c602ca81e1f571fa7ffca59a0d0b264b3c55ae8284bc2b292b3b6f868cbbb912

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Size

1.8MB
MD5

8cbb663e5b94f2ed29536789ccc6cc2d
SHA1

86705d90fdac3cb879c8947d084453d5a8039e9a
SHA256

c602ca81e1f571fa7ffca59a0d0b264b3c55ae8284bc2b292b3b6f868cbbb912
SHA512

ec0a88e5c44b732ed3ced150d2531536e77f529c33b5187a0003a1af53183ff60d96a8e7dc8ee564b8eae4f49e3e59ce8a8708f785acd0b7a07aaeb0fa109259
SSDEEP

49152:lE19+ApwXk1QE1RzsEQPaxHNOgFIDRRAubt5M:G93wXmoKHUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3584	alg.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
3116	fxssvc.exe
1552	elevation_service.exe
1500	elevation_service.exe
3240	maintenanceservice.exe
408	msdtc.exe
1672	OSE.EXE
3360	PerceptionSimulationService.exe
1112	perfhost.exe
4856	locator.exe
4928	SensorDataService.exe
1096	snmptrap.exe
2936	spectrum.exe
3064	ssh-agent.exe
4304	TieringEngineService.exe
3192	AgentService.exe
2384	vds.exe
4456	vssvc.exe
1124	wbengine.exe
4572	WmiApSrv.exe
2156	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c4d112aac9b3195.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_130421\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CABD5C61-B299-446E-8273-0F06174CB008}\chrome_installer.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba0f197f08d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fc3c97408d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de8e587808d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ab15c7608d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008736207f08d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007606ef7508d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e776617608d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd8dbd7708d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003274da7408d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004239e27e08d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bc3347808d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012973e7508d1da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
2260	DiagnosticsHub.StandardCollector.Service.exe
2260	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Token: SeAuditPrivilege	3116	fxssvc.exe
Token: SeRestorePrivilege	4304	TieringEngineService.exe
Token: SeManageVolumePrivilege	4304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3192	AgentService.exe
Token: SeBackupPrivilege	4456	vssvc.exe
Token: SeRestorePrivilege	4456	vssvc.exe
Token: SeAuditPrivilege	4456	vssvc.exe
Token: SeBackupPrivilege	1124	wbengine.exe
Token: SeRestorePrivilege	1124	wbengine.exe
Token: SeSecurityPrivilege	1124	wbengine.exe
Token: 33	2156	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeDebugPrivilege	1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Token: SeDebugPrivilege	1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Token: SeDebugPrivilege	1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Token: SeDebugPrivilege	1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Token: SeDebugPrivilege	1316	2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
Token: SeDebugPrivilege	2260	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4816	2156	SearchIndexer.exe	111
PID 2156 wrote to memory of 4816	2156	SearchIndexer.exe	111
PID 2156 wrote to memory of 4848	2156	SearchIndexer.exe	112
PID 2156 wrote to memory of 4848	2156	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-08_8cbb663e5b94f2ed29536789ccc6cc2d_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4312

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1672

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4928

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4824

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
130eec1d179a26ea3787b27dda5d2fc6

SHA1
a5832b531772d59cf972a15be88bc670b88b075a

SHA256
4c9c2eee2d6e9f9fd02317ebccf666ace34697a9b432e0f7da08bfea2c800a1d

SHA512
55c2278e08bfe0dde3b9d90185d5583bd1ae6deaceed5385e9e0d12390c2ca8d761df6d17a27ae16641227f363b4a2fd8cebd1b4a1f3f51a35d0561496cd9854

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4645c1c1e81405a089cd6c64b11b9716

SHA1
95e1b36de7a3e68098dcb8aa59582b6938acea7e

SHA256
5e4ab0dcb16f81d4c765ad312c1c0a5f45b3c2b720c1e8278e65da9b0ce43b5c

SHA512
4cf9e6c3e3bdef09e5b05704429b238dda6008b8c1dbda6091ff483d3bcd3fc341b8eae48b26199b42dfe869354e3527a8174c26eaadecd5307a40f28cebb963

