9009d8b39fcab16be07497a385e1846f5147540ae94bfea0c3bb5e3e29dbd306

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Size

1.8MB
MD5

be05380948967e7352eec6bb3141f96a
SHA1

d1566a8e8bdcbfb8d0a52dc75a920ce2de61ab29
SHA256

9009d8b39fcab16be07497a385e1846f5147540ae94bfea0c3bb5e3e29dbd306
SHA512

d1abbd1775c21daad5f073708ab6812fb4a61699d9dabc013abb9c7050c166ef65d1b532679cae7d9757e9f18935e8c1c9f9b1053a823d864bd7794815e31765
SSDEEP

49152:qE19+ApwXk1QE1RzsEQPaxHNd7DcMlQpRQQMKMZ:v93wXmoKF3zlQpRQQY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1524	alg.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
1332	fxssvc.exe
1380	elevation_service.exe
824	elevation_service.exe
3692	maintenanceservice.exe
376	msdtc.exe
3936	OSE.EXE
1620	PerceptionSimulationService.exe
1240	perfhost.exe
1388	locator.exe
4896	SensorDataService.exe
1928	snmptrap.exe
5052	spectrum.exe
4604	ssh-agent.exe
1968	TieringEngineService.exe
4476	AgentService.exe
556	vds.exe
2224	vssvc.exe
1932	wbengine.exe
4596	WmiApSrv.exe
3744	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6cdc94bb293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0315898e3cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acd21798e3cbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003934c099e3cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d107b99e3cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000132fe99e3cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
4992	DiagnosticsHub.StandardCollector.Service.exe
4992	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Token: SeAuditPrivilege	1332	fxssvc.exe
Token: SeRestorePrivilege	1968	TieringEngineService.exe
Token: SeManageVolumePrivilege	1968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4476	AgentService.exe
Token: SeBackupPrivilege	2224	vssvc.exe
Token: SeRestorePrivilege	2224	vssvc.exe
Token: SeAuditPrivilege	2224	vssvc.exe
Token: SeBackupPrivilege	1932	wbengine.exe
Token: SeRestorePrivilege	1932	wbengine.exe
Token: SeSecurityPrivilege	1932	wbengine.exe
Token: 33	3744	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3744	SearchIndexer.exe
Token: SeDebugPrivilege	2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Token: SeDebugPrivilege	2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Token: SeDebugPrivilege	2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Token: SeDebugPrivilege	2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Token: SeDebugPrivilege	2116	2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
Token: SeDebugPrivilege	4992	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 4716	3744	SearchIndexer.exe	107
PID 3744 wrote to memory of 4716	3744	SearchIndexer.exe	107
PID 3744 wrote to memory of 5116	3744	SearchIndexer.exe	108
PID 3744 wrote to memory of 5116	3744	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_be05380948967e7352eec6bb3141f96a_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1052

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:824

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4896

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5052

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1636

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4716
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 788 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ad4811803f4f39b58d0d4c273cf058d9

SHA1
a70e9a9be6ebfac0b42dd9aaaa2d4c55c2ffdb62

SHA256
cc02bf3870315bda49d270a247fea4282f762a84a4cff7a3e9db237c27eb72c5

SHA512
55aa43b1ed6a30b0b77e8e4634df810dc1589cd98b53c68e4d04324bdfe286feb49f1ab994c108b3f82c4436dd2a0b0697745210d1ba99f3a33a19b9490ecf8c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7de8264ea157c8bdd81a54674d1c2c73

SHA1
6d712b533ea67bf6cb11ebf763b5ac8f158df950

SHA256
dbcee0b0829c2942ff449b8174c8d35b2afcf1a28edaeb48387030744488ecf7

SHA512
aec36de11469ee4a08f4fc99da07c723473dc048e39ce1ca1f692df6c4bc9a1ff8c2c1f68656e8a565049658ddf4240d1d7347582b4f975a01294135d4c7dedf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
058b815198d7939cc55511e2deb8fcf3

