c84a3f16b4a1cf7f8294d29a1aa966206903de7533bfc150db437266ed892189

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Size

1.8MB
MD5

5c92a8dfcffb2c4effe07a9a5ab3fcd2
SHA1

346174df758cafdbbafc9338aab44a3891d4a94e
SHA256

c84a3f16b4a1cf7f8294d29a1aa966206903de7533bfc150db437266ed892189
SHA512

66888615c4c68c479fbb212b1f3748eebfe3c1c4618e7eae19dcd37abe4042e34d6a2ce6bf9614616b290f0fe60ddcbb2bca6c0e15c154e43cc871debdf61f7b
SSDEEP

49152:lEy9+ApwXk1QE1RzsEQPaxHNGxlMPdlR8v4UC0Eg6ET7M/I:993wXmoK6l2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5056	alg.exe
3380	DiagnosticsHub.StandardCollector.Service.exe
3632	fxssvc.exe
4540	elevation_service.exe
1612	elevation_service.exe
1940	maintenanceservice.exe
3160	msdtc.exe
3452	OSE.EXE
1712	PerceptionSimulationService.exe
1344	perfhost.exe
432	locator.exe
864	SensorDataService.exe
2344	snmptrap.exe
396	spectrum.exe
2036	ssh-agent.exe
2844	TieringEngineService.exe
2388	AgentService.exe
1052	vds.exe
1368	vssvc.exe
3992	wbengine.exe
1548	WmiApSrv.exe
740	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\628183b54ba38143.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_108875\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068b43f3f32c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000533e493f32c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ebfed3f32c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007746164032c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffae9c3f32c3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Token: SeAuditPrivilege	3632	fxssvc.exe
Token: SeRestorePrivilege	2844	TieringEngineService.exe
Token: SeManageVolumePrivilege	2844	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2388	AgentService.exe
Token: SeBackupPrivilege	1368	vssvc.exe
Token: SeRestorePrivilege	1368	vssvc.exe
Token: SeAuditPrivilege	1368	vssvc.exe
Token: SeBackupPrivilege	3992	wbengine.exe
Token: SeRestorePrivilege	3992	wbengine.exe
Token: SeSecurityPrivilege	3992	wbengine.exe
Token: 33	740	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	740	SearchIndexer.exe
Token: SeDebugPrivilege	1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Token: SeDebugPrivilege	1388	2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5056	alg.exe
Token: SeDebugPrivilege	5056	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1104	740	SearchIndexer.exe	116
PID 740 wrote to memory of 1104	740	SearchIndexer.exe	116
PID 740 wrote to memory of 3716	740	SearchIndexer.exe	117
PID 740 wrote to memory of 3716	740	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_5c92a8dfcffb2c4effe07a9a5ab3fcd2_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3380

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3680

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1612

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3160

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1104
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6eaf61bce9ff46c7bca02c1d21dfaeb6

SHA1
11bec09e0565363862036f4825c7d92b4b34d85c

SHA256
2d07e94c83eb23bd70a0abd311bbbc204eb1f84801057520c6a564c0ee61d80c

SHA512
0196e55a7f486235508552e7d90576fc96b32873f915f7fa22bbdd6713c7cdd807f26d6c7d2e7e41708e5547111679f2b7d2994168d2da8aca29ea876aeaca75

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
00a76e6a5903643aad37f6857a1c95fd

SHA1
d21ed7ed2d6af8ea440746dfdf2445309b9c1bd5

SHA256
030f62ff12dc3274e8cc5ddaf212ca63b42b3433f558166d5aa391fc231f7921

SHA512
af949f1a1646ecc2e752ab83d6aa806bf5d764788901a71697b1d23e8d729a676f280b4344335a39848e96a37b4543f2693a61bdeeae00eae12813aff121e45d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
33bda13a687670c3e6d6f6018b18a24a

SHA1
11d364839ff59d77be4ec760e10b940eb5de83c1

SHA256
b88e624210e3b73d9804ca4b94de05de5d41480b0f6e96186ac410ca473148e6

SHA512
688bc7c3a1430dca9a7c660fc722c114acf31cac41319fad5da4ca920145aaceeb31c170633afced7f7a137565f6be0e2cead73f63d1d3e95c74a5b8e53feb91

