5fe75044bd68c08046119f8b2fc7c2665c872c376fd610de107ef529b2dc09ce

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Size

1.8MB
MD5

6f80f65af62afbbbe56ec76a387dd295
SHA1

b0997caaa7c30b4c0c6f675478af2a4912a898e1
SHA256

5fe75044bd68c08046119f8b2fc7c2665c872c376fd610de107ef529b2dc09ce
SHA512

1e8466d86dc12fb1ff46608b78167c1a49d15e86b418fea09517052590d7c25083f3018e5a88b5a166a0e362e5101953f958528cdf7a7b556d9146c063b3181d
SSDEEP

49152:rE19+ApwXk1QE1RzsEQPaxHNC70jIpM3kiSBM29mhNq:M93wXmoKa70uMhSBrkNq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3712	alg.exe
1500	DiagnosticsHub.StandardCollector.Service.exe
1548	fxssvc.exe
4864	elevation_service.exe
4424	elevation_service.exe
1056	maintenanceservice.exe
4480	msdtc.exe
4836	OSE.EXE
4908	PerceptionSimulationService.exe
5100	perfhost.exe
2908	locator.exe
4080	SensorDataService.exe
5072	snmptrap.exe
3984	spectrum.exe
1084	ssh-agent.exe
1056	TieringEngineService.exe
3320	AgentService.exe
920	vds.exe
2196	vssvc.exe
736	wbengine.exe
4136	WmiApSrv.exe
4048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3aa422cd29f71c5.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93515\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F01385C6-4F19-4ED7-9977-AD2075D4430E}\chrome_installer.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F01385C6-4F19-4ED7-9977-AD2075D4430E}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ab138d950ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca05acd850ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038fc84d950ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8b97ed850ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e57f0ada50ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c69e25d950ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b96049d950ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009cb481da50ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009475e3da50ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf0028d950ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Token: SeAuditPrivilege	1548	fxssvc.exe
Token: SeRestorePrivilege	1056	TieringEngineService.exe
Token: SeManageVolumePrivilege	1056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3320	AgentService.exe
Token: SeBackupPrivilege	2196	vssvc.exe
Token: SeRestorePrivilege	2196	vssvc.exe
Token: SeAuditPrivilege	2196	vssvc.exe
Token: SeBackupPrivilege	736	wbengine.exe
Token: SeRestorePrivilege	736	wbengine.exe
Token: SeSecurityPrivilege	736	wbengine.exe
Token: 33	4048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeDebugPrivilege	2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Token: SeDebugPrivilege	2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Token: SeDebugPrivilege	2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Token: SeDebugPrivilege	2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Token: SeDebugPrivilege	2992	2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
Token: SeDebugPrivilege	3712	alg.exe
Token: SeDebugPrivilege	3712	alg.exe
Token: SeDebugPrivilege	3712	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 4504	4048	SearchIndexer.exe	116
PID 4048 wrote to memory of 4504	4048	SearchIndexer.exe	116
PID 4048 wrote to memory of 2668	4048	SearchIndexer.exe	117
PID 4048 wrote to memory of 2668	4048	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_6f80f65af62afbbbe56ec76a387dd295_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:684

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4424

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4480

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3984

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3436

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8550138573348074061,7308779696487990535,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:5056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.87\elevation_service.exe

Filesize
2.3MB

MD5
776cf10caa2f529563d0cc9a246ce497

SHA1
861c60682f384aa8763a3fe86d5fb3e1f86edd61

SHA256
e998f67b05c9cbc8fe49be0ffe8c64604f1c83d2916bb3c095afd7003744ec14

SHA512
76f61ad1177fa74ffae579a15ebb528580f5c8b1e0111e8156062759cc52cbb6c8cc720d99e4c098fdac8cc2dd57b3177689fdd5e42ee831fe4dddb62387a096

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
b8930a1b28c9712e07c77ce40ecd44da

SHA1
51bd52c175977252246453492fb2d14a3092be19

SHA256
dcd902e87f6fbc88242b03f63a2ffaa3682b02eb5aa97dc36efaed44421ceb0c

SHA512
237b881e4f479b78cda8982790b5c7cea1e414a24ddac714642ab5be2b3fc02abb05f1e105743ee862ce09ec9081f4e0a4b143560e6267e8c7c0e784788889b9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
624371c1f573414c0b33db2777eb0845