SHA1
5de862025c807f18806c6491ec3fdff8eee1b24a

SHA256
e2f416983622eb18a499a508a93d2c0e6e4d5bbd6377ac22311c721e132dc29f

SHA512
0a36e407753f046f44f10e11528bdfd70533d3fb74b41ef2989f8fc80ca878736bbbd8a265c6877dd42e6a5636cc6b4a19e9f9b594d7bef9552bb666be8517cd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
427b53e58a1163b39a89c8d3d200dd02

SHA1
5c453e9e4b15a0fc62dec9593f17a06835920bdf

SHA256
ed1add8367d276406cbecfaee15a8888fb4dc60aec98879faa3020f6b924312a

SHA512
b78a7ed27d272323fc4539ba0ddf69de3436ba1adbea40bbfd07ab906d11036aa0939a8a214ef8270be921ade6d59658eb3a2122c3b0ef9c7ee0b505f578d55b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a47fb31cb1738f7d2fd7767a8bff5d9f

SHA1
05b8b70afd71e2f83f1dc3151c7b9967500b0ac9

SHA256
4873c04f3ad15a8c8488880f873df9cb588759b07a246134fa59205fd21a9967

SHA512
693981d0e04dbf9a3bd19cf0e8256bf20a4b6d000b2e307e89dfc64f7fd2a5510fb8a04f995eb9a7b090fe221ce84ba6750253d88a9f90bcda5f85abbd72ad20

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c0c6393a5ebb7b8b24ae9ef760401184

SHA1
987a1edb1c4403df1cf33a25e34503c8bb22010c

SHA256
8b6d8a269694e4fde1689366bf909bb0f533ab9feb14b5ea9a02388a29181ebf

SHA512
372a788ab1eaf01070bb7f8ba9fe376f512c11cb4bb43a764cfa505b371e8eab3ac2a966e8455c20521eb7a8537cd54058df7b72968c1ec5c5ba5c23424d2c8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
beca9647dffcacf189fc2290bd7ada5e

SHA1
8014e9c9a599d0bdf2d8c358d479dc45b7d882cf

SHA256
94a98b36bf4264db19a567618b2b9e73a31554533e9837f8c35582571f28a366

SHA512
6e31cff6c8f734745af7eb7c3d146fa277170ad1748bfbd966628e3b40fe5998892f3ea35c04e288a73b54c3c46aa37377537e69b18c3b094579e9a6d9d5f8d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9b31c9c0f58cb2ea35b72d4b960538cd

SHA1
3c499969a671d07d5a1948752a6d501c91965619

SHA256
78c316c724fe4d29323385bc3ec78f6d3711877c47fb8e481709222e5e30f8ea

SHA512
d23a5091c3211c46230bd8e86bf4207a26cc1ffb566b21d1db6508740b418ad331a764b9ebe3e0c34b11a04e6560afb7b957ffdc30c12d035131408c64cb2955

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8a798c4dae89a58c7402189626ae61bd

SHA1
d6b161e24dc04c4189ebb23ba0e67fc0369565a1

SHA256
029834f563c257e72495f4dd3dac722499416893d036f22c9951b790cee2f702

SHA512
4078485447fd8519b81b7f069db66b0fb1fcb6b33c94ca9bfb7154890c0f68d849cb43e1b0318fef98ed93bb9011422dea8cfdc2baf5208f485ecadfe55becfc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
02dfd7f8166fc405ca84b020f8b1df81

SHA1
c6a774e637a5c87b2604c15f130d0e54bfb6d499

SHA256
c97c02da6d9ed91dd1e62948c0226462158dfd4eccbc959b552a3d8b02325b5e

SHA512
f5e9a09912e5807528a9ad0e329540746e2d544992e66d6a679f6c1411571e4fcfdcd0d4b399229ce5d7f18b206a997d340dcc338f56fbf7abb034fbe353645e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d8daeef572be5ec43c41ab89edb8bfe5

SHA1
3f763e80c25b6c3eead9883adc91270533eae02f

SHA256
822714b38e4c9c698e5d6fece8435c380bfa2a7c98ac09790083a397f3aae092

SHA512
2652c9e89f2447b23c356bad25ac09729a72a47e4d36b7ed0f399e1eb8de598be172a30334b99366dbe8d5b03a3b8021484a2e73fe631c4053ef6d0e4d133b8e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
adb74fbea5ca3d117b9f644d43600554