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63dede05bd1d131bd03199594d82cf70

SHA1
c4ad7ae3db8c74ec9865147cb68c0ae95a740d44

SHA256
97753bcd115971b5d1fe10542cbba913c623756347b1402c2380762d8a783340

SHA512
b1574bda9471fb8c23f24be547c4b29da71f24868cffebc14367021bc5d81566258191ad3e393229c6796f6dbae8649e28ebf3de6974fec0712923e8c88ab9d0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8e880bc8a999523795776fada2810a5a

SHA1
cdb2547f64e5558e75bd04739667d687779d9d03

SHA256
e9a3e086743ae8d92c3d64cfa9a5f9a74918b97a96c929f68ff0ff5e3c9e45ab

SHA512
f294db25d7437f64234e4d401923d30161c9ee3c1adf0b1de53218aeb6d2724d2540b9e35fde0101e772fe85df30a62b4a626a120183cd36a0cc63dde5b9ea72

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
bac52ca8d6a9cf75bb5d47e4a317df01

SHA1
d334a531d60ecdac99c5223a689cf574d5994c2b

SHA256
42680fea05640f94a0d2dd36de8796654dcc25971cd910f94619efa8b62e6601

SHA512
7f20b0ebcdbca202e93ea9ca1eedca402419380a07597ddbbfb0d136168c237df591ea433276cdbbe5ff06d331705a6632542a842d5ea62cd89dea382c9bcfc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
6e2dbb41d625b0017ac6ab6aaae1823f

SHA1
8dba864dd1c5f81a08711e84e570d058c2201b40

SHA256
7dce7922dd508a8434917dda181155f3d340d3fbb1144ee8e6f9946bb1bf8ec0

SHA512
731e8da8d8850e72c397747451cb0a5cc89673d744e85397b419ab9e360531bbbc3de4835e71ff50819e34f020c371a5c015da2e5b76dba6d47ffe3cc319c159

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1df571a9f2bd0c201d31d3c39ae4a2fb

SHA1
82b474bad645402375c29c669dc351ff386ae1ce

SHA256
244858d349dd2ba3a2c268254115aee3fa8d215ba380f0f96dddcfe1e1da91b9

SHA512
89d8c0f4cb7aa0bc619dae3d77652db571f5d315028b7e6a85faeba776a5b2939276eaaf4c481e17b89a379390c9bf5753c86275bfe65eb45e859cd0370e907f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
9cb0fb3a326a6cdc8d8898f6671915eb

SHA1
7ea6d362dbfc78c626cd49a133fc31ffc0e5a832

SHA256
37ba8dc4ce9bcbb9ddf2d7cecb82723a1f95293941ca0190e138c04331b5a505

SHA512
6627942c4425bcd5037b087f81fa82ddbcda45bfed653206a29bbe1a31bc5fb5c20d3af36e95ed8bd67857249f13d511dd9e67599f8c4c117cf6ede35bee9b8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4c6d0cb9fddd9e2c532f064409c75c0c

SHA1
c901d3a49ed7d1a38f2f6afba93abcfdd2c00cc4

SHA256
401145b5ab89c7b38fb8882e5a0b2a93139e25de7fdb6d1e67c6cbdbe6640d36

SHA512
f19afef981c09978070a4b89ba929d2ffadbf8c0909c4f9f2bb9a25b92286dd72bcd0cd4829cc2c42a0af0ba3d9e2c083b2435976bc0bbfb837a450a07176e99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bfb90440eb9097bae4c8b80df46455e2

SHA1
043808a316d990988d295c8d3fe3532b8205df52

SHA256
6873e792fee70ce020de8473fada9910544809728aadebffc95fe68693638f99

SHA512
7cfdf4974a1c56b3b626aa2631770b2ad8bfa1ce088e0ecf43f3a52e5399c6ef7880274dc6a8aea8990cac975beda150bf3b33f6b5d09d05240365601bc7698c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
41bacc1996798756b44bd93a51a77c29

