cf4d75f0e41833e03705099bb71806ead95596c6a559b9d813ec0fe2b7618f0e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Size

1.8MB
MD5

1082c76d4dc698f3af7df5b3cb3e0a65
SHA1

1336be00b7228ab1e08875be8f2949b4d0e273dc
SHA256

cf4d75f0e41833e03705099bb71806ead95596c6a559b9d813ec0fe2b7618f0e
SHA512

e1ce19c21e5f320fa85715cd14b82b8420af754d85edb85acd17efb8c31c21e556328287d915d1433067a821a62ae21361ae703d592bbc863e4e88b6fbcf5a05
SSDEEP

49152:QE19+ApwXk1QE1RzsEQPaxHNKN/j2U4FH:193wXmoKSj2jF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1828	alg.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
1144	fxssvc.exe
2724	elevation_service.exe
3460	elevation_service.exe
1840	maintenanceservice.exe
4772	msdtc.exe
1028	OSE.EXE
4620	PerceptionSimulationService.exe
2412	perfhost.exe
1060	locator.exe
2144	SensorDataService.exe
4192	snmptrap.exe
1032	spectrum.exe
4844	ssh-agent.exe
4296	TieringEngineService.exe
4324	AgentService.exe
4696	vds.exe
3288	vssvc.exe
2576	wbengine.exe
3768	WmiApSrv.exe
3532	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\465149c7c9b3195.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaw.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaws.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000278a58a325cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be3b96a625cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b07b4a225cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d37be8a225cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000643ab5a625cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa3988a325cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe
2424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Token: SeAuditPrivilege	1144	fxssvc.exe
Token: SeRestorePrivilege	4296	TieringEngineService.exe
Token: SeManageVolumePrivilege	4296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4324	AgentService.exe
Token: SeBackupPrivilege	3288	vssvc.exe
Token: SeRestorePrivilege	3288	vssvc.exe
Token: SeAuditPrivilege	3288	vssvc.exe
Token: SeBackupPrivilege	2576	wbengine.exe
Token: SeRestorePrivilege	2576	wbengine.exe
Token: SeSecurityPrivilege	2576	wbengine.exe
Token: 33	3532	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3532	SearchIndexer.exe
Token: SeDebugPrivilege	1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Token: SeDebugPrivilege	1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Token: SeDebugPrivilege	1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Token: SeDebugPrivilege	1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Token: SeDebugPrivilege	1416	2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
Token: SeDebugPrivilege	2424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1836	3532	SearchIndexer.exe	110
PID 3532 wrote to memory of 1836	3532	SearchIndexer.exe	110
PID 3532 wrote to memory of 4588	3532	SearchIndexer.exe	111
PID 3532 wrote to memory of 4588	3532	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_1082c76d4dc698f3af7df5b3cb3e0a65_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4052

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3460

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1840

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4772

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1032

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1836
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
310862d2e566d016517a915ffb989829

SHA1
f22f9f066edd80426bd857634a382b4703ef8944

SHA256
68e63cd6eca7b6a9edbb6cd4e1d18d5766d504987f7c24c1732406ab5b8f1496

SHA512
3ad3b8ea612154c837b6dcd7a5d4fdcf2a994841eefbc91da249e7d9f7f3f9d34748fe959e5299dc0008368e88b31859a97a8461c26841415d0fd0ca19aa87fa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d4783a34b4f8c191e79c3fef2502e540

SHA1
680ac143712786050fbc787b0ec6ca41b3b5af97

SHA256
e24d4cc9a4fba529214798afd752b952df7b51fd7b716a2227e3eb17be31d953

SHA512
4201d74b5464ca8d3145a8c582ac5210897b73f64af919405add5c9cd2e9e1f7a5e713a0c6bec6017e01982977986711f1eff9d91ee03c8bd10ae1a963ce2540

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
566940537b0d02cc2270a650a0c98893