SHA1
fa79a61d5dab9157ee92998a4d91eef2ba70aa24

SHA256
c74dee8781be6dadd1c740207f79ed9005e58d74f070a63c91c7f001c6eae5e5

SHA512
4431bf87ab674f859d3b68e7395e192b17cf935e9be9c4b010ee09026bd93d102788adf1958f151f5e75f51fb2112c13ffb54ec00d406f1774533faa8fa88889

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
766ec8d2533679e2b818a8fe31abcb8a

SHA1
eb4e56c6ed2613a21ebb1c7408aedbc792304df3

SHA256
6dbaa8a5492d12cc8517bba377991f5a5abf13ebc0ba68ea144357fed8f23353

SHA512
5a933f8a4b65156a5a4adebe4b640693e87b981efdc4ee6255dbd1683ab8c880d142a31db23dc428d5900409eeb8f35155dde5898032233e827a8f6090007dda

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2ac86f697c3f356189b3b45c62c8b94d

SHA1
9f5e5ec40ea277baa67b582f6023aa0574623e45

SHA256
cdbfebefa7965e349e066527a7ff77a70dea768972c069b3e364f2c5ecf73e7a

SHA512
bcd2d354735e824abf313ce43c1dc931fc93a8a01a507e6004bcb7b09b75129145075218d4c6d6d1fc3f0d693e5cf3ed6e2345a91df399ba2e810056c9c0ae14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
220729a4c5af8901eb048f5a515968c4

SHA1
5557f625c0ef8ab6932b19fd24a330e4a8bc332f

SHA256
831dd769fda82eb2960cc3f2699f7a54f940ce32df82a396bc98777adc41e355

SHA512
c67d0d2aeeb99aedd0066109561a0f41d23a3ed94f63bbcc28a6608df4c7986417dccddf8b3aa017f5cd172b2d126fde4c427fcd57724ce6fee7b79a80102a7a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
21fcc085d2edbbd5845a42405dfb5439

SHA1
394fafe5d71f5473b5bb7725d8d0bd4907a6f8e1

SHA256
7a1c00d13d06010f087b33d820cc4a0291ac951fd3c8f8a5b10866c429b3001e

SHA512
ff8ac08fe6bb33878e97285d7b4d9c4e46fde6d981d79caa914e96d451f289fef85ce9ac5e5a42f2ca076da7c9b0591ed994c702540464ec541cc46fdab7b923

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2245e54ef5c7e2d16cdf1f51d6e1c884

SHA1
cc2f16d59a0e424badb74fe599102c07a34c8634

SHA256
4eda4967ef824779f0f3cd5af61164c56d2c0d618bf0d1208294755e954bcfcc

SHA512
2b2f99cba871e22ba75e96f73fb1bd6eff2ba65f627054259777061d34d44759ca01f9ce93f076b8884d9a577638689d98f784e2cb61c802f73d56e6b9794598

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
89ee0473b0fd41261410db53dc262155

SHA1
af5d2799eb0162bccf5ade864d6b09d19f135611

SHA256
72c62a8634b3d7d04e2c0b739c196dd881e946e3f32dfe15dc1900ce0ebf37d8

SHA512
f62fbb0251dcb8df599dee3db4f12e75f434e6d0e5348c8a0ce5025c06402098087c6681f75b8a4753b1363b7274ddb9db00d699e2d5e15b51ec5b5f11035858

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1d456eed28188ab12df5091d18a5faa8

SHA1
cf4f1b95d4cad7de4495f8ef659ae3f798ee1fdc

SHA256
c321a1d4308bbe04f6deb7429a4730a6c1fec27ed7bcbdb931cef2c84f7591ce

SHA512
5405b2066b49eb2195077a52c8cfcc2a09d6ba6b3bb01c42744c4417cab54cdecfcac41d4aa47a4777dce4b091834f5cbbfeb6f732b3765c44efa4dc703b290d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1dca80b14987d12469189a86dcd54132