SHA1
5f8a5b2afea69664535825d447aa10b68d2acef0

SHA256
d3d9864fa8d2d99a990c34319b4be88d445471317a4b47880e322ba233b20e4d

SHA512
11bfb8c950e7e6f904ddc9762467189d997f0507728f8ab6211697782f844921c48ecac5336aa0979c66241d41b587f29759f2a5197bbe4cbcb27c964b51a691

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
382f6dee0bdcc0b050f23514fb1cd68f

SHA1
64c6bd4b7eba29af03bfab250bb408773b007563

SHA256
bebc318d85191594430d4771b5612781345f213f3e408809fa2405971672b2cd

SHA512
ab09a08f5ac282691eae68fa45b2ae1d7ac852af8c86da63b52450226485c1d5d0545d2a47997ecd056f09d82b40d9320234f23e6f01e3d439b2dbe57f37683a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
9d5db1e79935b8157d20af0367f316b2

SHA1
e7f5102ee4c5905c584cbceddd1048f67648f156

SHA256
260b897b4f94b57810a49506ccc5d927cda1c194c1b966de37bd8e8acc026ab6

SHA512
8368d7d8612aeda75766225fdb663548247297f499218a6840ee823cf00588d885a13c3824b1b97d93a0d3c6beec6c5505fb2faa02c673ff2a6ae803cdcc8bdb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2fc02fd79ef8406517fe4fee63daea6d

SHA1
b0a162c3cad58d6859f2f07608ce3bda70db61dd

SHA256
9055185c507fb27b67a2f031abbd95618b4d7a432ff6dfdff6c0ab7aa1f4276b

SHA512
4d7d9dfb6f4b9c0a7b7f221f1f9a27f5c1188d3fd4d43cbda0a520b446215eb6138dc1b9da1a5d58a5c599a0ac3613725eabb7307442e3772124f8f17db27e68

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
283eb40f292d8ce40123300efbe46e7f

SHA1
6646fd0a79135b11b12a75fbb6e2deaf5a03262f

SHA256
f1a27ca2f849d331951618f456630fa5e5b2a47ed9f8236a113138b2d503ae8e

SHA512
c631ab76405ddee8ae85b591fc8aa9f0121371e94d83eb795b9eccd3ad96d32e0d221f65bce83b7b3bdefb72584a8ca63a0880acd630e69a460bf4467127f714

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1c0d07f40b32b38ab10303cd9675f244

SHA1
5df85cbba71d7d0dc851a834091cdd038850cd97

SHA256
87393a6f89e2516169e746d972c996409f2f2d91bb1e05099e394d762394d0ae

SHA512
fdfd7bec0a2ed07dbfb15f0afcd48c7f7772ba948741456a3832d38447a27e3570e6661774719438929791af1aeaeb4f861f12395c4677c442842f9ce4eb7e0b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b7343c7ac8cd7549010480ddb9e2a8e2

SHA1
5524ca0e990754ce0bbd4045dc11b329177a64ce

SHA256
bbcc1afd6ab2c1c0f49abb037210c8622ebc6e6e43e75b7f9ab205599d6ba0c6

SHA512
0ee9d49ada683e15146179848db646c52a4b1ea679f21461c090e1173d33411e8756132c9d32fb44bfa9466101d001dd84da6dbbb143d1c5e8761ba03d9a4727

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1e99d363ed87349e5c5a13f17855196b

SHA1
5c66ba42dd41eb00b90e2451d508e55c92039ae8

SHA256
5202700ac7ec384a0f5effd8a0f64e8b9e99064c0fd4fe880d3e6bf560706086

SHA512
6ba7eea7939b843d8ea83bc348777224bb7ceaa777767bd23da7af808a0a01d6702fa1ac2bec816ec0aca032df99c79d515ad256dd695e08d1c4053e715be82d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1bbffcef93708c9f862b9cabee815ca7