SHA1
9f63ca2482b8a6e4a1effe538f88512439bfdda8

SHA256
06bdee1cef779a53ae92f6cbfd37ef3063b1bf5012bb6558d8ad7f1f99f24ceb

SHA512
bfa3ea9e143298e0584ef065c6ebbef1c9ccc9c1424df98dc3528e1b2a55bc73c2171875d9634fa5b56a65cef7da97885f2c508c705cb87f4a0f9a77cea6de76

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
829c69a6126219fdd61d6293282b47cd

SHA1
82dee433e63d47617254e1366477f4598d8f8b6b

SHA256
35fd9c3b2c4be84995d33d66c48d173211805045bf96944e7ea00a9b27358575

SHA512
8a91ef702ae8964575919101108ed9c6f7507e74b3eb6fb1e77ac1ef69c259f5ddcd34a17b73ecdfd72d8b8aa3d0eb767abc8b6cfd6b6587a4582b45aad531b5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c739722ef71cdc50754d27445e697bfb

SHA1
9e2a66da568c7b4b07611ac2af5a37df44f5efb0

SHA256
3073a921b8b1f83fc83f0d29c50c32cabaf2679d1bab447283eabbeedba85527

SHA512
2516f25e67fc775b64926f8953deabbe945a6b583be86512fa9731f83d6eb701f9bc80eb3601045fd12ed23299b1848cf16c1fd04a1d67a9b241c64f7b868219

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
faf76419fbb096eec019e23a20688129

SHA1
e2ecdb5ec68ecf3bfd91ec1ac2873e5fbe743102

SHA256
e8a2778e20d3ade7eb12f61859d49c9db6b4c630f6fc725431b65f6a1425cb76

SHA512
8c76947d993f7040fea7df3f7c94943247e74069433ba4c11f90f92b414c267399f17a06b6fad8594c8665714c4eeef196320e5bd93a525bc525c312b61a9bb5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
d85f32d8ceeb2f6f63678e5833607054

SHA1
00ed305842d4d7b381af15ffe3ffb3dded5c5094

SHA256
4ba4da68cf5cd4a217c733a2cb62b7eef025fe84ae68b2cb9655595e3b683eea

SHA512
e24f4dee53e541683352759b04c583e6cda598308032c0ed1f17abbcaee2505d47a312f7de3db95cb9430cf526165120c5f203decc7472836ed55c00e5f42fc5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8fed7e4d0841284c61a3aca78988b910

SHA1
18c71302e9b140c5f1661ce075e5735b73e48baa

SHA256
a768374767b091aad0d72f19591911f0fe84fced80c4e10849012f2e26fc8c46

SHA512
6928b2efb10d8b31034e6f7e5e954d0d78ee80874bf86b48553adf9836f7f5cbb1423f8c169401f438a40b90fbaa4b033aa145ad253cb7f837bec6787c821276

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
8a1abd6176b77c33dc9fb60a23b7c285

SHA1
031178f481d7e3923b39629b42e7b863fc863196

SHA256
c1ca196227d2b95bee66dd21c12e59fa1e1c02b044090c677cde663853a46519

SHA512
fc4b106612df3b676a841812d88e1d669cd6d35c62b84e60d90027f84d4501390cf7302af10d9d153610be29812a29c1be50ee3f780fc7f6d1d420c3d30bd846

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
daf616f6f6dc106bfabe78cdc42a2354

SHA1
791df39a2751d873d1a1589126fad8af65637128

SHA256
e7ff4452292863badbf5baede8ec74b418c9462ad28beb3e2436a86ba9477020

SHA512
042ccedfb9ee9b181d8c810644b42b0822540c3253cf40062227c874d2ae5aa0b972083e560e9f6f4153f7c47ddbbb505395688c0b1b48d1ff4975d752528625

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
db93cb900ff421a5c24e00483b5dc443