SHA1
2bc37ef14243f37bf1885805a2db0795d3c4eead

SHA256
08d8dbbdae2dd6c074f55da75d2f68e4b8733127fff2fe9103760bc85c7b6154

SHA512
cb075235e6235e154f5b16c64001b8ef88931f1489e94dff8ae6ede046e26b2a3765ab06c653e5a59d9bc3ab767b4f133537efa9b41376f945729556ef9e453d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bbfdcb3dc994eb21ba31b0c98565a326

SHA1
e644654c7d0090365e2f3db27ff67e64d6586d30

SHA256
174b14432ae2d8b92869e2fb8ff772949b466cee1d8387c2f4692a10cf6f81ef

SHA512
2045eae094811aba9123e7e6f57c49a3a08c1b13de2a9acf671aa4a540b72f45fc9ca998741967238932d0a5ac7defde8df61483900017855a4b4be7ffe21ab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
18c4eb0d58b1f8434afdec7cc84bbca8

SHA1
84ea154ae46c5d3fa4b6bce751eb65bb8b9c07c7

SHA256
cb96ea0d65e7897bae70c0d7d56272508cfc226c2a327862294d7443dad3f6ab

SHA512
edf997e5b527030404f3490976873fefb73aa57b719890bb20a94d612c9e8a4782db23722561ec41da46f8da134fb9bbe7785e5cd66da7202782d7596900fd53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cf6bf88df8b487ee96f5113360f89597

SHA1
dbd04405c3c1cb314880d9ec65ae35250a9eb40e

SHA256
11abd4d9a3beb661b3ecfa1f5f1a0289db568a8c87e71b00e59cc7aa01e16ef2

SHA512
054779b2894a1951cf5f8831bc64c7e4182f10d89207f93ed889eef3c988d62d4f343558a3694125bad1e04c8217598d339760948127ba8935dc939171070c6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
442a83bcc14ad1c1bbbc79a7999a9d3c

SHA1
4b797d0f0044bf4f7c9db08fedafbb1df3a421ba

SHA256
f8f7dc5a00d9152ab9f621b9edcba483741617bb97af2877e97207b479cc5cdc

SHA512
f271c6efe09d495764d6c2a26bf7e98b6b88b5ec84a37df42628480a65b58d2b918675649bf25c5172fef0b7bb3591e97c4fd715a9370acd13ee5b020a2c84b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ee02a0205a67723e5567c816917fe579

SHA1
b15ace175112d2d999a211f75c99f122b4a2789c

SHA256
3da809709b60f00740239196a941dcbf6e3d01949562f2ef1fce6d9ff08f7de5

SHA512
a8948b5ea2f0853ff700db649b8299bab02b8b258543efd0a5a99c081f6b21b0cf3a5322f69e921ae8f1d45caea239889b2c567657582aab7fdffe7496f9d62a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a4acab8eb273f4bf9dbfbc4a6fbb5c58

SHA1
149b77e149ddf5bcd7d887884717b4a25cc885fc

SHA256
c18b9185454164b503412d29e4d2ed4900972008b1afc454e6bf480d441e03ce

SHA512
ded8802e94bf00644db0137290c41c88a1e8ace980a05702309f423fa6b1ac95c8577377683a1c82a7fb70c81dd70689a98f965f90564140f10e02aa654d8365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d5155435d72f85f547c7707813682ea5

SHA1
110fb4f126d9c65512a1e018a8e1d991fec0e6c5

SHA256
c3bdc2bcbd401a45ae3095aafd36290aa85e565d9dea9f6965b78c0b641b0eba

SHA512
4cd48ef68ec89adceec5b54bffb8da66a2ecb8908860e2bd020f5be43cf565faece333bba92a1693839bdd6c98de11451e664e6761b7ca5527c8d2db5a28d8c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8af4bc441e12fe16c9c740230d25a385

