad96a30841c84d49a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5f1f618f39c2c1ca584bed5e7a61622c

SHA1
20faf9fc16d5e688a1b27e977fb65e9f58f52813

SHA256
432c2ddcf9f505e8fb76004530b9b499aaf9c62535b0203b941f6046e4a9b749

SHA512
b8c42d156a1a946555869e425807b65d986d63819828915981812203ac653224091c06449a42a8b923f836c759660d3d37a34668b5c3313d3cd9f3328c73a8a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
09e166efdff4f7b19ff53c4872165b1a

SHA1
42dea0a75db292abf25724e978555092f2ae5bbd

SHA256
291a8406fc979ea39b0e7b31c268587c832c209df5e24a649e31b3f24b9feac1

SHA512
e22291af2943d56c543811479f51b3b393254d9b222fbaea95893586b39f14365203c0c02402aa8376ac6e7f06709270a0b8668a14348c61ef82735643ca63ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
27827d42c1ae15af7970ba5743b0b402

SHA1
591b319da89f3b6bdffe97b4dc89d0d274482c30

SHA256
a0dc2435a2f4f84065aeeb066f0c6c18c56c5d6de72fd2b9fa591a2bbf6413fb

SHA512
265cd2c023bd486e79b6dc4bed4f4f44e2628282d8e18687fbf931bbb074b26dae1a41384c08bbd20bb80216775f897f103ec791e59fcb72aaff9c0427eadb3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
76d1c4f97259370ee3fa7d02086a69f4

SHA1
033c0d5cb685d5e336d638ea6da3e78e1f8d2dca

SHA256
a9e2c57075082e370b0bdb50d096f62243fe0260efafb002de7c697c45f7996d

SHA512
d151854503624cba83628af11ed3deea9375a9e93ca5ce191bac64f3007744ec55dda5a912a2feda0cb964c39fcc933226d377b89a715df16416bd7c611f7f98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b87467a66db39c0b2c27b8311c43e32a

SHA1
35cbca17dc9ee6ad2a4e461f1bf891e109fde9ba

SHA256
c825d85197d73ccd9ac6c1dd274d526f680fb0c1a3cd8e98588bee8a42a8d291

SHA512
464d1b8392e30ab2cd500b0272f3482e65a0c5da8f7ced9a39c5431402d62d5ad200153a95032a6f2c6948720ec447132fa3cf488b6724daf180277706b1bb35

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c302071576a4268f7b79e4f8652d6a8a

SHA1
ef33b02ff773bd95348d4ce175f5badcb4be14fe

SHA256
a8b20dbbd5ecdc9f4b5f33190f0a551d6befe455173d8cf3454176ea1d48bbd9

SHA512
25b3566ef5551d10be6ad494ece474533153fc3f2ecc687b50dd130ca5dced761c180bdf182be14d078fc8d66d29397336943028e5c85f02dd971e1d0ba86629

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0c9f32694b2109887eeb11841b8abf8f

SHA1
638d746be081efb7ea6945d886c872ed02ec9eef

SHA256
07dcb90f3a6037afc3cc63712f22c150c3267dc77bbbd3ef815f13335f3a2137

SHA512
055f321675f1d0275b5a96e56189c3dd116d5c1ed256bd6fd5891cb898e77cffbfadf4860cdd5fdc9e9e8c8a11036def0014bfd4dfdc43b8577430ebc863a2bb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a72162cb58ac55dcc22cdd62bb6a65f0

SHA1
8d63a4ed8a94bc62981e01a6a584dcc2440da4fc

SHA256
7105ea4571454f9ff31f2b8e33f5a7bccd961551b2d4f5f80c6a211525af51ca

SHA512
b5d59a79d870fb2f14464e7212ba6821e8f469d601ab480e2c95cce174b7fd2494eff7231d97cc182eaa857e5ccc34469304eea6c6c0c8084e8844828aa687e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
97151c5e67d8ce7fb66b0f8a50b7f594

SHA1
f7fd70221596d4e037268d5e3c6ac67c8a9a252c

SHA256
fa511747aac0cc625bf3f498ad4c2bb79daa6e5ab95eccc8d41bc4846a4601bd

SHA512
563d28c3d1286833d524c3582fd1d51e26a69206ac5774594866a44011b3349027068b3d704d2e2b1526c85fbe670e83b8e0a891690f82f8e1cd267615ed3571