SHA1
6cf4f659ab380cbd35c98a4fdd0eedc514bb6107

SHA256
bca530bfa893bb1b41e045c9ff3c6a206426424a007cd021d29034cd5f415a21

SHA512
40668f326d149af090567493ac09014c4d106a1ad00b2f0d73922bfdd7d4a2cb838c777612b9be99537095c3f40642f5d23f5294a8d87efbafa62c00002ac83c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
64ca1f2e871d5add8c74c4c3754b3db5

SHA1
c7e67193b9ae23c7d28ac3276c72360b1c55ed5d

SHA256
ee10e4626ff517b8550cf84cb7922be95075a1884715d9c037b0dd561ee64892

SHA512
a1fe28d8f9833d31509334b285e517608f2c026917b4258c516de09f9eec8054cc01e55743fd9ead7c17b3e678df635c0385367e11db5fb3baa3d2236d2d5e31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
f83e757ae26d874508fc8181261ad96b

SHA1
7d84885257ca003f25c161dc8ffc3520bef6def6

SHA256
a055a93daf151129fb36b09983d9ff9adb8b22aa1713b9c590eba225d2569a51

SHA512
b24b1a8a30b1bd70379bfb08c4ce7737cb221e6a6d976a1735ba70dae5db5a4dcebc8f90972fb931309fa8899764b83bae34d8517545acff7f0c990c70830f6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
1e1710bb598c62e2b3553591d969dc25

SHA1
ba01c33ba01833653d98f0263435ac9992a12421

SHA256
8f2fa720ef1cec840d4cb2f9f38f30371193fe6d691542feac73f0467244c4c2

SHA512
6276f84dee8c2f57f18a561509af84abda62c0fbd6141c204858c21cd85bcb352cc5292eba86a4aa06552f1dd709846801c68f30d342828bda37b6976df7556a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
1191a0c7343af7f2fb1b0a07becc98ca

SHA1
5a0468f495726d0341b0f409a3e9cdf1d487eb7d

SHA256
e0ada3f9c532aae7c51bf45ccf577bac8b15088de346904fff96e415dfd61336

SHA512
b648531e473faa7caa2c6b102b53b7cb61e952b4cb66571ef2159c5c249a747660a39b9d98594ddf44f2573cea0d3bb1c02e5d98a112593232851108e230abe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
baec0bd03ce630ea674e80d11dd08da1

SHA1
8774b8ccb14e8ad606ea0a49cbf6744ff8ba591e

SHA256
7a914b759ee5430017e612d28e5c6bce8f05844032dc841bbd326474df02cffe

SHA512
e98509a10b089717e5aef8c24bbc4d52c61719d79744880db82fa41b6b4389a7e74e90dd13996ab00ddfcf3f9053f6b73dabe1d97915f54690f7624b6f9fd434

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
ecf1ff08eb663347c5c2b442ce790250

SHA1
546eeafe29df916de4a797447f8b9a5a57c8d3e1

SHA256
699a00950410513f6e46270fde898b401ffef02af5f1d43dfd0903b2248b8d27

SHA512
e7ea97dd0af7fb4b337f726f0ec07b6b92f194a4a2a105d997e2294ba1edae5f4071a2687e4ef1c4b36fe791152e88b381b0c56fabe5aa01a53512b97b9c2b74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
eef2cecff91e7b0f38e2012a37f181e8

SHA1
5bd641c01024b25778fc5e5093a162e854da12fe

SHA256
d93fab2a80dfd0da5f9ad02c1a9295e80f45f855d98c58a8d20a5442843f7359

SHA512
8f120c3f3baec3246b4910d8b11e014f594c1ca13c8faa870905643cdad88240eda227802427f1ed51113e23ec8b8af7ba629701ee3cffcb18a440c62602125b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
bbd5a2c7b10eb67b3ad2b98d5e0f7263

SHA1
f87f4c6973447240b89ad330978d82154619f6c7

SHA256
0b70832d9a604d3002e23572e109a67c7ff535cd7bbc05385d999c7533004aa6

SHA512
1edac588048db7bd23166951b256264b9a2966e616eef72cf0150903365805ad447532157425302727a3703583df356e7f3d50ab61932ec751660ad6daea936e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
f6bff43f0ec5b24a32e4ab73800cdaa6