SHA1
5b38a2d709847f3a8a62bb5073251cfa2837041b

SHA256
5378f5bcbe630bf6e72456c5528dcbca51b186a9593d09a17c3888f0d9b0f031

SHA512
1ac837b0f888c7847e9140a02a10272e172e821a8a017102327297885e1ee3ef1ddd14bf3dc91b86dce830fcbf9083211b0145fa128316d31e0ddc5d79756d5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0193d35b504fc2fe340e74e8dcc99b4d

SHA1
b6cd05803039565e631cbddad80fd600fc6ce6a7

SHA256
81a1917018a612938b806448bcc20361ddd8070f80e09c2f022ba548b527746a

SHA512
b76176b8de3625a8c11e3c67a420d236d44fcced3d09ee93d6074d344b7b1fec7bb927bcf7037f4474fffe453fd7037e07b234a810fbb5fb49ab4c7d2ae68312

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
4853b9c1a81a03b376d9e71a83bc9003

SHA1
721c8cbca61c4f24583b7dbd69c9b75b257201ba

SHA256
7436c2c86557d286d64acd4a2e1525824bb537de173ac0720eccf1538f75166f

SHA512
c5f25ebd9498e6631b4be01c571cc243b013542fcf3733a533e220fb7af57dce18f331c55c773c9bd60e0ddc7a42584dbdc1ed54267418d36b86626afa2f63c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
596cb7805a112153798630f0b8ef6bb0

SHA1
053f0fd36dfeb5f876b06460e7b6f5fa903ed08e

SHA256
e46fd887c25183bd83087f89554bbd8aac24b85f0d23112e8d09814120efe683

SHA512
86c14996d41b11575cc3f7be3699562e829df78be26f97fbd3c3780921e177998153e213d2113c8915bd765b61313d57a63a58193f760ab8c3079dee6ae04d70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2024bacc746b38596f1be5d67bd50db9

SHA1
6813cc3e8a04d24fbe7385f572a44b133f13cfc0

SHA256
9fc5ff485ecd809894c92b73ef5e4c27cb0a2fcccff82b125d96540f6c5913de

SHA512
1b401b837205a5519e0dc69c99f9d296dfdfeab67d6d2a0300aa2fcb7bb9b32110d7f7921775e48179124c7bb3e3fe993ca87b6de3beb8b479e32b3a6598feac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2fbd20ae57748f9cd67b8b55a9487230

SHA1
e28fcee0926e1f15d76761a698e1cfad7a7eaf5d

SHA256
b6c1076e71b3547c644b330373026f87a63d32d8385935e45d6e4448a0aa1038

SHA512
1316317b5545c202672fcd1b29d8123146ef9cfa887f55077df6ca38ca637a3fa40ed3b3df97d1f073dd96937ac5a5b9ca6af9888d3e370504ca561b553583a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a2bd9c65cf43128f5da09a5c493014ae

SHA1
a269575db7a9308438e7ee8a97d1b1e4ed27e6e6

SHA256
f8176d5568756b454262261f367ba459223f47b4875099ea7ed1c54282ec5da7

SHA512
aa860f654bc1e1e63418e25a391894f94652f99ed101ab0edd21111e75f944116b1addb3654d4ad03166e756f480808b582079f1d46e0567f2c192de5344ed4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d68bdd7a433903c292b5854cc8fc3b6c

SHA1
726350afedd885c041a9a91a7aabfd867200fd0b

SHA256
df645b2c4e113ca90d45ad41c45ac31accf085c3fab4bca5b2498edeb1161efe

SHA512
82e6b6c3e89769e7a471a262a2c46d0c291b2a9d6b09d77e6749f3bc2aeadf8fd24811e02f3ca39b837556d98950d18f9661468720eb5e93821bd800a1c08ced

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
bf97b5eccea27eb4ca6b1b4991cbb655

SHA1
7497d2d864b9eb6e6a6ecc87827ff45b63e4fb89

SHA256
ee7bbf6104f2981d8dbf7530d1f51e4801fcc3dc454311c1b6d962a6ad2d15c0

SHA512
729d3f6f9a3f83e7de0d00c5ae0c57b1b492f803897790dcd27d88d464906ca6a75aec8f75fa8d165ae24ab16ef1dfa268637437b8d0ead36bf5f9c719e58176