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9ca6adae0a64f93c11c57f0461efe041

SHA1
ce1f24b0f415aa432ce8cfa81e1163fde3ea5779

SHA256
3ed8fcbcfefbdf9046fdf5784ffa4b0768bdfcc026b51f6640496993e9e3e6fd

SHA512
300b75e0c161783b10e0e6fa348891ef876081fbb56720d542edf25004787d93cd9c13e3b43a0523ced771d95c1ebb2ed21b7341a847867079babdad0efaebfe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9ac256255296be05aac410b83a24b345

SHA1
4c701d7f9e0b80def2535fef447e85228ea900fe

SHA256
fb1969f5cf75d65f57df4939c26051bcf4a994c7e25c8fadadbab5825c3965b3

SHA512
aeef3a4e2a9e9717ab267484c4a54fc534f986d65a125da091f3ec11bd54c49bc493b7f512daf37e5e2f082089f39b8174cc8564da6e929551e04b6213a79a9d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5f885ee5713475d00c8338c104467e00

SHA1
e8bf2b806f3d23e3fe545c1df51d08d82c0f82e8

SHA256
9c83f8381b6a71c4daf67685398213ede25e8df9654651209e0519accdf139d0

SHA512
e4a9529a0eb0724d11fde5a46fd4cc2c0546551ddade095fbc2d45739cc5b9756a0a3c209180c19d0d252efd90b43ac74f4c9f69965f5b48a0c1e8964ad405d7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
df6bd13d38f56dfada5758f2b3c30395

SHA1
49aba6f68c3f99f950da5cf74a444c57a6440fad

SHA256
1d7a431d5bc8cf421f472bfac24f4ab8f8884d94e36a9194821a1a3f34b7ca19

SHA512
5acf0ea2f6f12db2ce5da05a1f2d7d72544f950074dd230e2a43ae4c81caa3f4986fd360196d1b4841857e425f7a3edc127dfcdc2d20864ea6890c5c7db35f1c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
64f9cf3092644ccae08bf45dbb4eff33

SHA1
1a6099bedd4c387ee8fc5fbf58bd8ccf074a9352

SHA256
f8e78c30be65d9b48147169994b814af77008f5b1ce63383d5e6ac86a14a7287

SHA512
c3a0c2749477ed898d3c4f63f727ce2b13f05d9fca047b7cfd015f82e90285e06866937ec6ffd7834f8b575e89744d2f8575e2a4b93dd4f1a31db4fa91fcef44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
12175f0fd9746eec0c7d1e2611dccec9

SHA1
1b9fb037a3b3e7c240396bcedab930be77f7177d

SHA256
89f837781c0434c0c7e33ead28a9cda5adf59a2f9ac3011d7aa9137abe80e70a

SHA512
dc4a368ab6666142a238b9162b4226055203aea4f987e06718610a492d2212d7825361a19efe2114c6b285eff0d2c545ca4cea67fffcf2a83c7749b8df2ef9ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
474efe3165e5fd7fe955eeb07f86cada

SHA1
d03ad6085a709972d4368a59357e899e28ecba2b

SHA256
65ee0af04e3916250eace4107600acfa042039f5eaa6ede0bfd205e6fcf31ab9

SHA512
2bdf367cff6a8cbca15e881659fd5a227e3d0188ed3910f9d994f094444930242c1e848e801d00bb49ce863169e77592bfe715717ec65d704fe86e4107cef5b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
766a3525ac6eb65bd6a9c9fc4e7a997d

SHA1
eb45705f96c910e4c052e2cbce216dfa4c517e3f

SHA256
2769dfd5d307f7dfe4f20a6ac49128febeaf0cc9599e657c1703579349fae842

SHA512
242a5e571b61417cfdeba405866fe1ff13a49c7f85c1d7ea08be0ed4d30912c2035fe780e06a59983f436bee91269414256a5c431d2d34215463ab884480749c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eedd7c83fff9d5717a5e3450d11b89ec

SHA1
21393538b039a67b6731af65112ca73b17bec57a

SHA256
2e6dc3800e2f6d1ac7844d89b46bc9a3b86dbdf7f3f30eb229b359b9c95702b2

SHA512
09e948da6b635b6fbf7deb6d8eceba2bd25e47c4aa0d1d9de1d5a99aeef31bb6d1064964ed980d32565f6bf214b5e8a9068538923d790aaba9ef06e3109068e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
524eb25987978cba5de112697c141a08