SHA1
8c2dba96e071b5fc861dc0c3c290a6342b4d4a19

SHA256
f5c2a979fa41ba57bfd4dc08e1625d74434c661b46e1696647f58b80cb7bc18e

SHA512
f4dcaa31f7386f6be9f0a8efdd3547705c6af69ca645362c2e23453d3d4535329ccaed730d04e81884cc0f835d06329918b28803bfa41e74ff1cb2eb9c09e267

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b49e1e4d2ae416c2d38f9bfb2fb3c620

SHA1
e5ba6b073b00fac557c7473df2283deeab42a601

SHA256
c2fbc48a046c7a9a0648db679676a4d2c34fd4c8097595ce32b4e04f62a86d1b

SHA512
e4f0e976567de08a3cc3aa3e7375844df9328c4bfa7be808a86f9e9d033e6453dccdea85aca65977aba1fc81aa76cf4da32bf357ed1b92b21630ac1b4f1a12e2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4ea3bdc3e4428f30a8840429333140d2

SHA1
6c89dbe62c280299f3a0498f96ccadc2f7534304

SHA256
95b3a4ad76f26bb13229d61328e5c22953b1b7507dae04e3d5d36f71fa7f48a1

SHA512
34910c1b99c7be42130ff3c913a530878d5b262170bee399a747bcdd56072e4390e32e9e62f67b709c48f158f60e992f0a7f92d7f103f7ac616f4569f40ea387

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
223c29ddc11844c50c75f0ee85de25f1

SHA1
4578bd0dcd43996f465f8ea8d7dc71e7a10468ea

SHA256
f43c3f470fb09b06aaeeb50cfd71332811f6bc59200993e24849f9434602ae90

SHA512
54aadd80cabc5c3ef01e93d84d1bb299a43e6c183f6c7a4842b3631742af7a898fae57c208c129c81be91d305be9003a0c9bf702021c5e927e7e70fc85696830

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b81e31a378c5eed5038d2f941e7dc1a5

SHA1
fa2156b2249f1edd6d3bdbf308488e7999392758

SHA256
a1b45b59de8c65a7354debea04aeb531dc14921ff144e2043d30398166db679b

SHA512
b4d0679501288e327c99f5d51dd579e464fe17b98e3b7cc465c86d3cec59b67d9c06284bb87fd853aa10d9d9a48025fe8469035129caafd4abecea1592247ee1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3308138332eaee46aeac3f1c25c824f5

SHA1
ecbe7148bd9f2e4f1dd86d60f9ff8019172de04c

SHA256
c1895709ff5f050a9c34eecfd3ed6d18a2ba8729d73e9583870045ec8578658d

SHA512
5320f3e556bd63b707cb7378aac7595d6c019acf23c523bf5561e47637e4b2f3c26c54809f89bc646b8889f833373c763b7bffa81dd3363060e96ee9c43a9adb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
6b82a97a8a3011a04fbd5d9f714ca853

SHA1
ddf317f9d0e7b97c8b4accaf1c8e8a48cc50b4a4

SHA256
017edd3e0dd8453d7562414fd62dfd693e8f937cc2465d03d43704824d72c5a6

SHA512
4bef668ca3387013a285a41bd6c0098d1de2f92d683ea9bb354a00e6c2512d4e924fc7c65ef6b10500023bf7fd6a9feefb5bd4d250c2edbabd35e8c0d1e6dec6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
544d8c2f02125ecc9db7f182622b0032

SHA1
8790882ac885b6146ee9f8f6549d681282be9242

SHA256
e544edaabeca72a0eb7e2186418df1ab379594ac38c910c7466b625a961268eb

SHA512
c3db2d101063449e7893928569aa9fc7e90713a1e42710587365e9c6ef2706be50a82adccd67012a7de11921888907e7009c0b6f7feab61547c88d2ee347e801

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
72534223ecf06dcce50ce73d4eb58fbc

SHA1
e4c218804680ab1d794c6401e8de5f94d480fdb0

SHA256
7cc0a14c5c7a64a565e24f597f6ea01d416c271e35c95d5e08b8eb8986281181

SHA512
82a635fb7df16df1aa7ff6c26186c58a49393ea2f2411806fa260af474b3ab7547456a7e7a0a31755460d4eb09da1f6e38cdc9aab8163dcfdf61f678887dc09c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
df15b88958e95a76fd4a4b6c8942a033