SHA1
3f8f33fba303741f88a95a03738994fd98a05e72

SHA256
affa615e17c5e1c95188fe77543bfaf3b118008997b53e066c97c1da5e640b6e

SHA512
7c4ca48bb29e878658aaa9559d29143626256bad221ce122a0ae94059a6cffbbe5bc29e11997a8f95215689b6aff526c150abd7a614b9e239d91152293094a62

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
421524aa275beda40c8a62c01a560bc2

SHA1
1ffadbc877f826975d4cf9f9ae9a58b021f567e7

SHA256
7b0bac2661527150cd40657e6d90d6290d06d589c0a6ef47d012ce2a4ca25565

SHA512
660b10764b13b2b9d2f170183e9c0fbfe2b8b44a196fcac1a19132a6b75912326bc82fc6183905f08bbd965a6b57ea5527d6286911ba3a96f3040ce26dc130d7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
520288e78d886a4fe01e15300efb3d66

SHA1
a2e853f2aac97a6eb1bdee8fb9dd43f51259f19f

SHA256
445cae3f74ff249452bf8c25b8ff800f906abdfbc63a8aa04c4695ca0dffe9a3

SHA512
796db1720aaaf34565dbc8073528f0f90425a99d02fa3b34d008b47b0a210f78c3dfd2a3cd2e0c51afb9fb6f7d988deadce69de021254fb2914d1b2ab335f48c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
f987df7c56fedaefc2b239a03c326fe1

SHA1
84783ef09f1c7caa4e64e5578e24d774423b9691

SHA256
99ffcea26a926a9bba331e0caf73581ac339b2bc7bc52589463fc99653effb12

SHA512
bf75b8bb35bfd5743735cbfa51714b34c31d19892516014b2ea9f2f6e057a02159977c0f5cb06b534d722355165190b0919ff020b6d4b04f672f4742073c3f6f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
09806c08b4a1f612d9e40f504288845a

SHA1
ff6a99cb7f4f7e7d9755ad9b1eaeeadaddb19c3c

SHA256
047d1134ab862d991733f1db978b3096f089efb310cbf399c290a383d08ae9f9

SHA512
1be8363decf628a723721139f32e47f087041ce833f655d0ebb3d6d8dbe51a005d4aeed61c641b7ea5fcf310e97aefa59d2451b1b0b523ac9ed74ffba8ece1f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a7e67e47b814363b5e204e2b0bbe625f

SHA1
4e64837cc34ed32deb62301915c4f99b07db1398

SHA256
15725be9766ef40b34cae8260abbae00c1ff2009f942c725ea38cf1e5f86d4f6

SHA512
12bdf3626f98604dd335dc85e2c7a27ed001cbc31a209d8d6b9dd8dbe5fa2e5ddac3a24cad86fa6f7909a26f57bc8fa459f37fcbeb09b82e269382a578c7e8fb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8e4954d423d461d4313ab33708f22474

SHA1
cea59869b7f181fa852bd55b93431ecd057ac155

SHA256
41fd00716bd7f63ac7ec63f7e3dc4bd239d54ecccbc37b224a37bb557b611d03

SHA512
9e6a21fe86221f9f3c1a10e5c81aaa74ee862ae562117bf599110063c922c920e42c4ec81fff7aa1c37ed65aa2b26427f680314fd575917ef86b6b93ec354884

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
5f9b064c66c3e8fe38a72019ea991929

SHA1
12b24589c6a1a2a3bbc89c9127175beb443b065b

SHA256
d5470715cdf727efb82a39550204282f13d471b3d18d0a7bb0e087c2814b4910

SHA512
0cc5fff41b83659085e6f615e5e82fbe2a6671a591b6982dce220aea2a3cf0c306dc6bf804b248856a1b6f0c8e94ae716e959ca546f9f48b98b3bbd4201a10f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
06b2f9de528e901c621ee69bd37b962d

SHA1
7f8725ada2ee15341bc5e4f0487fee2a91e9d77e

SHA256
f1320e22384530a7ccf41bfdc30af1ee28ec4ae3362f4b5ed41b34d27dc83416

SHA512
132331c70033c8098de5098352a2b33f95b7c1518d235ef5b16bfef1475abd564e0f8fcdb7381b135aae8888c5211f904fb2c39feaaa9f80e1e86e444a0d6c74