SHA1
0f680f0290137a2c5037bc5a95c775f0271e9f6a

SHA256
4a5d7fdeb1f61346e4f3eb40df3528f050a83f9d19cb324ccf47a710e8347925

SHA512
65ccaac64050f2da332509700984ddafd7d7fe54b141ef84cdebd5d40194bff1c9bb65ae90b87ab5fc3c7a7de05e1b845220f6d90d215d927b8abed6a315443e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
30f95a936eaffd62359698653cec4245

SHA1
d253b83401d886c9fa744e9cb6e4ca9014f034d0

SHA256
e42305b044757aae1cefc0d4320a0de4e091775a73fef212ba0e8ac7080716ca

SHA512
bf6341959863e429ce662f976f665afbc0cc35ebe30732c1beb37474964bdd94a9ae7f76fe9cb6ac46b3680cb5374a4369616ca6b7c62b4da9f2cf835fc0a6f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2780efeaf3284a97d90682954d8ecb17

SHA1
ef10a0453eb31b27a2592ddad103d88b119e7401

SHA256
8479f6257d98f8f447f6831bce3c3deab55c82083fa41ad7f099f6a7b1d63a7e

SHA512
fece27a9b02947b2ee1f1e4a0d2e322d2ba57424a022342ed77304f0a4a16cf03004c20170c3bf75bf95673d9b7c7d14dc0533544e4850879c0caa22a0336a6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8e3e898732e38ee277dcb687aa8a4976

SHA1
6f1d7374f2a9fbd6233330e44d631d5d00fb151b

SHA256
05ff58f064f5c6e7058f7f6c8c5b0179c6c627b6d41c97d7ab49e40eb2ecec62

SHA512
9a2a4d423bce4aed7c6dab77119e746961a9cc23fc2394862e7ca5a6b41f780938e3884b16b8251b2ab20af92f8d0fa73ba6e4a295a3d241f46b39ad55168acf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8ed0d17e25529b31b9470b7771340465

SHA1
78fd6bc00231127463547b7f437f35e26f24cf54

SHA256
737b3fc4fed28d07a4bf9173a8909f72e7419d98facbe8574f9a517909e34e4a

SHA512
f9ff53fe962acff7a7fab79a82569c378783182b85eadfcabf625c0d765c8feb5b08fdc108746467a64a50508c160db8945800af2833eb149808408191b80cdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
dd98d4774b8bc37df075a439b56f054b

SHA1
621834d46c8a24090823eaa35631860d5e1dcfd5

SHA256
af9b836d018acc8dc73c8733820bd0295c3ef99e9f73427767e6e9af27b357e0

SHA512
87260dea16f85d29f09856205cde2b0e2805c041346bd27877a88b456583d17ad1d8be8c453db5089860731845d67c4e9febceddacc9c2f64d0ef44e815270ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
f83a31885d0b104b2193809f094abe8a

SHA1
b8d460078d031196afdc469223fc5b67e684b80a

SHA256
ee88ba2da64a7b0fffb8e1d219f9cc9507da9c65a9d0e6f45aadde1fe56b961b

SHA512
95a6f0eeb44d6b781b5f63dd6c6763a3f2c01c9d1039bb601ab85105c8cf23e01a2169630387d89dfd8b2cd548136e83afdf5f4c9e20057847f7010542041009

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
dc01625a283c4cf1b3fc997134375b99

SHA1
5a428bc1d6215a66892f08c513481dc3fceadf9a

SHA256
69b896ffb5c73cd2559a891d21be6a73c049828478f08e4d62aa96d384aff4d8

SHA512
1283c95bd7604afea7a6ffd30110922c6bd362dd07391682b6ca13a64fbe5f878528703de79d48776842e8755ef74668522362243252bb864fc0f98967a5605a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9d63cbf5031226867d21f570ef29a783

SHA1
176383d815b11983e272a7dc471816e1d3cad6ab

SHA256
16b9cc757b2f398f5799cce7580bbdc09e30be3b6bba7650fe4238ffc14ab240

SHA512
ca46fa88101fdc30aaf4d952d231fd9c31a404281b65007a11e4580beced9802acd2d81d3d5f046968dc69255d3819504c0c733a5d5fd0950b41e6cdc3d9820d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d97a230667551746d11a4778db2e11de