SHA1
27397d51692f16a77d725e2b2fdd609c142ef6b3

SHA256
1225bd7de7c2cc0469ce1d15c834d00f24c2fd4ab80b3b2c682947354e0f9fa4

SHA512
796b3b49ef150e8074772799c83c7138b25589a281c7b0536febfa09073d7ed8d74ac1d8af73b81e0aa90566a97971a6de4b2b23f4167cc0d2e3d40271c5815d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
62e124821d02f36ae48b1c5cb1d8c47d

SHA1
237fe65d53189b65132908c40e101bdadd397384

SHA256
56b3a4bbd2e9560dd6b5ef11c56c8cd22c31a7eb76317f8b6a6c9efc6b06f4bb

SHA512
9a51079c1b588d2f1652200b6cc20d48a5c3e790c1717d117321104ca802d041a7bbdaf6f4481392ffc6c04294fd565f7c4449cf80199ded8964f7b8d61e16be

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
891254866c1750514f8b30149c473b83

SHA1
3f6721d0df4d4c95e02c7ccc6ad004126f27b985

SHA256
1cbd3dce4d3dc7a1a7a36cac71d985d9977165db546f8b8911ef9bd3a878d197

SHA512
7f66c986b00959ba3afd2baf6a6b5b1761243b4405e2c26d217a5975fc0fe3f0cf7a477813ccb93943225990bb2b1abdee6811350b86ff3307ab2344c8eb4194

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
220a2e943e01f20750e1a50a5b19f5d7

SHA1
4307ad76af93c42cdaf4043a050c17058c08a16f

SHA256
94482b0ff4700a65014dbccd279655e906c2e59b67d753ac3910b049cf330a0c

SHA512
7caaff06a3a2e63a5ce07687f9ba44b1b6276b898ebff018bf5211b86d82fbbdb958cb179c79dda6a8e52ffdf2045591c339112996cd3218c96e411efd15e8d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
411757da230543ab3943de3ca9b7ea82

SHA1
d7982e6d4f0d0880a2ced003bac5799a2d556c63

SHA256
2bfe9331e87b623127c4b72b76a944193481787598a6b9f202ab4deac935f6c4

SHA512
9222f1e4173161940b6f9695d643d9eaf5ff15e3ddb44ff2de0f7b0ca7b254be1df4611cdcd23c605034513955b00f1053a9f25ac2f7b6f966c9efb6607614e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
82931498d4729326d80dd9213ddf073b

SHA1
9e82aa3c845e59172268d4cf031f1bdcb775ca3d

SHA256
74bf347500772459209fda0c95a4d8182ceb6827ffe4326fa7a85c64dea3f256

SHA512
a5c4e0d0d05d1a48ccf1a5154c4e33ac98af14b314a5262315ed55527a4353b551daa82781f6e4c8ca73d2e0a8513c680cff7ec4f30538da87f76c28b0442886

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8227fb8e902b8b86df2e1447be375d62

SHA1
ba93b9889862c1cdc3758e0683e9c8ad4de01cfe

SHA256
e7ee610dcc1caab7d3cfb755e8a9723124e85561a528233c7fd8e867255fe834

SHA512
c5eef5a1348d2b08934a4178356e53629ec4ec33dcc9152dfa2107b2fe62cab25cdf73f611036165ee37ebce89ab6f3aa8b08cddee4016add559b98a6d8f2a73

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d05bd44aad04112943c5f3769215a4ae

SHA1
78c4b3f926ec1d1952f914b68b374c963d1c3cf6

SHA256
4d6d5d09555d4b4f0ca644abbc5ee1325f5c3e543417f22ee13c8afce4e9ba7a

SHA512
5517af3cd627078ea3efcd29c8f2ea79b6d852fc3fd1e0922aa5184e6c14bb764fdc8cff2f9d88dc14e2cd13e60f3566630a324c09c590e3684ba6f4079d1234