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
8e8e93abc48107c528d75bf2d3c4cb34

SHA1
dac7478b72338d0988f5d5606cedae6008748edf

SHA256
d923d49dedb53c376dca759a37144c870dedf32e82eb939b958f1f84b546aa03

SHA512
d1ef7598f4af650fcf99e0a4c019b4121abb1359be61f52440bef5661aedcd4da2b98a0f8107271fcf839a654c392ed37ededf2385d4c7d586bd325090bacae6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fb8a0e35858e6934711ab1da70dbfa9c

SHA1
b1cedaf5eee98da83ddeca9305cb3de75ff9603e

SHA256
e44756b6250e6001e4e5d26eede3206c57e6167a2687d7baccc6a5bbba40f045

SHA512
b3bf0b121586c28e61812e4c956e5999025697d57867422046e19df4527216f6c97d5ad3676ba9731f32894999badfa5d321c95c8d7410e33e8cfe0ab33f864f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
483780376245ed05db0f72ce246f89a4

SHA1
a66c22307e46f3430e4b63c8f6be02d23876c798

SHA256
8ba008e5d2f219cc4c66a8a210e1e1e529a4c2a181dbfca706f4e31c27e85428

SHA512
37a46c6dfc22dfc72c22c138acd5876d66176edb003e7e2d749d20bcdfd3bb4bbe1ff041375f1ccc892bbc8b02ddf6a6ce68b14981100ce88b9d11efc341ffa7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
787f2f855681b8959a4a813880142bb6

SHA1
15576cd8b2847d5def0d4e5245c72c8840f6542e

SHA256
e3a60cc6ab42154c107c489ea113d619b52f74e2d611d03b19852d2df21f8d39

SHA512
5968110bd47b5996e7d6241f7e37f026a3cc206a604d824f3c240220349ce46dd50fae2a240473e213e17d88666aca647a1211351cba3106a3f67726bc2d3e29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c1d6c5743d1fac930c11feb394e5755f

SHA1
67e65cae1ceedb0fbdd10665e88e23fc553ba3e6

SHA256
ad5bd92ba9fef8df612aa9cbff07f0c9bf700d0f2f12f0465c9ffab04654454c

SHA512
7a599ff520254f2b6565c0869672c83b44ccce715841cb63e0710360f9141f51102bfaef7ed3653fd37d2d26858bdc63a909daff221f9cbcb505e4b6b42bcb03

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b6ba31e200ee2ff1f931f8dbd5efa42c

SHA1
7369ee8153c896b4778d82e9ed7de296908610e2

SHA256
58eb9df225641aea3351ca962165bd1ac7840b3f705472e9aa2f307a60de3d00

SHA512
eb7a79516cdf1f8d78371bd30f1b6447aad47bdb2f73477f2d87e9c37bd20d6c330e2ab6acd6e8de0075fba050e956606fa1ff027e5b0be48a03bb5a78ddaf19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b1e427197d601851140097f9ab6b892a

SHA1
ea2e02ea68e1c83e57352e325d9d2ecf2a8e1d47

SHA256
dcd56241dbd9b44d6e42e86b202f6b1dce46a6a779588d9c45510ec46b18e3f3

SHA512
f0809779ccc39c1056a0757cc5921f8992c286eabad906526527f851d652c3f8f9a16b533ced1c4c6454523f881bd1a17f8e83b10ba192089dcc9f46395d9bf7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ddd997673c59c992e9bfab92adddaed0

SHA1
684a4b7634ca2479756e393c33fc54746e6af490

SHA256
431d4db24876f03b842323237249af16aaf9610d146bed8262ced69f463c5e54

SHA512
24539e927554ee539d519826954f96ff9ed7765f7b59cb84b60f8bf60f0509eab478e3e5f8dd610d980357ecf235f304bdffe2af351290cd6b9f74475d99b7f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ee4b824a3fa9fe85791bf7d24971c591

