97033401a7d1d24b9c4273ebd8f0dff6c25e4027a15f91026d651655fb950181

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Size

712KB
MD5

671f55ad9af7009f4edcf5b50d5cd1c5
SHA1

5169d17036d572ce8a2732d30cf2ce66e5a81d3c
SHA256

97033401a7d1d24b9c4273ebd8f0dff6c25e4027a15f91026d651655fb950181
SHA512

ababedc861c326dc9df37df77d37b34ad6a0a2e98d466a01bbc173a0898243a0e0e61fe73897d397912fe2ed6bf2e8068ecb7f289224c9a4f2ca51e75a426db3
SSDEEP

12288:ntOw6BakVqKNdQ8yRK6rkObwsToHOOWGgqvoEWH/lInNg4JYU5a0Cuxy:d6BxVqIi2lObXobHAEW9INFJY0au

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4464	alg.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
1336	fxssvc.exe
640	elevation_service.exe
756	elevation_service.exe
3680	maintenanceservice.exe
5028	msdtc.exe
1152	OSE.EXE
4684	PerceptionSimulationService.exe
2996	perfhost.exe
844	locator.exe
2904	SensorDataService.exe
4928	snmptrap.exe
2088	spectrum.exe
1404	ssh-agent.exe
4400	TieringEngineService.exe
3060	AgentService.exe
4384	vds.exe
2564	vssvc.exe
5056	wbengine.exe
3088	WmiApSrv.exe
4336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\78534259971c363d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004044edf75edcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090226af75edcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
2908	DiagnosticsHub.StandardCollector.Service.exe
2908	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Token: SeAuditPrivilege	1336	fxssvc.exe
Token: SeRestorePrivilege	4400	TieringEngineService.exe
Token: SeManageVolumePrivilege	4400	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3060	AgentService.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe
Token: SeBackupPrivilege	5056	wbengine.exe
Token: SeRestorePrivilege	5056	wbengine.exe
Token: SeSecurityPrivilege	5056	wbengine.exe
Token: 33	4336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4336	SearchIndexer.exe
Token: SeDebugPrivilege	2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Token: SeDebugPrivilege	2432	2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
Token: SeDebugPrivilege	2908	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 2864	4336	SearchIndexer.exe	111
PID 4336 wrote to memory of 2864	4336	SearchIndexer.exe	111
PID 4336 wrote to memory of 3068	4336	SearchIndexer.exe	112
PID 4336 wrote to memory of 3068	4336	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-22_671f55ad9af7009f4edcf5b50d5cd1c5_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3680

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:628

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2864
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2e25309c9552e223d7aa5a18fad3fa5d

SHA1
c016ce99ec8a8624deb1a64dbf29514ccc28b128

SHA256
9c2860f6594ea659b9985c94b3e61ba25de09e070f638da3cd3a401ea8f9f33d

SHA512
c2f7abcd1e1b168e6f13eebedd11fa66ea0db9ffc0177e189ac3ca5be3b190bbf541b17e0fc10277327b2a46b38b008e73c6c197e20682b9c896b41ad640b522

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
ed10c193497ab0bec152c0cfa21e1340

SHA1
e5e0c758da8af5745ebe4837af0832a51607497d

SHA256
69b524f52fdbf2ba6601f439e369e4ff1ebb0b231172aaf15ba05c304121cbc3

SHA512
dbe7a9bfd563e53bc754905676b186de23dd48505b49abb4ee6c3250f9869608ba8cf516150b089cf952b85e6bf830ab01a55e0b0098e2eb17295b8282cee6fb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
004f262cd953fd25fce7c6633069c990

SHA1
89d9eaa6c87143bd55d1cb91acb3d3a5dc30daeb

SHA256
585e6c6b551142f5d92437668854647431b5c82b3070a2f2e001cb57051df3cb

SHA512
dda755d67f4b355cc3fbdc05de546ee64c296b4db1205bb6e2dad350f5f0407eb307ff2d39a7b5eda8a016e3fb53089dbe51fcb929100ce5224c8c8da02e7738

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
331a460a37d0f190d035f25d5534bb2a

SHA1
888c438f06f5e99ad03315838146abc5870d9d10

SHA256
4162a51052028ea6d823c7ddf63a179f9a5ed1ac2d4bd34273b190dfbe85eecf

SHA512
95a4884e7fe14830a9a440f976fbd4e88febd2c85c4cbce91f2b23310d6003e4fa22a737abc2505cebdeaf022685909d65ae2474a2a7e3ff7e40ec8800e8538e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6f5c81830cbfda1c3f7358747d156d1b

SHA1
c3ac439bf4ce911f80419832e4dc23a2da14f37e

SHA256
7e88e68ea15cb13a923280a2cbeacfda75c7281faae7c6944615d2996a5bf534

SHA512
50ffaabbdf6fc1a89ad85c03d67efacc8b1194037f3da1c13be4282f815bcec1aaba12188216b4f244d60b7c317a3467552fd2c84cc41baf32e0a2e8e7cffd19

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7cfc02de1d8654a67650ae55112c8f08