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cafaa4fee386269fbfa59a1bf07a967b

SHA1
c9c209041c52f5fdb0694e615e5a100f995d11df

SHA256
119e00fe3d672ef6aaa781f3fe3d0d792cef8668292b1b0f2e2618181e6c1cc5

SHA512
381a4df1a69ef16b31b1ebe2b3319196ad831e43b0390fd312283d0015f81a13cc377ad5ba3ff645ecd5c787a7a68b0c80b04297fbbb842992fcdbd15d787af3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ac9efe171943874bf76214698a42df41

SHA1
1aa8334ed1974c36d0b4eb3acac1147c80d63545

SHA256
6c3c93f09a94ea4c4c6b9d435d6451fbc5400066e4f121fd470d3c36f3ad24c5

SHA512
2bde9c701eba4e6fc6e76409356999eb13a755143b3e7451367759172f1ad12aa6d7e507d3d60aba11e62ae67cef3151c14736ea76ed62b473093a7b286babbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
22a6b1a33d8d348f172605d6f690585a

SHA1
e52949250bbddc9b2b819cfca05352a276900950

SHA256
6e44bc9ee06d5ff764045194d05ac0e2b9dbfb249c13f7a845d92e1dbd474916

SHA512
47c013e247db4339f8f891621343fb3293b7dae298427491021bb6e2962ce4f8541f65de500dd441ec0c4cb035c9cbe56295747e3b37a4aa36894a70b99612b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7459e7936b6720b8579911dd7ecfeade

SHA1
6db7cd87cee5889f2f22d660b299d01dccce5129

SHA256
62394259685399c201484aea37f1e19a48ec5bce3c4a743734021d21a85471dc

SHA512
7508db5d7714d7b80336992350c25fdd32bf2ba06f28c5d175165756f2e903e0b51497e46ca937f40d84a0572451202ce91395a37fcef561e8ffcac5c8588319

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
95c13f3f26e07d957870332b44aa33a6

SHA1
567ecfec631a29e5ffb87410032910c22ce123b3

SHA256
7a289cf7a862e73e462e6bc7ee9598500dc919e5397edcbbef3119e45a572a4d

SHA512
4646ff4d670940787ad677ce35641f7457d947d06580a9cc1f2bbd6f3686a2088daa76e91da7fbb2ab954d43ffa81f915fd54f35698b27a902355330bb7c51c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
c6b01ac3f8a16b7f63a6b6e72f5dd621

SHA1
fa76337d95608ba4d10471ecfceeb08056230326

SHA256
3736ad6067fb02d79aebc5eb327ac2710de54ffc4082c9e5db828fb170c97ddf

SHA512
6af1483ee19f3bb9d3329ce9f1163759b22fc8324e25b763f2725987e5c760dd0fd74765b2e7650ef2b06a91b37b5d0b1a159a06da647e79785a6c7a894e1338

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ff7f7f61704d547ffd4d0efe0d25c830

SHA1
da7187e1cd9c2eba871fd0471bd2815ac9facf87

SHA256
219f638ccc6f244ae2b73d98cdd26d39db6a8cb35c3728bc16cc45d55fd907f8

SHA512
709e3db01c9b0e8d361f96396d5fe232be244256c5dccc54635a858ab793f45402dc34cf943c9dfe6605da67223e7b0e30b6c72d905f51bc3fe3c45b7763d03e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0ccc32c8503fa3caec94c91ee11e1571

SHA1
aee95b1548a66b85da42b68b7f7f922ca7b252f0

SHA256
51a0304a3e679bcbe9c1b76cae2e9eee01aa3e355c25d7f16850ca11296482cf

SHA512
1d3e67afb9cc04212457d2fee6c8d4238ba23db187dd819eeac19cbc2f04d76a56d34afcc20729e2edb20eead9b7c97e0d672ebb0ba7f5c23797877aa78c560e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e238893ced07c7de4d4bb4f964f3ec3d