SHA1
00600bf3d3cc6381e60dd7e46f575baf5ac60d6b

SHA256
9177f1a23c2237ed217130f8d245fbfe9c7918b201c1361680c69a90e65be1fb

SHA512
af2897aba46b3fd93c686fe6426c65f6fbdad0b57e5c6e81ee7900c5c050c67cb8c2418ad28d555cb53b09b26b4f7988a25591ffa555841d20b501cede0c1b5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
782fc3aa3295fa6baa53bc7e60113b20

SHA1
4f709a9b0c42c0cac3ab029580609b512a558a1c

SHA256
589e9254542d5667c00f7e44d3d3c2f88972e0a22454577d67e832760c3d47f2

SHA512
842accaef4232c5c4581f54185e7ef5d14108bc957dc76758e5841fb5b4d999a7d984d3d94bfdf855f9e85cd65770bcd4e7bafab6fb73d3187db2d60f1a996b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
bf949a47034c150c87262139894f3be1

SHA1
3a7f75f85f7e470d7ba035ed9a2c5564501ab3b9

SHA256
23d18ebd3dd386bfb2bab3adc0ff456be3e123be92de1d0fd479ef212dcb7727

SHA512
a9b993facae9a387c24a1768024527de652aaca39a9ba6c268b0302e77876feec4ca9b69c962f061f7c40a64dd1c6c25e5c0527f01e5c6f8975dae4476a782aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
4e8c52aee118fa1c2ca9cc7d4b5611d7

SHA1
ec9b092b0961c9e1f8401ef0c46ced90bb47f949

SHA256
08ad62e991a10c441ac6fd2aabec1861795ebaabbe2bb013457b0ca15d3a40b0

SHA512
af9da896bc2d5585a041e8704226b62f582fec6ef43e091da3c52d238ac0a7ff892a36b4f04488a12f57248372a49cb541084ab6b2ced07582c95718057e963d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
1f202cb452bade7b2a8ab750088a48a6

SHA1
35252be3dde8b3536827b296c2f2f2ff4cf2c458

SHA256
8dbe3439a72236b084a883931a68b9be5deba65e866b94169858b0cfb2aca74a

SHA512
d58121b2e5909c1c733e1ad85da7c628ae3fd1e9eca398517c04ede882d3dd4966d6a550ef1e39cfe2e3f91d3458bcec67bf234ae8187e34eac9d1ae2c42636e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
6349e5c82a264cba6d6d18826049df18

SHA1
1be6d9de1fdd0be92bd7c8f6611b37e2380ab6cf

SHA256
d0eb41a5664a508aabbbe3b2e0464d40b90db81fd43e0f424fdc649d6a1832c2

SHA512
0150d9fa88e940291cab0d64fa3d814d314a9ab3a24e74c415eba26ab39ab425c89ec11fd92e24da0aaf97df5f897192a923e3dad9f472e3f0886e9a07baf9a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
75156fe2e6342cd7fd8fad95a14f69ea

SHA1
f3a9413708da24893a299d56fb549cdd4c7d800b

SHA256
37f4a9a53c0dddcb752fe8728baeea18466c908810e7ea1269e778f99b96832d

SHA512
414f3b21e6abf436de0cc74f38d64bc949d56713b228688400036ee1a19b41d71da882962ed07ecfc2a78a85b4f3ce0e8e8474285816bab9725f1af888b2a468

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
1fdf56d743da6e56d29e0af12d186f45

SHA1
bd0bc6e2ba6a60fd763cf70c9145d940d6648470

SHA256
e66f3179e7b8b3b056fe3829a3968687aa6ebb4d73772a958eca63dd9d524442

SHA512
a57ddfad537dddff7bfbd86a67034dc686f2998408e87fb4ec363143455165cbaa61d5d2967748db7d4e41e89a6f4f4e94aa82b736f80f3a7837d213c400a244

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
af53f6371bc984a1e27da83d40fa52e5