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cf821071652a0d699f0df3c10d1c6ad1

SHA1
6ce1b0eac1cf9ced98831dc378ebebb28bd5729f

SHA256
3b09959bb7b75f044f977f654bbed93bff98acec17bce090b127ae2c35f7f677

SHA512
baaacb5468688e06435053352598d619380954bf99108f2a2b776da8e1ad3bd9633b486d8e1ac3721f2de0eee4190a59e1a04e7ea8bf4549078e7404554e285b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
6c64e7055e258e92c11764351c55bb4f

SHA1
86a5bfe5da1da1ed67cfd2f253a435f0e18cc5bb

SHA256
3fba89bd4651193e67b98316abeceb7dd164c39e1e0f8f92236701354796ff71

SHA512
d4f181db07a0e951519499686267507714a9a71ef3fa9b24b5a69dacdd9c6c3687c4d8fbd9370d2249baba79e6c17b25e11a76b3e0a0ce5be673380d828f2d23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
a62f319134be34c95a8fa4dc0e78df5b

SHA1
af4f69f7d1ba76534b6ee57d0b417cc26e64f3d4

SHA256
014ce16491ec3dbdd0079e82707d5a3ed5eec72af166dc7e48240782ba4c768e

SHA512
3c1f4f9f6b9b38252bf954d32b28ad60155079a6a597cad6b3e7f63aa4225c258db94037af9b6ca2e302223944af50a2f4a18d0f3b372ff8df88cd480832151b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
ea8cb19efec322d5c4674a75bc9453b3

SHA1
5dcf459845fcc170c55b92cca4891f68059a8ea4

SHA256
e9c9aaf13965ff2805425a9a4bd5e72064361de30f3c15037b93fb8597886656

SHA512
f23b86c225ba892de4801382b9b5795bfeef25fd00fa65d5c9e96221515868eabd9e39d54633de28d7a05afb79546368958482aa2e380595e4d952476079a386

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
da3468a971a6808a35f47e4196197341

SHA1
d573dd5975aa79f15e86f703c362f35d655e6139

SHA256
04e6d7be42076f25142be07186452f4ee7646f23fdf88c7ad47b071c238151d6

SHA512
ffe7a6576a09090af41bb7ec17f3136894d361ec4ea401e0eb9cac4ee2c936198316a1284e003d67d13a9d8bfedd231d17b931378133ec6728115dcde1645636

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
e25ff1030af0d6d9218199731a654039

SHA1
14bf78420fff5f985ae1e41500cbe36d7980912d

SHA256
dad2d3d1a55f4d1645687697c1069c3638198dd94844b790a8a9b84c81b9672e

SHA512
5741bace21305fb68c2945e64115d62be26b10a37fb077b457e911b1c00ac366e3ce68f86d3c01d7c86d721fbc3249fb5d3c4914d17af1e0ccf40285f526d655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
3b0460366d8d191b5ed2ae182c194fef

SHA1
06572f796b91727df1a2afaf9980d8460f6d232f

SHA256
67a30353b0f580a249f291253de35eaeb524b5e90041c5217337865069db250d

SHA512
c96f6d9dee30170a4cf198cf56d300511b2ae48dd3a675e58680ac7a86aa62186f5becef75211df815150c447b3623e5d387be801598fff4c682bda7790e28a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0f40750a6126ef1ccd6bb7a27782fda9

SHA1
c17d938ea924af9ae0a93d43be0367a6d6f31d80

SHA256
50ef32eb7d4f76c76d227c1dfe90491c16cc73eb14b9eabc621b8c257fed9dc1

SHA512
6799c06d49fd6c5fd02cdc6d0aec2a23f6c301627a49286888201a22665b3afa64dc34f36e39d825b8f297393f30cc2de36f51183ac82be5cecdedce35d12de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
cdff47f8cdb938afaf8f3d0b9dc1c6c7