SHA1
c74775ce67610ac9ed6763794e3a02bbc1120cb4

SHA256
13530a4214a152b10ee96fcba62ce0cdec8192af1e2e5594d8b2efc4b32bdff9

SHA512
0f84404edf09d8ecb1c08e488205718b4e66316d50c11e85eff5e170b6dcc0bcca7a406a02bbaafd0e47dadf4775577f4964c9c363925db4ce52f8226c58edfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
901feb9a429af0ea599d2dd457c989a5

SHA1
d412572c45665d4e4320753f02974d626532b0b1

SHA256
0c1b6f3a3d0cf30619e76fd00c8ae23bfa6998e19b26de63a35c6d59efc83d77

SHA512
abe164c636f797814d980e07f24f73b79340df95824245d9032373d6107feb0c5b1939734aac9bdb07994fce8df6d92898b8e3c110e64af999e3bdf35d22692c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d28437a6854a3d1e15283c0a41b96a86

SHA1
900f735509fb267b5a8af5afff78dc493a3c40b0

SHA256
e0c849bb5522612e81c6d431eb72a46d99348d00cb0a9e00ccb233007e91e0aa

SHA512
c97809da427296db349e24f1bb283e4adabe2585e185a41b04891dd013d0d2dd32d093f6211e58684067e7421f6cabe92a7a40e6ec5fd5be7441edfa907351ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
471023d65170ac183efb3ec2cf40c981

SHA1
4041b65dc0d9e782a7584aae0325c09ecf45a2c1

SHA256
9e293f38c3d9018ad8b5b1ea91d90639f1809b8166cdb375d7837f6c47f7d58c

SHA512
1facf949734cf30bc4a0ea3f3d456143b42cf1eb51661b2d609e5bc627246bb1de43ca804ba1f5d3b8cc5d98d0e65ed524cbfc0d8b51886e430bf1ffb4f3855c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9e59d8466e87d7950062da8fff781bc7

SHA1
1aed49da7fa0f27b7183502463dbfea060a211b3

SHA256
8c356b410e4a45d1d454c9883798cdd14f41ea744b6d53faba53a5eead64fcb9

SHA512
609e34fbb6dafad8062c8ec58ab98be5a016d6a83970df8813a6304d4facca4f595477990d6e1bbc3d63b4740052b2ac56686d3678cc84c248a00dd9e35e3601

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e24ae701e29997c4badc2553053f496f

SHA1
0ae79031f0e201e8dbd31adba7cfb42a3c56644a

SHA256
306d7e4d8e8ebe711d1e8852c5eed489fea5ef6be8297a50266656c76d2eb409

SHA512
9703988fb25c97ffe092eeba29e939579d614e791470d8368c0948cb49f558f603c9cab2292b689fde28ce55baa505537fe91fd71f1ad7c22d27d455391727b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
76b68cab435d8a58ecebd47926191dde

SHA1
781970daa2d4bbd0c027fe12e713035aab1c949c

SHA256
c9182cf26c2726bfc64f2cca411c1b674ff06f52f98915a7a1941be22746e58b

SHA512
b612a1070e0eec9c8c79242e7e2133bf2d23c3d0e9abd01cec2757ade684a306259e5ad501c0d988e6fd31b4a34d94b0d783a6dec607c46ff72cbe94538f4a08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
65df439afe5eff0894c0a6bbc057ae40

SHA1
3f5f944d39dc94f78f3279c7941f0f57a238147c

SHA256
34aa3a90b58612c63ef007e6926de5af50a607c4801c23d4ae88d5a7ef06d793

SHA512
56aca2a37b492bc7dfaa0bc903195d1c30da2e57d0d704c76b68bce8f719d7ba5bd78529a765ee95edbafdba3d6a0d2cbc0d2706caeef0addded6b6a384e1d00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3c979fea111f58e7935c0a68905ed212