SHA1
b1ee3fdf05f514ae033500f48fb1ee335301e709

SHA256
2e52359ef9afde2d8393741f243ee93527650eb93f6d6bb164913687ad87e067

SHA512
354bb72fe421c56d8cb1b2307f30eaf53c4661f4ea0197f4bbaf64523d39e88f16652e79a99ca963ef99159a67a2a6d36d13f3519c3fad3c8cf54a7dba0f93d4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f2bfa8e5378894576fadac4fa37f9cd3

SHA1
43f86a3ec5f677010798cf0088b85e42217df369

SHA256
ae8e21dc63d19e45e38f16e1b3731aaa3d3629cdbfe928a50cb2dd6bed85d07a

SHA512
aa156206cd6727effd4addc898ead93325d234d20a2f87ce370194bb4590c626a2fca53f11495fca52538fdfe48fc3e9f369e10a8a6893fd1ddc33f679ee3255

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
704202ecd2853e9869b6ab39c164ab01

SHA1
fff2d0174523203703708782d52d55251072784c

SHA256
3df8e63d691843a6006e947867beb8caab980ef0b5244be273be41ce4b8a2517

SHA512
2fc79771a846909d54b070514b02725113ab43cf5e920ef8a727acd727f8eeb08d83f9326e9a9721d3b19c8ec42f9f4f7e790df6e81eac76d0404acf3f2a1ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
02d6997886c290b43a5326c75e41ef12

SHA1
86410f817a8c6aa3047c38eb24476084ddf51d15

SHA256
304c9e3d56ed86f2a5a63b0ed5dd99554acd07f310a70547a6a6e9a87ef0ac70

SHA512
43c03f60a850d70bc41c1d4112c661ccc30d236eafc9a7f6c2ac80f0596191700182f6d8c8e0255ea85bf8d582872a2b66cbb9201224b6f4a1a42df1fa326758

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c7dc087c9b93da738c000ae4c1035344

SHA1
f085f98e02fb1dd65e2c23410aa56046b34871e1

SHA256
62d17c5c63f20d2b5d76ce29d89a69eaa6c96ed0d2a22a7f777e7795eaf5c9b8

SHA512
cd373cc0da499a1b572ab9fc08b89e8ef53a7e4d467d6ff8975b1a9cf7b2df3bc43f322f78d7400fe99a2bd4a29f14c4caacdc07ee8c9bf6843cc64c81c11ff2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e1dc962ce88360d017a72a9966fa4313

SHA1
d71b9eca53fb4cfa140bbe99fde91e33f1b91386

SHA256
565ac09dd801a8843878a2995e9ca366cc8bfe0154d81f0853713dadd664c3de

SHA512
9fe29d0b5814df67b4c95e95711427eca7f13d8069d75279cd3fe28278b1d324fdbf27ec665166b67a10136cf0fcacecd480e3bbd350236d41b083532f51b75c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
79eeab4154d7c48042c04c052967c3e1

SHA1
a8f19b8b9a1cf5cd9fb447d70648c04bb3ba6429

SHA256
5a90b183f6ba6aa60ff003d96a99a9831065856873467476b03dcb4875ec2c6e

SHA512
0547056df3f782ab02d1b34f49ab2e1a6889f17ea4cb778ea2dda2f355162b474803a5d56806953f162511ed1d182efdfdb124bc83a39f7fcc1904f048b00f9a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
401492d0ad75267096e0458d4d6ff9e7

SHA1
fa3a34998c6cb0144c9213032ad0ebfea5ed7747

SHA256
ed353385f56b7504abd49929d6f1d44776ebaba1c109440a5ae1a23835b9355f

SHA512
1a22ac2ae569c768ef0657ebec82783f2f2cc1eabac675351b6fe3d37cda9ccbe645ec96e49645da33656cb60971521b972939849c14e30cf17e8bdbbd43d869

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4be1bf094476f03d7ab76e4347200a17

SHA1
cc79bb6f4813a89a064b6ab366ea5ee1145b2144

SHA256
d7f6d44464a6772c788382546d2df6ea8199eda0c00dafe4adac2b4c321662aa

SHA512
afad06f978bf7638b70ef3f6b269bc9bdab04f34cc2c040543faceeb1b027b869a78f7b78ffaa2049247fea69897c6bffb6790a85908f46fdb7f310315f69f9c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8456f106bf28131d7cc0caa3fdf28000