SHA1
6003c7c384b8d40bdbf9703ccb988a3bbe61f10e

SHA256
6d0cf100dd4a594f191f1bc57975c01d94accaf134b0ce03b85511de8a752b68

SHA512
4322a3a01bd075fd34f47d321c11045a5b07d0e3ec35c690db1a2817397d46b24a909ec59e94d11e7fa6d4cc1ea0cd8cd4cccbad3f8544233448ac624e5fa12a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0363119ec719179a56a817be95415260

SHA1
f2639db88f722cffb99c40fb9658aa71f66c15ae

SHA256
6c99abc861cb9af48e90038b6001e9a488c3c08d28467493d20eb8342dff03eb

SHA512
a1ac4b4522eedc8c1b58f563bc70a9387c7fa44b8f98cd851872ff756ce2a49724356f0d87c3d8b0a4ea2278938f9875c5323418c29d32c30344fcdb8ba21f80

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a3b50c5a482869a07f87a438a23848db

SHA1
2474b4c5276081cfee5cfd839d6768b843605143

SHA256
7b777e00bb486c62732811a24741a3c1f673f690fcde94b165863cab9661d7c2

SHA512
7827f478a239c2df7c52108650ab9bd3ec152a8aa6d00284b32eca1a67b1759007863d49fe0e13d8c936987e68bd3033d64e79490a9cabaaa02ff389fe0906c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8de6a9b8730a9476c7ed12fbb6764654

SHA1
9a096344ba4370e07b8c3fc87ac67c49048d54f2

SHA256
a001011717b443204c73f098a43c695bcd4aec5859a2e11542de719c1a794191

SHA512
72a74f29fd51cddb313ad8ab5bb9bbd7fc1e25248c5cbfd51e488af0b6ca2253762f34b32232cd8da1dcab6b0bde7a25cb74e8282580578ed63b7b85a1b2011f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0c4aa7546b9e30aa924c8d0bd0a1b457

SHA1
474ade6778372112d779a6c38a459d2bb8254c1d

SHA256
d75a748871c27e219525ab634c68a8ce2300c817a55731954b83bd39c676ce62

SHA512
4b2a152fd927c8f5e46b27750fd090a5bb45b17b0db6524b0f7bab518b4a3f3d748d3d2836bfe53bb8a60f8874af7ce85b846bb4ffcab5867290844cb054ce0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c447fdfb145571ebc9626ad2e8675a50

SHA1
7840ca59619037904c6d32cdfdda47aa7d6f674a

SHA256
3c77971e80dfc1a6dec22f829e8d27cb684852251cbc48523a564ab9ae8f163d

SHA512
b8bc33c4a54955413445c5d69759d519befab65acfb8074066e28af8d784f5819a68353398d1e0a78415ba8e19bd16c48fa98b7634e3238c6195f18fef686206

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a54fbab5e407c44d014c90f242c4692e

SHA1
ab7449055451e7b9535fa092d41f92982d0c2dc3

SHA256
adcc469a0956210701e8d1c964d750834fe3621ca013c74f363b01b5917a151f

SHA512
959c466028e0256971e3bff35b6c89e311144b45ddc0ab06547c1fa11a1b88c92ba0836301b5a4117f7a3b48b95e771baa3ed9139efe8cd5cb75e54eb6bef3db

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
eca275bbc9da7ab2ea31aa5c2c8b576c

SHA1
d1a42f8372b9b76f1b824266b88ce2f3fd70e976

SHA256
799d3580067147642fa3c0cd1c8d4060b3c4b2622ad9548e853454444967b5ec

SHA512
b529a91fca68057074c601b36669c08437fc1b1dff58459e292ae9ba3277dcd77ced226d08dc81f5533ed31eea25377924632c1607ad6131971b5948cb2ae346

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e8f38825a0096b1bfac21947fbf29bd9

SHA1
9fa624b364ab25162bd4fb19a924872cb0461440

SHA256
afc0a52681b164caa8c10d1c0271f8ab2667d4cd1d1a3fd95fc21e33aaa7cc72

SHA512
ca6e9f2ec2beb1c9e91e94b1d91637fc4f7678631797fe181d40b621d68f40f85317ba086503fe4ad3d1a55fe12f2882a10cb6bb18aba3075bd2c4db2a8961e1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
91e906bd7f56726f2acfe6f556d91a87

SHA1
b78d39265ebe5b3a38ecde2f62448aef99ecdcc9

SHA256
fc0fe4159e669a02d6591e8db2fb29763e8319444a156e8584f2ea3348b5f9c4

SHA512
4e67c9245e70fb44edc9aa24461db0199dd1abee1d9bc48db36ec3a1a37b219e5f17b6ae5d3fed41daf347341e4fc41bb377614e496b54f5da94af0b3117a6e8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
4c56b22bc202846c9ffb099d712829ca