SHA1
79c795893bea30ff7c87fba4d9a70904f557944c

SHA256
4905b96802c1512f353c0875ecb460044c4f26d45065afcdffc966aef097fa7a

SHA512
1c1a8c87e31bc2d263ee2ea71693d82b6faefa73a9f7568b270aa9476d629b0b870193f76289d3ca6b1457671cf7c46b4a113f06d14929f0c7cb9747631134ab

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0481ffb570db45ee89b66352a1ce8a3f

SHA1
d9d70494f790005b2ffdbabb603df0ea7e1835b0

SHA256
912e3fda689a890bb38677207c9c3c789f41ccb6bf662c621f93f1f99081cdbe

SHA512
98b154201a7c3a166a3a945c058550766779dd8c896116be9e9781db2aa774e97df2aac5ba995d6ab481d373a9cc385a6bb95be54c1363775dbb430ec8944d80

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c34b8f11b02deab5174241029b668c5b

SHA1
d7db72cb5106921954f117f0705619ef48fe9977

SHA256
505fc949b56ccab9d8e1304b6185379bf7b2167b9c4dba2da2cd5965ccc1fe41

SHA512
afe3d00906ee1f362e8d26805ef43ce431bb2304da7e641024c758014543367873abcc98f5f9fd3e074b0649376c6dcb0ba9027aab42db2b2fb07040a29929d6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6797c84ef6976d6fe8ea7a8ec219c8a1

SHA1
3034a624ad08b2cd3d8444d57d19c9dae7a61e2b

SHA256
ac65d388505e999346c56218d4c1cf4c7168900f2c2023e9d075934da91341d6

SHA512
568d241fa3b0c899e0e4258bfb08c665847f29d77d6c81de1f78cf90295e99eb6b0459a137c9e7b3913abe4b7e6778b1c1c7243b0313ed3be55eccb42b421e85

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ed5413d4b2534e198136816b690c197d

SHA1
5bd1f8760b1eaaa269b6955a3861167fa5cbc14d

SHA256
7b5c3714a53a4079436be99130e530f3e99fac287570ea3f681efdb06f05c5f1

SHA512
7ee447add139d13967bfef0cd9a8a27028f4f8b55f9fe4271a3969238c6cad147076bf76a2ad3b2b33dd59dbeb0ab69f2c0c4735e0b910a081b208af0fa5b036

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
18583e16e36d673f10550b572ba4cf22

SHA1
057b362154f6ae60503a7b95b105c057637ada0d

SHA256
439407d1b2a8cb7b4ef1630ad95d47e151e729417e7f71ade4ddf5b5437f1819

SHA512
26abc5046696f9f12368c3fb8c954cfe9ba6971d2ee89b912ae8b394c72e119a61ffb0d4b4a376d2d297ea247cafc899fc291f4fb711801158e2f11e751da328

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f519a6664ceccfc9c77fcf85176610bf

SHA1
ef427ea39ea09d24fc9a366acec9ad641a229f45

SHA256
c9b7317c31566c11d06fd25a44b5ef46b9acd3e964ee0cf1cce40b8bd2b34634

SHA512
c45e49944682e2cb72b134fea2035de0199bb2e8eae24f1b5ca980e42d6dcdca34a47ce2844a8da4862965e6439d548ab34b1a104ed516bd9fa47abf3bf7645d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
45b668e4bb60056e1394e9a998af193e

SHA1
7982e444d882149f493c4435847096e665c257da

SHA256
83393f6479a074e0759e55a9ea1c8763447c4df2a4e35fb421e65025c7ad91cd

SHA512
33072472199458b170e90150e6430e12f47a5f2de9d2a7cd9a06ade00e0309975053aea3ca8e0abd20840a39fccd0dfdfa6b7c4b838813bafb51f3796f913a13

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
36feaa292a9b8be555a189eab9b88751

SHA1
4c6259cee5e78c241ae386ab646cf22d9769f677

SHA256
99a83ff7a40dd4fe88bcb1d4111d9ee4374baafa74437f4789d47111b35ed718

SHA512
7a501d4b9e6b564b996816bb95092e0c2322e19959f6d3e79e5c3bb29815ccc3785b4c55b67c351cd19719aca33ec249a93955ff8a6cbf5cd919af1fd6ede1a0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b3e76861cf0cb750deb0cb8a51eed423