SHA1
e3856be59eb22afc65b127a5854cba84dbb25e51

SHA256
3bc04f1a640b3772fcebd90d7e366081607a775c777fd40ad6f5c4d576ca6b6d

SHA512
b9b7fa7f482e60a37382198298cca3eadaa538a1c39dfde3b83793cfcb4aab0eaea28d2ccad13e5a0c95ed8a8b4265a0085f08932dbb06ce8b5729cc4c54ed90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
42d71a1e6be69bf208a639b13538aa6d

SHA1
d7ae12066efd6f265616bcc512c0e4a6ba5d508e

SHA256
de7d90933fdf39ef8f834b4f58d99874c874af79bbf74abc86bfb8d743b2016b

SHA512
cd90f2a278528fc977c1f37afbe98054ac9a909557b2a67d6c4c483769a8adff8c413ad75bae530236fe7c080860016c5066ec3bce19dcbb514d1f954fb09f13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
03b16bd121669b6630db574f85c3d8a7

SHA1
0a7eebc0a5441622f680b0ac36250dc726a164ab

SHA256
391ed90d5d4a17ac2d9078253c98b774fd1c57f41c0b54861e87afffcb86eff2

SHA512
177a7c2224b2ca80cad56bc89b2a57d1e2f34450d205e17ff6bb1ba6e4ed82551af1bfa4798ac396116df4ef00e9494d4a33b895c5c7eca5ee234ec62f7df139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
bc45abaeed33270d2945332a2ba780a9

SHA1
fdc0dd8fc2696383446b97e87f44e40c8dd245f9

SHA256
2a29b5ed5dbf750871ca0ba105f7b8c374bf7e3b9714af70c769ec89d53892d3

SHA512
849a7f2f7556e8c94415b38a6386981bca271e5b55b79adf17a55da7d6f0b027da1833505ed7d72877582b9a0d535c509d3ebceb8f45714c981b1ae55472aac0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
74a317d14575ffa8df33bf5263532556

SHA1
47ddfbca87abde2c3b77945ec337e3cc359cf20d

SHA256
874919d06c8c1ccf2bb74cec3715efbc871a288e62e08ebe72f39692f5781177

SHA512
f4727e16de1b9404c8dcc6cced17b4c26992210d35da5754d706057eeb9bcb69f0495a6f19662c14e54d6753a5d75db4abfaf916dc39d2e9426a72ee5100afdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9f4d02206c4ce0ded5991e19ce2da8ba

SHA1
fbacc33b0d69a3254389eadb982a90e8e965c481

SHA256
69953d016ca135d93b18d9801cf757081b95aab56f34752717bba80ac66de3ba

SHA512
97a756b9937fbff85c20f5513e75997019cd80e9d2e1bf9e17da2f084cafcdbba92819755c86a581df5003ec088463fc1e82afad6f6df4b4f785975df4613564

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
68f7deb1384f0c772d1df9150bbe94eb

SHA1
b0e0ac34df8422abd6c4fdcc318f47fc9213b41c

SHA256
83ab8d9e3b28079039c5a4f831a45372c9119cdfe0c37b18ee267bfc3396df3e

SHA512
6a427ae7e6f9cab8b10b24b613858d67a59bd0ef7196e44be303d6e673a5263a9b17f16619c31dbac9ef854aa70035e6841bedf29b8b1f1dd6e69101450f28df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
11d02b2e69110e439268be39e4082495

SHA1
645d931d409fceb9db78374228a9a4399f48e2e0

SHA256
5105adcbe285fd95bbf58918005a66ad9bd271a196cc47e5f2d122d40a6f84e9

SHA512
1585208fdd3c7a06a06bc7758e730559fa52f8ec2966fa66daf51760a5fd716aaa8f72bcf4c65ca911a60c4cd155e37ad05aa7cf52433d5e6e31acba1bf09842

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4915ccde14ad4ee924da585060950619