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ff479fe4166e11f437d4e29ce607a9c7

SHA1
0feaccb93433684762e7fdf6610a55c52feef6ce

SHA256
c6084e8fa6f8838068edd1ba67c80c07458419575fecb4177e269d504dce2cd0

SHA512
87802998c26603cdc83c96dc8c85e651228bb8ac1e9c80b0c26d63a377b1b6d7ce3b410602129faa2def2d1163c210c89259f312860011eeb8662ef79d3502db

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
93cf68a3ee9beb9adbff2c584f08768c

SHA1
ab3924fa1fda95343dfd7eb740dc77bb83f19d42

SHA256
3a4fb02aa3920b12b82d6e3a23c1506c4c408cbcd7c3d3ded6a19f127d017b88

SHA512
1e97748b21e364d812b39fa42572a4b7fb5abc7084665c83fcbb6981b08f8a7cd213c9db5960f2156024617b3dfeb85ae96d41c6b64a52e93eb63ccf7427e5fc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e74af71a94e605287c6019da2deb798f

SHA1
297d0e0ab70b1ce6b7d3feb089007afa45484639

SHA256
ca4035f8d5a7473912b4ae23fec870a5a990b3c3ed5d060743c3a6a84ad7105b

SHA512
560c34a9badea9e8af4a21c5e1ab8592e0f7981cbf2fa51dd352c78d37362885162b1d968f60450988acfe41cd7d5a1e8082d73e357ec3d73bea7589b3fce7e2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c4d314d96a44a7aec031996f7eea971b

SHA1
2568218425a2c6f74c1a11760708a1385ab062c6

SHA256
0f92dab1ae16196f696cc3072151a934fc1fc62120c28130d35dc5574b3c95b6

SHA512
28b7ba7136259c94e4940f2d5d72b62de946cb6537af3e13b92cad1574d776e04022d6fcf32295cab49fc5d0f09889034feb74cdcfe29fc67cd46fbe99a11d0c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e93d48cadc2a42030dad9c4e1207ac62

SHA1
7118e5e830c80f5b77a6779b177f404b5218d984

SHA256
0cf517356fe38085f905105b48dcda6c2748c09b2ef45f14907398ca133187e2

SHA512
ef3e62fe86e26321a74222547c80c14299d3b0eff76dcd8086675f1c6832aa65e27a21aaf8d98016c25426081f4a4411355d7250d2d0505c687265f0ac5a8787

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a75d1eba20d5f3d07334628701c83933

SHA1
e073a57aa71128bd5ee620b9c8005ed32102e6e8

SHA256
a27f2834b7f2efb77ce7436112870143ab3a43b32780ab479d335d088c26f61a

SHA512
3489f1ac3b9400b077af1b99fcbeab956ca34acfb8c04efce684751f9c7b938c691420e9d877d0e015ae6962cf92025e8fdab8a15d2101c3afdef0a7dc274980

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
accdb9faff6d09763e57c9e3875fa0c5

SHA1
2049333202c8dd4f20095a685041d4496aa51c53

SHA256
63223a65c7e3eaeff06e1182818f0d6ccd3eb08bf5a44c29aa463965bbec3403

SHA512
02e9fda1035de2cca666f8411aa7c93eb0a3d0d7d8638dbbb070de68dba4e07d169e7cc9229b307cef63e013c1548bf99c81ce8d5f8d5acbc77744f3290049fa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2fd9f8af1b8a48e45fc4b13bb21e9383

SHA1
40336fdb4ef33d1e409925b7d53ebd52cc084faf

SHA256
ca709f3d5f04656ba2a7eb6473595f21cb6a612b82d34f83ccce08553caa1e1b

SHA512
8bcbbfd1af6465dcac4c140447c025b917e09712e3065b3aaf6fcd9d7ab3f56a65d524eca489f6ff62d4ce34bb9bab38e76c2832359c80e3b6c9807c6306a3f3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
78f08a7c5e9a575254dffeb155e8f328