SHA1
0dd86a3e3406bcfa24e5324a4f265e83d3c7bc83

SHA256
3c439d2ddd95bf9b89019aad9e7f12574c8f03dc41e4cf8815ce30993ef78f5a

SHA512
0bfd437071a082a230a04f77e0171912719ffe6e89b574f16d478b94cfd4a6fb2e65c4e9306b079a5a1e5cf816587a2f767e4c7002cf7a14d9544dfc896aa769

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7ff47a817d893d0b4c28ae10f493102a

SHA1
8cf7094728666e62b8167a6363861c2b18af02fc

SHA256
2e74ca1501569fd063717379143e1b22289a79e5d6090d9b773b3046cedad513

SHA512
dfd12b264c30d15a3a6bd49c8f54f3695b7f457c30159567c1637d18347d28e6ccf37d91aa63fdd0b523c63fe183d448f3f5dd62ef82c9b280d3cc423970a43c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6ce0c3164dbba036611491e43ee186a0

SHA1
b40ccaf74b8674e57dbfca7323cd622e0ef5bcb6

SHA256
e717fcbfd2af93cca5fa4bc4a16047176f8ed66b0bc252d0d212cc4807f10edd

SHA512
d1de687c052c69139d8f8624a36eb4767c2919e49f83c23b3106584f40b7dda103bbacb9b339635a75a5fff6431894291a40d480e3b73198988c9ed3f9a104fc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e3d7c877e738b734d0c5c5b7a6a4348f

SHA1
1095f206155d0e97bb384f17c43043c908e0fffc

SHA256
19b3844d017cc9de6d68cc5ff801948f4ec96574b0fa8a072330ac7f1dde93d1

SHA512
f36c37bcb535025989e57760cd07c7f2913317701ba94a05c84e86aa97d82b4b4691d8766ccb041ac54b5e61a4f0ae28436af7f689f707029aeb70cded94a236

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3413fc66c193a2b61d251992ea624557

SHA1
bf22881c448f659345b50e18a685b9b0b929758e

SHA256
b1e20c0b2f3feda0c24bb0bb75a5270d782537c7f5fcc185f2cef89f56f5d456

SHA512
8a64f685fe33799d2f182689086297e5f06d28b99e275d239789b59b3863bcf4d55bfcb0c1c2bc86e26c02f653b37b94b9f3bf0856fe234cc9988b898b0d1dd7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0471f1d09ff2ff910fbed34ac24ac1c7

SHA1
c9ddca294602ad91eff820c2a6d749c1effdc81d

SHA256
c1cdd93329078f91434ea38f91ff31cd38115733a91f84fe20b96d4cdbed79ce

SHA512
fc7a77ca98bb126bb6e10a98c4893df94e8e87283730f182190e9756207f69fb3d431b1f7df482e9e408dac084a510d15380f577d5f9b29d227f1179db23dfff

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2dff894e77ed7d832ad263d8351bf77c

SHA1
92fb315c0506eb2481254f96adbffb8866bb71a6

SHA256
64ed20299de65777f51078a1562e0b170118f33d6b8d5332742e3919bb441c4a

SHA512
3bbf6fc88dfcdc045e7ba2be09006dada616369051f2654fa92589567bc9df3a81e351df7a1101ed8dabdfc66eb70bc28a1d804979227cd3485d92fc09876456

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
07bc9f1a0809f4db69e091aa1864472a

SHA1
9c9d859a94eb5093c10606150e2b70865df7f363

SHA256
09b40a4232eea02fecf662b11b193bdc388f8f4b2a2c40fad6f790f81579c574

SHA512
8aff79c0a89879462a3e6c1d320060e05f7e363f1feddd7dd43d4a303560a02637478949f872b386f4154bcefa2d7e1690190a478829dd80358f52f521c52600

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
53adf79bee3be1e06742cb8eeff9360a