SHA1
9caad527194456693d00f02441e4291b256839a1

SHA256
e92f85d33b12859cf5543f687a007cf0548c805ecc52da3dae825e16d03eb335

SHA512
7813e0a929c1e83ac2bef8780408c26ebccbacd5a74d1b46d999ef962131604c72a0a04e033d3e38a556e34f699bf7b740ff2f0a84b77ccf1feb0fe200c609a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8489ff4795e1946a56f24e15016bf257

SHA1
e711a3d6fa7d2d430a375258851c9d153029d9f4

SHA256
3e85d18b4493babb6e6eb47cc39ddecf22b525a10b1a8bff4b2508af4c332f09

SHA512
1b4a29c8cf8bc67a826c0cf505f3394ea8e5f73f3245493af7c5984d47536bba117de8d00a6fb773fbe04f2bdb8f8b96d8bd75a0c9854f7c67402aadec7c3c04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0b82b4be22c6ba9f9b544866027e1de0

SHA1
1cdbe587fc9612bfb4c41ef32de630cec3a9b4f5

SHA256
b13d05a371dc4b4f94cee14b1db256c441c954698b54caa8f7f9cf36b6d24851

SHA512
73f1f6a8de595382a46fbca7ff94b8386cd85cd1ab707b80d2a450bf13bc7c4a699d2767c93c8a6880ef4f47f21363870944b405fa15ad3b091ef79a792eae29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ad023fc0eece0762ab779c69f4cc4430

SHA1
ae0b793c55f1f613244557c635d4e8c03c844e00

SHA256
4c0add4fcf4402f71009f7f023790f12c65e3be9aeb2245fc07378985fb19e03

SHA512
7f285bdf022f27a4cdab2fe1484a3b93bc6fecf9212c6f1193820d8afed05fee6fc18629cf76a127479219d6066204e142897b203e49efcaf18db3063c3d1b1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
854033049e3e9a306a15700c23374b0b

SHA1
fdeb76a9a1719839931b2b9691e09288ac478916

SHA256
a7f414236b0dba009df50be44c590f534f6de17bd1a481d1219cbf9acbe5b629

SHA512
9153a4a5eafe49b0e6dfbd9ef71af24e542ba623ce768e937b850fd6fc2d924d17169b46251d3cafc22f4acce0b7f306f7c1b66eea36b34dad95b83628a1de1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
900f268df9a5dd68a089afd2b663cdd7

SHA1
6d54b5fcbdf1290e3370c2578b481fab4ba27937

SHA256
05e3c210c86cd67548e569285d05ba552500bbb9851f169af7652f306fbaecc6

SHA512
bcd601e10d28c50c844f2f6074f50716d6f560900e577e1ce0a39d2e7aee56112605633cf869b6456addb59bb56bfdaa5a33f94d778f9f7e22d8bc5f7360db2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
346fe12df659d9792619008a1191fc06

SHA1
fca4331872235662ebad325bbf79ee5b030a95a8

SHA256
81eaef694cda87cb1e47b766ac681d6d5d1d905927d7e54052c491c3b1a2e433

SHA512
5630089fe1929da24df9da10e0c4145beee91a2aa9bdfcf727410b4f3b50781d01dcaf9925df2044dd41c0e677839798260adf7b9b0c4a69d4e901325bf6fc42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6a2867691ea1ee691847e656a69fda1c

SHA1
95a317013c0e46b1c7ca2f46d759944cddece498

SHA256
07681528312588dd8b41485689a8cb85a73264401f07112a465b3489eb2ae991

SHA512
841168e516a12d03ea95b1ae5ce0160e5513211fc50185b79eab3f4adcdf8f31aaf356477cfa16b3d5f38891be237c8d92d10aace80f4afb1a314f8e2942ac56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e7e587fb992a011bd3d73df690162b54

SHA1
57032f5d222faef98cd2dbe761e6a7545fb13a35

SHA256
176a1925cb2202a1025a024af90f093b006733290446143e975d617497d92b99

SHA512
91946baa55ba535e8bc79af0a965b1d9716c0c30b0ab0b3e9423fd067ed08a9fce989adcbbd5de1ad8a4ac0cb18ac6f816ccc5b47803a7a48d00566819c37d89