SHA1
8f361987890224661582c090a84daa63725820b8

SHA256
4054e9a53db30bc6999bb963a1f614d1f90ea8e67b640f4ea73125f5b8d7c54e

SHA512
1d3c8db45d85b8a1884271614b6829385023588c61f29901da0a836824ba13395562caa1805ab369958a7a145560d7e980d5b07d2388e783da3721dd00a682fc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
4fbd1de96e1123bcb43515ec98c27d63

SHA1
8fa5b89fe9110e916c4e93d0155e6f71d6234dbc

SHA256
07f294eb93baf28db74f06e543441229abeed1a91f743ef52ef22b9d064d470d

SHA512
86ed9abc20bec5cd0824d2844a867f37e91149bf73f876eac4bf7e05ecdfa34a5625c54b0caaf18107b1e392fa3656ec15969b718a28f723986f5fa57cc6ddea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
85e922d02afbf4a86b27d89ff9dc753c

SHA1
9ad00fcc18a4a3be75f3f4dcf6bf5e72eb77b50e

SHA256
417a849e8b25a5631f1672888071ba5e4e9e4d1793f32057283ec61946554689

SHA512
928f63ed12d75a584d48b661b6ee27941f7c6b3d9683c2de1373e4df5617538576c98d932e1f933da81ad03cdb6a08195048854c2b152413df8ba5e48f23662c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
88bd44f5a33d047211ba8d618fda461b

SHA1
c993d143b768a4fd8ac3648f0e82889d48783651

SHA256
52ec29179fff1c52665e3e40a694e2410e56b094c4b038b5a776cf31dfe8e6fc

SHA512
3126f351bb9c8317835afeba73d3f9ad6b63044c5e43038a246177cc29cb8edfcb1c364de3507548092e1dd2c918a75d9570459c700eebe4d9237475eede7b1c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
9e6f8ad967e52c9301efe1f0f64cc16b

SHA1
2bdcd5bfd42aa2c0ba7b8a0e32ece4b5c09aaf33

SHA256
3a555ede39d1bfe6987791542cf886ebffd5045c20ef074ca27b15a4d5a700de

SHA512
d5be6214a4ab221d04c0f7d2abb4093981d48702a943ab0b95f562391f32d72292f6c300f8f3f2a748c1c2c16d49861b5ad0f0fb87640dc5b803bd05b448dbf3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9303515b9e78cb5da33db323d94dd478

SHA1
150b2fe0bab29b0db7740e48f3a4be71ec3f2aee

SHA256
137306d28791b4a2ee03accf04ae0e1c643e14655ec342d8cd0f8ce273c30007

SHA512
77630b5568ecf5a49db18b9b4178a129d0a9a4707115790ac0b3e460ce62f478e68e0d965faa2c886f1acb83749f89d865df1ca4b5ef4d0122150a290e8cae29

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
ef73d6741ed8c23c9ef367575a269b2e

SHA1
72c63944e13166da1db7bcf8cca042dd4a3300a6

SHA256
0960748bc5d4586511e2d1e305e7aa17d85e13452c8ce162411c886d58df0c7a

SHA512
9b7d104fcd681f870f08e47fed5a729695a7ac19726a3a682838e55485d00a2e3c544a0ff3d4932b9c453bbd029167b8d2dc39addb3f59ef60084bf7db82dff3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
0fcfd683d1cc3cae61c583299f8cf042

SHA1
f341644bd39c2058f939adac3847978c4957d1f1

SHA256
56d8fe552c0dfc6b9ef3ce4eec3d712bf2b8ab2dd5abb240a7bc5dcd9ec990c2

SHA512
356172b708289bb08e14bae7c55a4535ff83d52265720f8c5ba0c38524bbac480a0f983173143b1078876beeb08bf0d5eaac159df25a0dbdbb16641c6093fb97

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
34dbb8c99f6f82be1ee52665657a9fb1