SHA1
bb6604b6dd2b2dcf666f4665416d85e45b98f666

SHA256
3183f00ab2440d21270a87a483b5e609b34cff7d089efdf899eb2135190516ae

SHA512
9a1837c89bc99aafd98a82e3d47321b965af8242301b7a2c07c60bddf127c9c28b9f4585592920ca2b01aec29a9686ba0c99a5644fa525f2ff014d5db649f4a4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e17b697493aa134b3c6c85985c6ea119

SHA1
0cc22e296e1de622ce7edf9f105e04d37fa88836

SHA256
118de0524d53c5b64d925eb5f8ea27d4577a8f5b89f3387fedac3daf9909b7cb

SHA512
b357005cd95204a3cdeb00287c204e8616059fa96796ad8463013b7a920c904fd6a71b56b8086ddc4c6f52cb90b99b2b33bc7f9c7d3593bcc679295e374c9d62

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2fd94e72fa9532c45835397338e9250c

SHA1
00bbe957f2f869b0ef30f4a9545f957d97372d48

SHA256
a93bc7073397a5123799c3052ed8cc2f969ab1fc3591bef7ba35170acb6c2d83

SHA512
14b2f588bbda31dc9863548527c7fbe02ed2c1b2a8faf0a6f4b46884d5a580a9a250e316399a41b1b240f4767786df8777ce5caae48903d77b18d13ff17cdbee

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
07bc40490fcdbb80e9d634d148746fa7

SHA1
f96fe4a6fd791b204a77a219dfc1d3454b89c604

SHA256
4babb85288cef4f847411e87fd7a914f834d2a8cad9b3ae68530ef87090c375b

SHA512
e466eb80d55db5bf7d65a85f89514fdefc2ba7d04384767b7e52ff5adedfa4d10cbd2b1f14a288f2c1704b65be598ed07560b357d1fbc1e90fa16dd86ddda925

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a8a13c3c4aa4b751d4aecb6eee855fce

SHA1
2779155c09130a7079f9150711f9317b47d542bf

SHA256
ee0ceaec4ed1573cd1a3f94d13b8b4edb4087a6b21d17a9cdbe9eae6522ea154

SHA512
e999104d79b21bcf803f222b098c973d4501ebe4653d556009e4e80e89321b310d03af88a2ab46f2bbbea44d30c267fffa8741965c92a9b72853f13baed5fc7f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3bd15ee077af137ceb804bb8bfebfce6

SHA1
3ac108d07362e232aee1ea9efc6393c31de107ed

SHA256
630ade45685dad5b08d824f27f3e713bbcdedb2b05e826367e91115545aa1086

SHA512
f8ed7efa842fbbd0e33565934cbc85149d66db369858c71c347edea2b63f9e6a16e7caf2d9229f61cb2a60539240ae77572ac4843913304549421b16b722b672

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
093e6655fd596c878bc70f2461a58fa6

SHA1
e247da2c73bd2b84228e51df5e79f3cf861ba637

SHA256
0cf0f8f925b4f8da78a4af4c5ffb39150539502c0229475719067a5fcaf8f52a

SHA512
b8f3428126a331d219a7b6b81d7b4116022d37f91e891320e904a197594de3570799891231b7b65c86455056ccdf8a2a05d6dc99e28a8763f45d2e4a787cf56b

Download Submit
memory/1028-434-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1028-78-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1028-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1028-72-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1032-140-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1032-556-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1060-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1144-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1144-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1416-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1416-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1416-6-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/1416-80-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1828-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1828-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1840-64-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1840-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1840-54-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1840-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1840-60-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/2144-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-117-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2412-109-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2412-103-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2412-98-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/2424-16-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2424-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2424-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2424-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2576-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2724-143-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2724-37-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2724-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2724-31-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3288-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3460-157-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3460-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3460-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3460-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3532-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3532-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3768-561-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3768-162-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4192-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4296-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4296-558-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4324-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4620-439-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4620-87-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4620-93-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4620-96-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4696-159-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4772-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4844-557-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4844-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download