SHA1
cd7603728e056febbd533ea0e7a9e5dc2953b73a

SHA256
b371c75fb889812afd07b76896f4a9dc69875744cbf0f69ecfe3176d6e296414

SHA512
f9ae42811dd665011607a9f497da136880fae00efe8e5a0605756da2eddf7e9d877632138aa883b142e1801df8926efc46e1649587b6b7a3fc6f97cb9b9b82f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
054ad12cce43662ef628827c33d2dad0

SHA1
4e657408901c86a8fb212d344076e349f16e22e1

SHA256
eceeeb1a6e57a44e13918df32a692a56f07df3a7b415fb186edf501f09461df1

SHA512
726bf77cb04d8327cd11e0a0f10209d7c7e45a45405287b1545a515a21502e84ba551fc23ddbff1ce8d70622415460dfb22648ceacd5cddff3e5289461b8eb63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5d6864b5766b3163ca20e90106f17fc7

SHA1
831bd3da089a574b816ba8a2dcbf7614ac84a150

SHA256
940804c3721146b42c0335ed441771be102dcc7e27801ab97d5d6c642f7232b9

SHA512
70b531f0164d88b2153c856ece31cdda01829dd57dff708f18b349c40ee6eba783e39e2983a0543483ad96a3f2b620b0462f91a8354294e86f998a327f157761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
c14148607d0b632883c6703cd66ae6fc

SHA1
9ab6ad9ca66283fc30be37f7422bf25e7180ffad

SHA256
aa089f5b2f7f05d71338dd6f29169da3324e7356eb0005582b2147b39475e4e8

SHA512
cdae30956be94c3e2b495d402688bc0687278e6ad3a23d1b16234f13af1030e0cfd0efe4ff2864791c81e589152627d44979cd9b12fead124a440b7d04544272

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
9025691a0e52921b93308c0fe8683037

SHA1
4da26e8e5e6f373b374d6a44016ebeddca3fd93d

SHA256
00137ac1bf9aced03cb43b40396472b4cfff98af47b355a6b03c4ed5afb92edf

SHA512
2f62d9976568e485815279b583e39c9d2c3f9d4f73f9da42dd7a9fe1a35bae77bbd186c9e539c84b66a1c2ffdef4081d9a93fbe621525cd86660d205bcd07586

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
7d9e0e950a1db9eab88f7e64fc87cfe5

SHA1
c18b109c7f9aa70e84153cc99cdbc60b0cde8ec2

SHA256
a10431593b11213680e1764a7f2f865fa8cc17d0d3537c72dea4e1e2cee2f5ee

SHA512
04baa7987fdb36bf3a3a91d55f0a46ec9c2bbee559296c6d25e16fbcb5106c776eb0837dd58be39c2a2610e569cbd474da79afdac27b47f30ca46059f07538d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
344b7cd13827013b818920281c808f3a

SHA1
411d65b2280afeb61e0e2eb35049a5336f52d228

SHA256
d67b2542d9cd0c6af53d77b5f46a30258a4d53815278f859c8274a783fd772e3

SHA512
4a359c13d3c2635b635c59d9d04ec92a5cba346e6839209491c2079b178d22f1709f1bd83da1e2df1c1e4189f075f1928ce16349b93b7ce6305450a4487636b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e3b6e7382307b258feb8e61f3b1dac55

SHA1
56f5ecadff997b220a834a7f0c9e590231617f48

SHA256
33ddaef1ffa45c085156fa66df7af62754a4747a50d6eaa8abf2416120ddf035

SHA512
b12821d591874cbbea961700ea35901ddd7b80272faaf36c4cd19d649961197960a91c88a4a93e0364a0c24d4532bb637776572a1f24471f7fba78c990b07d0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
ee2368617ef38e804a98af8b08e045ab

SHA1
2999ea8c497e3c8d720b913d4ddccbb70b44d865

SHA256
c4decf521e465071e70d78343e8c4f95a0f0e25aeb7f0a35ffbdfbade96d5992

SHA512
b68b144ca1b97f2715b522012a8f7448bc8978035604dc21820af0975602add86d4a0e9b374c6dcb432e16c2f5e547f2f7d5157dbc43717275f0572a95f72ce0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6c1fef23719396ad7fe8582270ff296a