SHA1
2c3bfcfd50777d07e6c011e46932d2c77034faff

SHA256
22a720b6ad9527f528ce6c0022ffd0e824bcabe5f7315ecf4a0c19dd7bbefc8e

SHA512
8b94d675273c96d8f7c04dc75e12796692af3768453e9b49773cfedc5306874dbc52e42cf972972f074c2d8fcf67a6813dc81c14c3a9e6185065605345a1056b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
75d61ef0f10d6c440b2e085ab4b53ba0

SHA1
150f250df9cde3530b54d7852097fdadf3fb864e

SHA256
1c44b14bcd47f9b566cf4d591e6813780fcdab451b8c432b3d53a044218dcfcc

SHA512
aaf4254b6a20dd4b14b620c9f46852f4d48ea7426cbfac9de542cd628e4ba73e41a7f5ded6ad277cee36362359ab8c5309b8a1bbd0efce5de6e46695e60d44ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4738a80fe67ebdb5162253b53efbd547

SHA1
66ef5d9729753c0e4c340d47d32e847ec0bbcebf

SHA256
fc537633d1266b0c43af4c5f4a7f079ce392c742ed28ee4fd800429b5863ba0e

SHA512
4e1dc4eae2b8cd776c714609fc1dadaee62567dce84f605ee0522a35141922e1b4c690c70454ce6144078101d0ba0fb428652123fae5e0cc883211a84f63bf64

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c79cbc10f5f23b56d2848faa5ec580a5

SHA1
620c4aa056d048ccb8d625080c02dfe80d9de018

SHA256
249fa30b68aeccce6452718c39da518dc06b6a75542999a29bb77eb0b9eaa0af

SHA512
6841b9857f1fdc56da1b0c014fdb8e506c02230502081b8ea727fe49085e9a10f1a45d2afeeef7238c913948489729b320abd151f91173b3e999e7541d0b3190

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c93e5918f12067b81d406ef155cfbbca

SHA1
e0c284e793c54dd76da421ec8d00a291048f7c14

SHA256
48521e93779c405f61ada2cabfc8600f63b950e791a62e8b39f5ae0eee05b029

SHA512
2b05d0d90d0b5d03f63f4beaa6b8a23b7e5b432ce88ed27d38530ec40578bd41f657ee5cad8c5e403be289af978d5aed216b97b9a5845a016360622ff1196bd7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
58659102aa651f4ce9e23191a16d844d

SHA1
c296b7e7fa87e19ae87b9f07888243ba9a50a778

SHA256
8555f3d0c3e210d6ff19d67974ec663aab2c2495efde87b023047f6a703c35e0

SHA512
9d2e72302b3b84e77202dd093572711eb0c8a333829eaa14b7f1053eec36a0c898ee06940ad99328118964517c6ec5d71d5131ee115bfda71199a5d4d2f0aca4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7010ad117f4053be9fabe3839feb45ee

SHA1
484f43642c57cc99690ebae337548e4d5ef5734d

SHA256
0da4d29fe7625b2d6ac16358309e76a0bc05c9c7b0df45a6c5a72761f62dd7d9

SHA512
85ed39ae83f0db65badfb12580fc78c2ee56059bb2a5ddb7ea369a831592814ac40852db35a52f0619d53407ef83422bbb600f85289f0d8a6bdc912b8ecf7d98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
709640afe5d5c9a0035b1f84568a6952

SHA1
2621e8301e290f47db973370a78c041d9ed0b98b

SHA256
5bb8d6c41a231e63b7f5585b0a9213809d06a3e953c702829eeb9157108b8b79

SHA512
454729c668c8d052f76f10c649f7e302ac3fd6ff5d2987d26deb9d9afc22e35ff3f4364f0de3c05178397d26e10739368ddf29a4a6f9ab409087a138cf932df5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b0d99d02f5972d1fae18a5adc2017de9

SHA1
e4bac16c799f8533d8699bd2447dfd53a54bc2d8

SHA256
49b7088cf1ce06029b41d49e03c7665c700a4ab50286864858fb0090fa9c665f

SHA512
458bd4848a38d3986c2577428067979eab7953072a50019aadd9e925e76650ee6cb392b5f24ef56c4dd4ec160c9cc89a0599a9ddc9a554ca4b4957a1a1930db7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8d2e45e40eab09b605f4e4b814562f1d