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
300743ed355d700c01e179ec82cdc75f

SHA1
df676db034a3bdd5336c2f3fd472df8c57e61846

SHA256
bbed721f174d072fe93ab5d34ed0867ba67a5a58b1d5ece8b8a654fa42f6e454

SHA512
2f7f0a0f94da027e604d155825b1280ec76e35e2ee08abeb538519c435f4080c27fa2697b7b70fdd9597142724b9238cb40450160bb5647bb7eb4721318b74eb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e2f48a0575086689dc48c8dc636c7eeb

SHA1
ec91e96049e5ecdfbc3dbb84bf4a5c155651b942

SHA256
c1670d34312ffb7e04a9c5642fbee083eeafbedf92aedd4f2022ea81a57c92f7

SHA512
98b1130c232436e60c24d3a8ebf2826aa79077967c4679254c64f0c7482365205723b3533db809ad6d468286a9c7accda84c25577fda7f1e569d1d74c3819626

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f72c129e679807e0fd2352942a81ad1f

SHA1
2e45c04dfd00905712256ca4f38d207099e9abf5

SHA256
19cf741c1caa46c9c5e87c956cd87eb2f86a597de6a73015438cfc2babac1a30

SHA512
8170e4cb96f59d7558c48e71271033dc9cb1e697829ac0b7396b4732243da6ff44cc8aa413b73752fac46d84056d608c4fcebcb1e2828eca861a0696349998a8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cf8ba21c7df150c639fb5436f8a0db67

SHA1
21f9f497b60c6d2a4e9e246dd64bccc8152e0340

SHA256
ae213de5ddd838c37a2cd836d6c33dabf70c43fde94f428abdb207782a682103

SHA512
b71676b44730aa837a9299383924ceb1cbd578c183cac151ad558330ddc373543eafa14e4860f93ea53af4f299a5a7d7ce077e3ac0cecd43406bda619ead279c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
bb40ee05a485f11573772d85ccb77a2d

SHA1
fe981097dba6d71428b82bc351568ab2dfe7c414

SHA256
f3ffde52266e5ab905eb7df7c24a5297f402da2c43b7d8659c326387cd059f0d

SHA512
923374b752e68af717fd81062a928a9c71d188ebfbe49b6862a9572f61bbaebb68e148e65483ea0b1c01a9a0d4ed9ca1249f2fc8bb43ac918bf2706b09ab6718

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d372eca9a71b6abada7f294db9537bfb

SHA1
0d94b78defc2accd402b1910e6e2b41fed43f76f

SHA256
d811aa9b9644fd256337eb17fc6721b6b044ec1c8edb3c812f854cd3276cdfec

SHA512
357c0999ea93706725bb13a85462364c251203e6aec6edb9f3ef3c5a446ff25ce1ddc92329362eafdc0ae4ac297871d4f95f0f6460e7bf238df6c4f8d30fe766

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1cf01a3587ae2f8f96e9cd12d4ca4d8a

SHA1
2627e9073ea4690d389e67fec23f9251b0465f93

SHA256
4f95a723bf0294c388231bba1801da43859f7f6ba52be3ee8259e72c07989552

SHA512
fd38d8ac8ae93c6082be6adbeb2f8cccd0b96539c9ab73ee312d808e1f2f4f53e0ca27aeb0b0936f3e7c86de38f6395a82d60fbf39539a55d0f9e3e412a5dbae

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f23192f27c483a9ad55bf7c1994842f5

SHA1
610381fc84b942eb5724e5aaa3954dc4f914bba4

SHA256
7927db58f363521dd0595775f3cfff3fa545accd122c94386ff8fbbead4243fc

SHA512
f6bbf8464581bdbc519359b09e5057a0d11d7bd798903facbc2f0393bf8af9fe831ab9d8f7f7287aa3ad211f28d83eeaffc6e04faac6c172401db728e5d733ce

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
329dc6aaf5e824c7d63b235abccdfd94