SHA1
3d9b986cd6dafb97ae9488a44e786395d032960d

SHA256
18e3a2525b30ca00aaf5c255104eab3fb126b14c61e5abdfddc08337aa9632c1

SHA512
4b89612e94abac6a1629b1ea14d945b092e6f5b4bd06803f2a5357dcb76e809d3b1eb1a9c9bf0886a1f848eeeefc65381329306c7bbd85051b37564baf02f91f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
771005e7a37fcaea11df5c7a795442d8

SHA1
fdd0a021b99525262984cd81bb7993421c6f0097

SHA256
ba49a9578544c35f0714bbf9fc087f0d4cf8d97e1f4f0215c0c938b6e2761ee6

SHA512
966e9553857bc8db7aa49eaeb1bb010f5427a823a7b3a2e4632ffd0194910be96ec7c6d4e919a5bc39a7bf6fbe0468084d983cf99dfae90a4c52df8887ac2062

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
482aed2cd446e470f3ce19c7e237a0f0

SHA1
796b2a3eb46aef3f08f387e7235083bc9498619c

SHA256
a9c8279168a533c7efccf96a2986d2d4bcc6df4f95239755feedf9062ce5145c

SHA512
4e2d090658e67f61722c1b6f8a2fe6e469d66b6caa17ae0c3bbf293906a728dd18a81ceacc5688d0af61c8cf29a48f39f341d033711fd0932405b01598f0ab06

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b989d3c9a2517da7d603a95590ecc31

SHA1
6e73dcc5ef9513a6dc8604bf7481c9b1ca9819e0

SHA256
d9f4cfba76bd7cb9653ff86789fc2517d2fb2e66b3a871b732b0d2dce883092a

SHA512
2cfbc68fadb46fc9d02d2e4db4526919614bff969e4e6f4ae8ef892977b434fe2fdb978fc882dda7daa57e6c09a6a21dab59bb5cbb31ad49e5e30685150bdc65

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e9bcb892ef6a6ec154c4448620062b62

SHA1
986ec2288c26d86e744e3242b41adc905543f283

SHA256
a8b81be54a09c0abbe7ef1830223dd34003aa931284e9449a4292f1dd8c8889b

SHA512
fb5e192c4456268a54403d5dcbbfcbd6df4fb4b83bd234a02d4e211834f4632eb54632a21aaeb4fbeb66a5df93c0fa31cc761b78c256fe95ffd9ec39430c849e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4d1d839394bf4db3daf7921be66be6ee

SHA1
ec4c0806b5b6728475ccd82c2a21f2ce542a9ace

SHA256
dc5a091633ad70094078c620f8bbfb5088ebd035c743578f6337989e73abf289

SHA512
16becaa9cba0c6d02884268637ecf0d047e399f9de0f63e52364e9d42e153d9f3ec847d6c3e03c15d2242d1f8896def1b2b48b7b421e17f39ad7e4b179a8815b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5aa5d7fc75d6feeb469f347f31e8a05d

SHA1
90eb9d1d5845ef7dd1ccfc58655758a09ca87a75

SHA256
dba82f07c31a3db3147ee7e8ce6a238926be7cfc1223b87a425b8ff9d80fc702

SHA512
8ae8cbe373c3a531d6f5f1f20811381307d638e215ecd900ffeb8c37a65a4bdb631fb927a46b04f20a5f434ff4cc6012d687dd72e859809a4a8fbacfd3b11f19

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
e459e856a04d057a119c05cb451895ac

SHA1
e625780a9d0231a73a826b7f390b8b9a6db69a13

SHA256
87b13e8875b0756a5f4b26cdc6e1c469085f99ccd095066afc52f8a72f73dfaa

SHA512
85a56c33e0e3a208b716f6640c1790f88c2128c5938353a144abebf04670255bfd55ab4576a63c8bf73c9468e43be20af50edf3a5e95d8fc805954d6e4dbdb22

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
951b76a1eceedf1852a7958512d6e535