SHA1
95a2bf016ddb1cd04054926f972f0650dbeec275

SHA256
d993f42dc085885689536e2ca62d51089c5c8ed91c32b386e04460d8abefe568

SHA512
4fff7fc6ee240a1cad7cec8314b7cb8bb5ab7b205a58040c4da6979a20e979141d12ce92b1a6475a3a11deaff4a3f9dd2300e55060a1a6824c74d96ef2af993f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aece7e74e7c93d01ac764e070274e966

SHA1
d60f1471df891aa15e71413420cf6acabd836df7

SHA256
422275ff45d7c66754045480966e30d542cf0ca93497b1f09530680c1bb9a3b6

SHA512
e69ec47a832af211b2b0a2980efaea9fc115a7aa54bd58b832d37e98f066fc7bfd1b4595d6ac3d891ee70681c22900ec2361998a0d70457eca5f26f024a3707a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
adfb79eb5962926183cf7c8cc880fe6c

SHA1
e308cc7d7450bfbd5b62d52893d5a043576f0cab

SHA256
76b23155c996f5a710ccb94b2bee980196fdab902bf842d1a67fbeaeb57751bf

SHA512
b190f88735c91792153bf183b181aa78c90f8c1ff18093db6fd7c513e81bc97c19396b6a2bb92cc13b4f9871b3c3409018f9629d5ff5e0d690a2b7117adc6c07

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
571762de1d612e1728eac55d1b1b12c9

SHA1
f19b1ce5ddd3a2f3307dbd4c97de168ec0dd0c86

SHA256
1ffc2092e5d876abb82ebbe8aa3d7f8681599c0d9373415d8a0978baa39805e6

SHA512
e7c5241b7b35a868c9a9f8cc9cc6db58eb9c9a74574441f7511764b027d7573e8f114d2986124d335f90c3568518cb2504d785d731cce0ecf87bebde5463bc11

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
5d0b6f8cc82f248aa54c89cddb3823dc

SHA1
1ec71a675f8b59372b8ba2966614b32f97b02ffe

SHA256
bd0560dfa0f0e7c96a655eefa1bbf63d8acddb701337c71c792b1bf80efdfdd3

SHA512
f35f131081af2bf698abb2cf259c3454d9e2f740f78812e6104afc0e6bbbcbd1662476a1b99f9e21cfda0e2d6708cced57ddb83a1f3259bf8ed57a08b0ef6024

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ce276b635a92d2554b58dd171b39a1f6

SHA1
4b5dab035b86f013de24c0f2e2764522f59cdfc7

SHA256
7956598c0131db4c4a5e1976cf2bc6c1f3f9bd2f22f2d85c6809ea8760e5a3a0

SHA512
0de4a803d006c088559dfdceeedba78dccd1f6949d61aa688659d53dec1100385f7d8f622d1bb3aee7181a2bf97ec3ad0b7f7d5b83936ff2fc0883491c4df779

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
aad4bf0292a07f18fce152af7024a91d

SHA1
5e1155ab2785ff9c1cc62cc7592907fa3801d4e8

SHA256
4d3636678efb100d9aef2bfa75e6d82c351a05456c0af18e5ddad50d9931b144

SHA512
e5d9390b78a4d72db0d5aabda6d7d5ab78abccdb8b2d4606581a9f41613f4c5a60c1173f987c384537b9c96070292dfb8ca2f1ec74016b489e8287f07ef3b306

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
116958a9b105e22ac309a16cdd10694a

SHA1
7662353fc8c6bbcf834a03a129c254ea6c6cd749

SHA256
7fd48fef378c3345dc31efc752b83ebb58e3ffc38de6bad49431ae7db4af241a

SHA512
7ba03ec1554489185e8e253d66077413f41cba8d3974985523674c0b2f2960ca123d374aaa0b4ff2a6039296b727b8a62411c4ff7e9b0451b1cbab64da704262

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
5861de52a9a3d0f5ba7228eb0018389a

SHA1
7049a723db9fa953d3691067757769c00c2bfb14

SHA256
1dd0f53e33e25c616a821bdd9416e096c9ef7b0057e5614943068afc188d8776

SHA512
b1368d3df92765fdd1187b88b591f6f116f6d1f86cc116d6ede574a85deec8013d363ab4fb2a49712693546efc0cae74c0c5a2303672ad03456e215ea2ded64e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2feb19222a5b5ed06419bd43a4bc75dd