SHA1
61b03819b5648b9a337545c1c138a0c3cc265535

SHA256
ac385a462b1f60bc9cbb6646e485496011064e922c0c4ab0d542538d581b8289

SHA512
d5acac9410d43f163a1bf031b68ef9b137a842e198693e8d5e8dc0f282e5511077ad2010a1f23fe78268c0113497e833bf69537edb9b0ecf68f76d2ff7232ae1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
27154f00e23b5b1d39a7a2606eea20f4

SHA1
0b35b020a2d1304fcf52c76a88f171eacfbbe759

SHA256
e321295a3cbbfc779dfe2b0a35751ec1b977cd8d994aca89b92455035e51f3a8

SHA512
6790ded3b36523e51229bf86634c20e915c314e48256ecbadf559b8eb3ffc2536b433925c81c8e3ed414b49820f5cdda01910e142b80dc39816bc29577399891

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c7c25178d67696006575cbbda119d5f2

SHA1
8a02ad15d81f2cda96ab45324840eab58eee2633

SHA256
cd5e4903eba4a2b682245e13450188cfd613639354348bcfcbcd4f5231cb148b

SHA512
0b522cce5d03e8828583eac91a5535172d2bb1b8eaa5dd6d20255cfe38df3944ed1e63ad42500eec4d252214308e299c1f087c85e6e5eb8ef36f6f610d852e80

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
397e37793e3f7889ef95e6b21d2019a7

SHA1
a2bfa73bdc6855c1b093072c1dc93c5df215734a

SHA256
217b71d51187d3b557e3e71b8770e50caac0dd30e2fe352c1b365f3dcd6c9205

SHA512
dbabda93daa7a492244411c4d7aa63cbea1ad8de247f47c8ea0e5b5fd362882c999b7ed6ba3ca22d630b4998788d6cae91860afd712204ff320bbd80080ada0e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8f8703d61a1509be21c353188df772a3

SHA1
a039e44cd2572abeba2de6c65004c30ee3076153

SHA256
065c1ec1877d4834ef50f52c6a4174095bc9ca9b2489828ce1365523edd13dfc

SHA512
c4ba48ce98b1c1530e372d9e2e3051af92448e3077335df87cb302cec641a6234db9bf176e8ffab364818866e45d359c8fa019bee6733ceed132608b0befbddb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0360dd92fa8a9fa44ea190301d823530

SHA1
82fdba36df7a29068ef2e1b2030db4e26c8b26ca

SHA256
c95d2a964a9f9efd32e1e8775951a7720642b4bee82515ad8666944c6a0a0f8d

SHA512
765ab2a7fa0e56f573b2b7602edb43239fb913c805c3fa4ed6ee3a19fd38e897a72926df52a50541e3627dbb2aa6db42042102cf68c61375b9749023b975afa0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c42f687ad5046b19f40ebd6519e311f6

SHA1
a2d2be14b8a4e9dd400a51d8a5d3f3ed8bbcdf3b

SHA256
4558862a8160091bbff2baae367f2240b7d9d93cbeeaf8f991053f8210e2f393

SHA512
6865dbc330367401b1a93400b819712124c2258dba52ad7124831c0b2f04b9aab39af1150e56cd4c2fd72d3bf01296e814f31d7c15c32985f7bdc63cbc9b3fd7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f9fd907cc4a32c7e101ba9d0757770b6

SHA1
0154771cc90707a648f94d0e5ace80d433e946a3

SHA256
cddff5cc2cc5730a924cefa898bd20985e6954a79570a52c4575752fc27b9123

SHA512
cc8bf2e97a587b2b392705eb4acc6aa5a8a2df780f064ce23a915606a0408f3459ee6e6c91e0c139b3e2441b7f302c3bbf35391453354026c113e54ec29f337e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b08413baab5ac4e2637fe5d2a1f6d930

SHA1
8f073c3610d5bd20012dbe64ee98a8adfedfaf88

SHA256
10386e2c1e1e4bcb4c84187d005c4bb72f53c7fe964644d04f1984a0157255aa

SHA512
bddcb989f5574f85dd10f85d9c0b8ad0b3ba7ca3699cc75cb0bc7ad7833bb975ddb79b0f43b861376130a38a8a39280c8af3f2210f2abac9747ceca8d5a4aab5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0436251cae74fa859085b5b1f3921b9a