SHA1
1c0f6f0f2f525bf9b54797a8a8d788f4e7918871

SHA256
c1fad44105993acd8430affcd7bf56bf605cc561017f39a1cdad5d375aac0e52

SHA512
6634143298f9b92c0708acc6bc1490de39db494e341eed8fff0143b69ce9a39034ee120c8918f749821b28684766dbeb467e5e018e94f386426ef74fdc1041ad

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6e50f166ce9a4163f1b40f5b71973442

SHA1
d61e7ad00cf69cc81e5a94d43f7819598f23152a

SHA256
f969d358cec448d3c18b3f65c1be74880b746f601481b8245e153f196abb931f

SHA512
4c4d28cbf59e691b5edce687ae8ca448a776e9bca517c9c88bbc99e336231f6cdf98ad76af0bbebe0cc1fe3e087d95e53af107954d2e327d92c1c023c351bd34

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
abc7fbc621312dd3ddf413865ba5cf55

SHA1
645ce9416f58ab3c8a0b078e16bf960af368205f

SHA256
14d46439011a0f01603e3590ad43e728affcd7f22ab64f00f54ebd350dba0a01

SHA512
f60518fc1ec152102e7fbfd70263b88afa83fba044ccdd123e9cf08510bb6d5241a06996dc9917b904bf25e546fd1bd5d5c92d99535dfd897570a0f9d2b13e3f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1dcf232842a78ba5bf7250fb7232441c

SHA1
65e647981203a2b7619dea18082620acb40d725e

SHA256
27fd0191763b90f9c45cd4c09e1e8fb3426e206db80522532062c2872665cba7

SHA512
1fc98601720c5ee7156f735966e50585ba063354184c0d015bb11e211efba13d72d0bf1d3bd10a851eb4a5d4ef3d3d614ff813b240d2b2dfd011f9542e71826f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
4c50e363ed60132302ab727b4cfe4820

SHA1
9f87b07b6448907bf105ebfbeadc20658fc37e59

SHA256
d83122ef25fb10581f0f2b929adaa0ba0608e6fb3a5e631da93e0925a3d4952b

SHA512
f5afd0c29177fc3f95b082d3dd30861e4047d7ca12c20d3656d36cf798256f57c97a0d2d45c2bbe4a469b76b663b419df7d344af7e5661186f2e55e99c460b09

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b36a8ba0186ab679459cfe6463cff9e3

SHA1
2473493bc5bba3fed8a159e1bf426a2e2fdb3ac1

SHA256
29b0c1b1f01fcb2ffbaeb942f9df7bfc92ed595571003e4de7210857b4a17c88

SHA512
00dbff89fed09e4b05b4f611a79d9d3e0b00705ff4d0db89446af9f362606238b65d73a79cf45d97879a79b7d330dbae4e7c08197778ee6f3a6fcb4c0888632e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
bd99ee141b813a3ec0769f4251241e70

SHA1
d2fde48a823b18ca3e9c191624d915acd212ab0a

SHA256
14ca84d238503ff71860a699c9ac7b479080f7dfd8c8cb67c1ef4b276f44d459

SHA512
7e53d634511c919cd4adb5beeb913d9fb06537ec3b954c5ec357b53df34d7e0d72224c33aa3b666e3204514097a3beec3747bae4cc223c808daa5b578b5e4f46

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ab290c8ffa67e436abcb9df22029568b

SHA1
0444347c3bda6af2c2a5af1d4dcc4e3d287caf88

SHA256
c8b0d2920a923064bfdf73c39e8cc52444ba89909c44d7b52c3eac2f4d1bf3f8

SHA512
5bf801781d676df5c4e0c3830f814e77db81066607eb5a00d49d26bf19c868b2bbdd56178f99297d0471b4bad2e91b354b6b7b8f8e795d51ba080806c9cc50b5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8bf4e570416442f0e6a9be90caf9252c

SHA1
6a66d7641daef3fe3f6682be546e096bcfc04d69

SHA256
bf22eb96b5101979a63138d113f0db6a0c1ef97050a632b8323506d9dda89ef0

SHA512
cfff66a25840401a0ee5f40180681160db1a63f8c7c2f88f2b909ed8436037babc8cc2e8dff38149bf12ed97147de66933aa543f520c4a3dae04e4d3a5e3c5cf