SHA1
4f62a8bf1d97d4f7e726893e89cc5f1ba526c466

SHA256
be4647f5c93d7111162b3a654ae224305111aeb3b060262887f14995c436e6a6

SHA512
a7b7411b318256f99fa2d9a2424cf93e3c7cd529bba5e077b0178a57d852ef7842a995444519f822d618f980aa8b7f0e33af6c500d99e79afa5e6b7f6120331d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5b15ffcd6e9111510177cc5e52ff00d3

SHA1
c025d2ad346a8f5faa32cbca7e0102191379977f

SHA256
e63cf5d95bc101eee2d0ec7aaa8135bc19352fe3c80c902a301ece078b329ff7

SHA512
81c79f2e11133d7aca75f83375b6fe354645882e2dd72dbcdcdb808ba1e30fb64d1e1c4163964cd766f4006ba8e5d31c134e29a485be2fe08825dc4c5bddbc3c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c8f5520880185d07c63aba14701c9b57

SHA1
d4723988c43807629893277f13ca307daae6bc4c

SHA256
0fcecb8b1d741482cebb5166397cacb2f6acb5508642d3de9ebd84189b48f415

SHA512
906bfc437c65a89b4c278832404880b17776cf5a9d46840d9995c9c62f6bc3ffeaedb2d3149fa678ac4a1dabc95eecc74086dd60809e08af7974804f720e7930

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
87a62b556ef0c02dd77d1d5eb9eb275c

SHA1
0e5c1d4bb3c64197c0d2630c5550e3f3549357ca

SHA256
6cb2021f181c10d9899bbe68ba83e972ce03c9360be5be262076efa52660e8c5

SHA512
e7b247c8bcf4840cb15bcdec636d63d8874366a2c900962f6b769dee69953cde6d7dccd582e6e66d7958fcb32517dc1b061e71d8b4bd775ae1ac082b65736b22

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
14f2868ffd675beac1617354a5b6a2ea

SHA1
d7c30eb199dccffc84ddadb298a69b34d9ce52c3

SHA256
c5aa13a31f5441a2ae502ceefde2dcd7a09202a4ca4d91e49b5623b555766bde

SHA512
65e2ccb5cfc0d48169a4747a5539cd6c33e0cc2304d52d06a9db104adec5f1442f8f6a983dadd67f0abc62d8c9c22a1935214687f9040530570b8f04d73705ea

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c600d1cb84f7de6d74dc7ba7beac4460

SHA1
00048bd702114694921fca16624b1e63d6e7c42b

SHA256
994397ed80104654f5d24b5cbaf189521e6ab93bf5db33e8e4fa7198ac2d30f4

SHA512
cedcb6fe4839d103b6fa390686ff89aaeef6856f710bb103608292c83302d2e3822d5f18472be326eafb4b874ad4b43f1b2b0378c6c3691ec9deeb1285cd286b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cd56ff5eb316de8fbd514969f72f52a7

SHA1
6f3002552e62fb3a6325fd53cb01c59e75382f5f

SHA256
38eb1653c0710c78f1b02e74d97fb5f9ac6fe8e8b762fdea61cf38d31400fb3e

SHA512
f0adfe18edeb5f7ad2b68885c6c151fca8f0b9e888c4155b35b50008395dbd6d10ee515360ff9e993d0c53f35f4237ae2530b89b92247eeda4584bc497f0e1b5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8f60b73e9387ad0af1aef7e187614ef7

SHA1
f4e1078ec4b0e4ec8069077e3f8e361ccd247d27

SHA256
0dc8664fce1af2d6213d719c97ee26036ea88b20888749db31251372bb0fba30

SHA512
728ee538e9b6d93d6930f061eb74107ea0454ec1ab40a8b9309e3f89ff07136d443f21b719dba982c6e61a285da93f1cac6b34965d2b433bc1795cda7cadf945

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
aeed9808a912744097663447bcca88d6

SHA1
d94bbb3c043e040912c7a784949a0262676ea5d0

SHA256
653f7f8f145ad60ab0df1005ba57d406b4b33aa418ba2c01e5047b9a65a007ab

SHA512
6eaa326e077ffd59058abd3d3ab91b4fb4df66b6b9c06710c2f842886a3ed26150e831afc8dc9f7c505081850d2d1156a14672a5d69d36453beb7eed6e93aa27

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f96445af7a23bc172d54603176cccc50