SHA1
d21d4930e36a7238208e9ae511fc843bc323c7b1

SHA256
237650e64c1bd609a1a77c34573d81e64116aa92990222259da390034cca0a2c

SHA512
81e6c4b7f2a7742fa81d1c6291ac6146225b70a1cf23a48f187a75de52ca24400486db54e6648b9b73ac631645dac22427b9dd7794b2f24d6f41c8164b0c8a79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
12e190acaaa299bd60177ad9d677559f

SHA1
92ae6011c05ea168cf3d4a3516d47f86a809f47f

SHA256
47801d105cd5edb33dd2468213fbaf8a94824ee472438ad74000948e8d727387

SHA512
25e0e9404183e842f8cb0011a4eb1bb8ead70ec32dffdf201f414fef848d1dc180fcb7ad07c38e9fe180b9f38e981cc81332d33837d010144e2d4d7b7f90271a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0f15d90e29112d13eba943cb06873e2d

SHA1
426ae76f63ade60127615921333cb570a3e9c231

SHA256
f26a22531aa125b5bfb4f23155018043fd519d0ab6c9f477c2c1eea302bd5737

SHA512
ed48e85b5921c6ec1d93989984a56fa593d4024b4496e3c57b1c1d6ecbc2512ada677602d9f074a05e4137560db464a488dc04deb807601d196812788474d2f4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
63b08b8d1e15b4f8a0b9ac1dc10ee457

SHA1
a0aba83e58986e8b37a50c66882d3c1e42da20aa

SHA256
0ea2777a36b3058b521dcd353082018e940a764a80e7aa6347559143c826ae31

SHA512
0897cfd4fdbf69fab0fe76c161ccba90448b66246d6d9d879119d3332dac4861bd184058af87c6e5380a9f9934254a225bde0e4f2ed237b26e30e7c2da1f3c8d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
37f714893070a6ae995e7674c7ccc93b

SHA1
4914a5c26e1f6e7109c3bb69d72a666c25d6f2c4

SHA256
18a12d7875ec5cde72ba471ee4b7920475888a6320ed919cbd5808c16a402a2e

SHA512
d6bee97fe132bcc0c4cac8e6f2f590c4a85cce5ae68c565d7610f9d8537cafa626bbf2fc8c8dba7e578a4c7ddd1d4e70f61bb33968b9e4118ea41e5655839172

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
5fdfd934c61ad90536867ecda70f1521

SHA1
f7531071a94d108fcd6b1a2592e401400fc908f8

SHA256
9591d02574b9479100307d823b2cdf1ff6df3e4a83e545871eaa157cd77b32c9

SHA512
2c602f9f8f997e81492f37bc801d3dbbe534969b02258075e481553af091eb5f381c4a033428dc32e63cf81e4569b3c8cd056e5695e062ced041c4398fee29b1

Download Submit
memory/396-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/396-435-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/432-132-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/432-258-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/740-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/740-564-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/864-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/864-521-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/864-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1052-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1052-559-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1344-240-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1344-129-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/1368-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1368-560-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1388-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/1388-2-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/1388-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1388-89-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1548-259-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/1548-563-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/1612-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1612-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1612-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1612-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1712-126-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/1940-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1940-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1940-82-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1940-88-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1940-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2036-180-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/2036-531-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/2344-358-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2344-163-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2388-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2388-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2844-191-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2844-551-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3160-91-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3160-90-0x0000000140000000-0x000000014017A000-memory.dmp

Filesize
1.5MB

Download
memory/3160-202-0x0000000140000000-0x000000014017A000-memory.dmp

Filesize
1.5MB

Download
memory/3380-26-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3380-25-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/3380-128-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/3380-32-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3380-33-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3452-113-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3452-225-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3632-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3632-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3632-60-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3632-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3632-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3992-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3992-561-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4540-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4540-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4540-54-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/5056-125-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/5056-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5056-19-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/5056-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download