SHA1
1b3dc843e1e7ac38cd3d022a12118f766aeebb38

SHA256
86ac26d04336ea344614752cfe07a62df1ddbb12bbe99d974db7f7a78e964614

SHA512
05fe3a005047a69b175cc9773b1ff9d6e4bfad1a5dbc0a6b58aa7919914650ab870b5ede9f6051a20ac0d36e9018726de23e1d4c17efbfd8369241bd1be55c9c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f3f2c2fb47d29ad1eae717ebf54998e7

SHA1
1b611e770210c0677ab3a9cde3ffe88e185b5cb5

SHA256
c1462de9c4b864582b7ef722408e32f33e90d2e0fa73318016001fe2a58cb958

SHA512
ac17d87e1b7d995902c165e930e503a0251b4bdb1aac53b35fff03d7bbd5d4d300bba5cf6d61cc6e0b245ba143ca7dd2549c65dadbfa8aed2367a7732d370618

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c2f4de99fdb9dc4a56e2fc7367733e22

SHA1
874f3ce52a55297e0a68b47b16bd81696afec917

SHA256
4bddd055b3340615395f09ae77b5ab20b2f277e6ed94b847155f128649b16a6c

SHA512
ea6779994d60b36f2d6ff92ed101d35a75dc2fc802e36d88e32d2fb2523701c45ab131211922ae50752be9c2aa8dc461c3c73a24c297d40d3528afc98ec3b1ad

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
792fbefb13313d63af564aef861e0907

SHA1
120000c0805ba0c7d3cf0b1aceececf305776688

SHA256
27db3ab4220ab3ee828d65adb9e9cbefecc4b4013fe2c34e4e8b7c11fa2886fe

SHA512
3b7e34d4e22a60b6e7660b8c31bc11d2fc8c9271e856bfa7e3fed23e57a8bc3ede5d84d34077f99b475f5e6446231c6ec7f874542a30f26be37bf94afc5ae9ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ce0d93d1fa9226d6c3798beb0cf8acaf

SHA1
dcd0e8630b7adf225b4616bf7a9d30c84330d115

SHA256
463c0dc64a88df9dc478d418a059e4cc0773078466c2087d8cc3fff325ddaed3

SHA512
e6412d1f612ffc45d81058c013a3f1213e76b9d184c33153d14ee42973fae7db3379ee0704b0077c9de287da6255f0b7d4ff0103084568628dba6fbce661f540

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b7b4432db940945049bc41beee2d0825

SHA1
029ff0a591bc3068327d225c06559066f7f62b91

SHA256
42707ac88cdee02b9a075fb8183a4551d05710394b2e249ff4d7a329b8f498a5

SHA512
f2afe16865b8f063b54856a7e3b61066c3e3cef716f550381b9c61529e275ba88ae55d786ce0804e3f0d480f188e7a2bb75f1860796eb12793fd9ca9ea0defaa

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4a8d7d78e72e2f9102ac03be2bb8486c

SHA1
cd2e9eb4523ce6ca81773ece05cc1f780d319735

SHA256
72bce44bf265671759caca6830ec1cc0e23b4ebb95dff942307ddb3a06cd9c82

SHA512
b2fa84d852929cb8c6a030f3ea372894b43f7370eea0ffe3cd8b29f4a561e79cf10503e6fc82a47a05cb12f04ef15da928a0905a144c4284a5b200488c10dee4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c186ea06c85843c7898861b366a60948

SHA1
235e95b9a53cc3c99cd7a2b36969fe2af5ff11a9

SHA256
8592b984c33d67a890837a3f07fd0ff90a57ef9dd1db82a8ac0da4d126706351

SHA512
63b1055f6d9408662b78006873403b41885217696fb0d4f66621da2b11e4fc931cdf0f4ed65e9c00522a5fc1f08fb65017da40eb00fc168ce9f14b4967377a41

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9063523e9bd839546219e41bc0b07e5b