SHA1
c7d842c81e50ad51424b213ec05d8b6419ccd013

SHA256
0e694a74a89c4fc0b4ae89daf38062630f5d890516ce355e961666a55295fba6

SHA512
2f51924140f391646d7c5e0114c6c9549d07166c9e2237b6b1fd488d1cbcc90af9dbc0eef00d9ff31d7562c232059051b9fe404520ef530fefefe64adc5655b8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2b43b7d03a41f770aba8c78bc308cbeb

SHA1
7b7874054edc95ebb3fe78feeb1c5d87b0965b4a

SHA256
b671c50204a6cf8f40cc90cea5067a7290cf6b7d29a156e0453927954c7f33db

SHA512
b0fd4e3491cb4b65293e457d2a34efb5421ee1cf5676644fb9be99cbf4ea8c257c83f19f823b86ed820402ff6d91243219f2bd2bf2e4103f14c3530671917765

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2c12dc40b294b129fd063885b887ce48

SHA1
9f7648070c320c4dd1f00d2f9ab3c30b91ca0ce9

SHA256
82c51562fb2ffcbc47be43f9363c2135e2af58f8d139ca69a93d5d150019ae42

SHA512
408e9a04a7e75e54b78cf4ebb2c356e7122f1838c4e840b34df729e0f6733c2760689add7337b8a2a7c393833f94a9cb1a325a9110c25ef1b55fac34a60230c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
398946b18cab0a02b9987f0f01e5d5c8

SHA1
0e1c913ed7d2eecbeb19ae5b0b6ef7f1c301d5f9

SHA256
99c753d53553ca0dbc1ff09dc17fb5cec1dafb1f979b4d0482e31733c5774f74

SHA512
e683c1c8abbf68decb5540fc81510b0fd2a859787a53bc7ecc48698f48d99ba2965d3967d5180c3328f9ee86576b8055bab8f50b6b2706e26f17b2f02c199585

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
17699ccf0bf0e474016e9b13fbd3613e

SHA1
35a0a31f91f32570ad995c0e7b3d041413da2936

SHA256
76bf98d91fa9cc2e2484b20904696ce1fd16826d32d079659370e3ce30f79049

SHA512
9a381b470b23f85f977fa9658970d5827489c2c3c8f02f7193316993de99841c6e9cd71b7926044dcb879c7ab0315a97ef72293930a4139d0e1d0bf010992266

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
48248ae57475fa8120a2d3a16cb86a50

SHA1
8fd1c2cacd1b906d3a8a09d79a538a76de90392f

SHA256
30e3be5249ee3ca99e34f1c783e3c4c2db77e2b176d5c90ac4d6255dc6357d93

SHA512
fb132dce2ae77a56c8c9309b36058067fafaafb85c007cf4e2fd101c2cb3ed79f27902b8c57f145c9743732b341cc7bf6f56c095e62d9a7f32088d59d0567e8f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ca86ea773311a2aa1a4fe26fa69852dc

SHA1
049a7e2f243ad2c8c2c8fe167cbb975c721e616b

SHA256
b9aaad4b2e07bbfc0ab97d6ffb13b1894343be9d739ce3c23da71f0bbcaf8706

SHA512
a64c46abe582695aa91a0b26c597330d18ad795484f3118a68c074173c039c1ef115454141c64e1aedcb0d06851e0932d62a66b0a682598ac741a32e51520be1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9b398bc4949ef49fc8234010a2bd25c0

SHA1
063c112ff2782004ca9ee62d330e4ac06cec3305

SHA256
2eb1cd3cd08d08ed0aa8f0a8fd890d3dc28885730e09dde65711abb5f7c35120

SHA512
75fa04a6120403acc0cd285ca50f124c5d6d26261a2c1ef5df01fc54564d14d61ab0e5c78ed4ceeab31c83876682f3980cf56f8067c70b648ec7ddff57069aed

Download Submit
memory/400-483-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/400-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1036-66-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1036-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1036-55-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1036-139-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1036-61-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1140-146-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1140-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1600-169-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1600-484-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1744-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1756-88-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1756-82-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1756-143-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2068-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2068-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2068-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2068-22-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2068-476-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2088-150-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2180-147-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2356-141-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2504-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2560-148-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2560-482-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3348-144-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3348-97-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3348-92-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3656-149-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3760-8-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3760-1-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/3760-336-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3760-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3864-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3864-78-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4316-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4616-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4616-475-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4744-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4744-39-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4744-477-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4744-32-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4896-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4896-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5048-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5048-481-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5052-478-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5052-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5052-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5108-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download