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2aeb58ba7fdbfeb29439f94186aafaa4

SHA1
c03147c3cab4f9579322ad0981a65da44c47a8a2

SHA256
957aeac5a520c47c713097391acaf170cdf42bb4a2a4c6b0a9a2ab3ae83ec23a

SHA512
63b6f08edda502dbabe190a6753f26558c046e50c55b778698abbfd615889d72c149d1adba54a62500dbe9fba273a5db425129e6e178f9df1c45648052af16dc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
5864fcd4397626f8f292fb61947f2d24

SHA1
8437231b4081c4e9a62776e8b7619de6e036d3c8

SHA256
ab684e291a6c145e8af0b85b6b4f617e64a3d8f23da3677789c8fc4c2b956302

SHA512
aaa93ac0d9906f9b1f711084d7c41b1edea026bf05ce91f553f899d0527fde4481b7ff9c1259278a235354eef57fb9c1752e81116683173dadb5e1ced82494a3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
42c82293c3e25804462b974fa6425837

SHA1
8c7a7980aecce5186f2b38b988402df71811657f

SHA256
a9cccdb2c9df011d4d83e48cc373d076ecdd261387ed138d02a00478fa044be7

SHA512
71081531aa1596829d2840066bdc0b4ba82f7b029159517327d27d0e47d36b13a848f1219e56d691c75c612878d8aa7f8ab177d41977a208ee6ff8df7eb50d1b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
da3824479854972a0099be2100610139

SHA1
bb9ed53bd7b68bd7c3c1ffc3a4124f0c7c05b3f4

SHA256
af7c371d1fe500b13a229da78361e7e09a2bbf5604d5e61980758f2cbce185ce

SHA512
d55b63525d1bdd8bb1bab91daa7cec8a091092845bca0fc4fd7c86a0bec29faa96f88e7ec806c7bbe1179b5c7b1da34f1f3ea76706a0d7a42678b665f57f92bb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f5ea9c8c6403087f37326b15db799659

SHA1
8e5bc0b7230497cd49c5058ec44681c7c4349752

SHA256
ee07213bdda60584da233336323469e57182d3d3d5857454afcf7097683d9e31

SHA512
98c15d30b895afee25cf1ef80ba692e5aea94bc126fbba1dc6926bc9e483babd9d90faf02680310024f798d87a90e04fe5204676e1cb1ba86e8d5e207b39afdc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ae4eef3f012652fcc1423d59655cfad3

SHA1
db6884c708d49dab380afda315bb451955032da2

SHA256
402c07f35a2744fadeefd49a54d0acd6e28fe55e1bd542d3c2b38c0ac37205d3

SHA512
1917ab3af9d822f7726fb671ec799f4b1ad15b1e1e7c6f0d6eb5e48f4e08e68948c04958d1a6672f97a09231b04bbbceaf451eb6e2be17327c294e675535e727

Download Submit
memory/736-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/736-551-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/920-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/920-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1056-88-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1056-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1056-84-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/1056-548-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1056-206-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/1056-76-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1056-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1084-188-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1084-543-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/1500-33-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1500-34-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1500-25-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1500-118-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1548-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1548-62-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1548-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1548-47-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1548-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2196-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2196-550-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2908-261-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2908-148-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2992-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2992-75-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2992-1-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/2992-6-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/3320-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3320-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3712-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3712-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3712-91-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3712-11-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3712-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3984-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3984-472-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4048-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4080-542-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4136-262-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4136-554-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4424-71-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4424-65-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4424-64-0x0000000140000000-0x000000014025A000-memory.dmp

Filesize
2.4MB

Download
memory/4424-187-0x0000000140000000-0x000000014025A000-memory.dmp

Filesize
2.4MB

Download
memory/4480-93-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/4480-92-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4480-210-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4836-112-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4836-225-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4864-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4864-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4864-50-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4864-182-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4908-119-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4908-237-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5072-171-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5072-413-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5100-137-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/5100-249-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download