SHA1
994bd4d4cb054a157b939c29367cae8be37f6a58

SHA256
56c59a33bc815208ee49efbeffd3f01385653d3a76f77cea212d1488ae45de1a

SHA512
3cc2c7696733c4ac4c27ff81425867c0d134202a8b1b2479aed575eb2eba1d9e33fcf199d9ac3dccfee3c521e9369c209e7c13e9068000494f2d3643efd0d920

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
190a6bba21ef5607c1a28dcb446e82ef

SHA1
f2dd3dc7701baf07cb75bfd86023830f4bdc3bda

SHA256
77e15142af432c23ee9072ea4dce5b124bb183d4a9215908b55699e5eef54096

SHA512
ac6395b0ca01ed9a6bd5a2d83bfc5f9a7115708e89d46419cd37978055522d92cc9898dda37d67fe5a726e4f6b16b9fd05ef3cdd92e63fc5b325b0a1e3a99c70

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e8a04736cc8917bd4b7dabbce98a4212

SHA1
284de8b94ee45b38ca896ea9cabe0a85cde6ed0b

SHA256
5090f7c58193d258dd821107a5193e279662bb74076c99cc04127d7e4712cdc9

SHA512
98d64b0fd81244fc12d853619aaf8ec30aa04fd9dbf33c2b2743bdd40198cea7e2bd9ed793db6b8cf3708947b2615aaf5a808233235d86d02634a13dc578c593

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d7bfb2e7409cd02430f899743870bb8c

SHA1
4122dbddc71d1a9075a47314a3e39fd8e39e828a

SHA256
e4d1066da89e966ed4d096d3a02fc71e5e2615eefe0b0c832dc8a2c4593b67d0

SHA512
8e47ad289368b2b967a6f7199827700678b1938d54f978a885b349c87609690ee0b0ba3f35a39ebb814c34cddfa6892cea93b9a511f5b853d4b5b59c29ac29c6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bf8e99075daf875ea607a74e7aec8d0a

SHA1
bfce8ff5da13f47bb39d1e9cbf9fff6b115df55f

SHA256
a464473a275ada28904a5c2fd020a25ce6300d54f08372d1f70b8c8f6c04f1e2

SHA512
b1505b6b5fb5c437ffdcccdb290ae1bb4fc9db3bd58a331970529dbb3ca9d0eb325366ab0b5b555bc2e3c742a1e8b631303a91651d33bdb0cd6d61ba62bf52f7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9e6049e4152e8ecebf8793c50bc06043

SHA1
d47dc5d482c60e19d3adf4d5246f4b406905d44f

SHA256
f2c74fdfedaab73bbacfa7d3a3075c8de22b0f30ce9e5d7514a75239d6bacd37

SHA512
a297375fe08bc1bd9cdfb8a379b8058638d6f9780dfc04c3df5468c947bb5a98f6d3db1a139658c4512adbd2648f84f004b1b06b14462fb754a13324846b5c82

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
575356799bab0759e3f8458c21666981

SHA1
5b3e77dbe6758ea0fa52a992a9fbc1e16c010ac8

SHA256
45cc1ea7ca4e1a413d1aa7ed5f6dbdc4db06014786ad854a6729dd8edbdb201e

SHA512
a2193f725635587adda9555e189f7cc03428daf29b4b97f73e1d2387ffbd4879756e69dfc75bd79f28af2fe7570b57c251031e6fc229e666f6b6e382d8489729

Download Submit
memory/376-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/376-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/556-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/556-467-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/824-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/824-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/824-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/824-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1240-104-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1240-99-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1240-109-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1332-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1332-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1380-32-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1380-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1380-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1380-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1388-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1524-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1524-107-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1620-94-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1620-87-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1620-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1620-88-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1928-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1932-471-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1932-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1968-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1968-466-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2116-2-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/2116-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/2116-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2116-81-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2224-468-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2224-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3692-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3692-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3692-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3692-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3692-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3744-473-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3744-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3936-73-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3936-79-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3936-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3936-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4476-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4476-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4596-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4596-472-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4604-464-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4604-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4896-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-465-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4896-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4992-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4992-15-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4992-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4992-108-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5052-381-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5052-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download