SHA1
6c4ff646a0e137d1b65b4343b15cb1607bda0df7

SHA256
758859b590acfa5d8927c97cfd9563a179e365058887c92a1549a928155b373a

SHA512
4d718ba742bfdf78abc25b091a7ec430b7fce293fa536ce33389a4d256f14745fa8efa415e6fbf583aa2297c9fe772c18d01ef2ad552a0d2fe16c82bc1dbee80

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
7ff12607e9c8e87c84f73b70b24e47cb

SHA1
fec1df742abddc10cb962dd5df4113312f08b1ca

SHA256
aed217f63a96698aecdd04c1230c01435edb2fd98fb2e1e68c8064c55523c7c1

SHA512
5119f006d8c6962828f75e32b7f8ba8040db4466c9514c3896c5119945e98d6768c96e61fe14c174d59ef4c37ed81becdc8e367e8d99a7ba85cc6a4823f77637

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b450ca6c596e88195dfa0db38ca26d51

SHA1
3b324f2e3106ce3b6687152a5981eedce1bbdd24

SHA256
d79cb90ac04683266383e9fb1167b5d2aefa11b844060e411c4ce745c98b3dd6

SHA512
65c4f543c1d883ae0cc5b9e45af0ef8f2222753a8ddfcf46ff5636ffd4d4a2015b837fc09215ad4122a06721943cf81a862a96c57999f88d74584f1316c7f74e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d6438d586fac056ae10fb629553e926f

SHA1
d42d17ef286f8b4f726e17b3b6e5b3d3a809b5eb

SHA256
dfcf94e2a16bb0b6c676fa9e786c1060af69df217c68d0ec5a027cc208e83d06

SHA512
132cfd618e8fa0881014126f96bd9b7c596d1f69c40ff238e4676fd6582a3935847eb6600e3a59a5b4d6a8248ecc71fdeb39b72768fbfc65a45d58e0ec69e55e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b989f286a01a10be057f9451381e5f83

SHA1
d81bbd0340abb5801b6bd15023f5d6ba3cebdc8b

SHA256
bcec6cac6a6d0cf16c8054704c8d21356eb178e470593cbb63b3011f66339f8c

SHA512
f97a2da05fe8a90387d1fa78c4a416447317a2b60aeb7495938f986b7ee14b21650e2faa891231525931de4a6a49cada1097b177199af92c9f1c74dd9eb3d633

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e449466ff514e02ecb5c35f39c7a8e82

SHA1
284658135ffed9a571e4153719c4ff12adacec71

SHA256
3e70fd193c2b2ddcb008f8ea8dc5dd46679312567acb8d676b92262641af90bb

SHA512
72caf63a5f0b7decac3b34a753fa8c3ac96a32756734d19d49b8ef2fe6881aadac508f0071829e3fecdd18c5ec7ac127182839a90fcc5ed158bba809764229c1

Download Submit
memory/408-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/408-164-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1096-128-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1112-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1112-356-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1112-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1112-106-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1124-401-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1124-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1316-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1316-8-0x0000000002390000-0x00000000023F7000-memory.dmp

Filesize
412KB

Download
memory/1316-6-0x0000000002390000-0x00000000023F7000-memory.dmp

Filesize
412KB

Download
memory/1316-1-0x0000000002390000-0x00000000023F7000-memory.dmp

Filesize
412KB

Download
memory/1316-94-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1500-155-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1500-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1500-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1500-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1552-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1552-32-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1552-152-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1552-38-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1672-167-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1672-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1672-81-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1672-74-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2156-407-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2156-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2260-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2260-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2260-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2384-399-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2936-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2936-363-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3064-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3116-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3116-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3192-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3192-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3240-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3240-66-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3240-62-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3240-55-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3240-61-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3360-85-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/3360-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3360-91-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/3360-318-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3584-125-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3584-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4304-397-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4304-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4456-400-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4456-156-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4572-404-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4572-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4856-126-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4928-359-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4928-127-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download