SHA1
98d9f1a459e7500218b059c9eb024c162b5679f5

SHA256
f04b83786c642746179cb473c725f3344476cb374436158340b1b8cd8ee10f61

SHA512
5847338200d251972360eff5ff3baf1f2884f67d3cd1b53ec3866f1442c97fe90086151433e002f2abe9336d7ff96c1f8c7d5815b7c968d882c098951b167ef9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4973c1b7263325853c338a004673c107

SHA1
f13b9babda3aa994f46a10bac76ae5eda5a17138

SHA256
eaa661a21b2d6c84c619742df70087650f65ac81bf3eb07fe86fe1030a41f281

SHA512
02915bbb8975ca9c517f8e9649ec592b97c39b51fc40b988ac09a625b866b2777ed9428bf59a8456e5e70fc1ac7c20f20d6bcbbd8ba27a579d4b2281f6680d56

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
5000b5aff6e53f2a0c8be7e693da5b41

SHA1
0912bf7c8e60fdecda9cff6632aca44b41ab288d

SHA256
d1f2687c248730a0a51f18a5229656fa418a490c5a685f781c857f055c61bb5a

SHA512
ede8f9a26aca9d462a15edb5e310e8cb7ad99d76aa93af623378f5a4c3668ee536c10d917fea74bd9f08e85a8e5deb1f6b84c99cc602eeac890db41f131e632a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
57b10aa0ccfb3ec32c8ba16cf40e68b3

SHA1
839b10a9f95311ea228351e9349f0b3e0e75ad2f

SHA256
2968416371490d68503759025885a0c1d0addf37c712856c9a869c2f424f8834

SHA512
a5e19835c1004fcf1633e388c84574fd961e2c6c9451f287d80f22644c947bf4a29b55404e908536c35f1362db82a63244aade7b023c1fd011f7962343d6e160

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
be4b232b86ff4c872c68d3db7a611027

SHA1
dbf9855eca17415b0802367ffc4d0ab9b4ab8a80

SHA256
aa2446dde9c8a7edad65fc1755d44c28d3d77f6a2b46f40a5522631337e505ed

SHA512
4bc2d727ae989acd8f3cf9c30e95dc2b57147b0028bcd479f6a0bdaa6e0f42910e84ccc31644ec24fa268a9c7ec27ad8bb9093022f53104ea844f7e3b1e4cb0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
991ecfabc8511e0c6a1371ca57afe86a

SHA1
c4f00808b033c8145b0a3b8f721d7a3b46f240a7

SHA256
99581c67c8b6de1f5801661a5110aee22cbe2e13d9575aa2b9bcd1f76445a050

SHA512
e85b91774ffe257c3c18f174d66ed0e980436ef5582af8effcb6c80489e2ae8727dac4de61c364a90cee33249567b09f8b3b8fba86e6260efbcebbd809ea102a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4969595413c6c20866bb19ea4c814cb7

SHA1
fe3cca5f169e6393aeca64826d43dee25c683ebc

SHA256
cb10d046f550a66179be0c697a1bd6c1cdea677036a741af6978a0e3eed3641e

SHA512
e48e156605b83f054e73525be816dd079e79ebfa10dac59566b926b996bcd4770acb94027a754c3528482fceec5ef3e3db527e696da404a8bea82cbc6726a253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5e52240c07195ed905d191f2b5a6c28d

SHA1
4ed3fd768b0d243dd333853dbd8f30ff106c9b54

SHA256
4e1be93681565a11558331769219710a272f090b66175bd2fff760e512ba37f5

SHA512
718c7e1bf11b959cf7d7b5a8c1e68dc0b9178657cd2608f5060f14cbea4a4786f1a812f117136b674324a3e7b5d29d429d1a67009f0dcd5488de485465c92a42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9ce3751e76f78c7424e3baa265fcac50

SHA1
00896401db5bd8283036c99c51438d0ddaec915a

SHA256
eae9e5e69cec9d0bd9de4dd35b157c30edc4dff1e6bfb7b0c8a463e81b5e60fc

SHA512
333da2d2c965a547f628213456173a5fcbb919dc5c472583a861c6517798e6e168145aa7620e0a8a1bdfbac5a12fe185cb603501f8e0ac16a86f23193fa9c401

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6e5810c3a9f29c26f1e0e38dd91070b4

SHA1
f0b656287284979dde038ceaf1193ff499425f7d

SHA256
5d85ab5394846f22fcfd9410fadaec1b7a27643dfaa8105f4048d462c2c91ff2

SHA512
d07deefdceac3bcc3e539a6b339a49794841607503bc3c87feb4d632d680095869b2e677dcad4f9432f90b3778785fdcd0b537c67218e933cf7b2b141a69e92b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
00e3cf19625a6731e7ca3998736c8154

SHA1
d86e81db7012c881f2efd1a9c2452eaa1c160b67

SHA256
393d2ab6fa1a9c41dd89da495d5b1c0d2dc81c343929152fd71e40725b688e19

SHA512
cf34f34b5dc26202b8a42fc034904ef92992b0946b05b795a22b05ac16998912266a3189f8330c610c1ad544d247e643e954d9c1fbd59b87b5e6c943eda30769

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
148e35c6c213a6ac319bf72d8adc9c12

SHA1
16d4b4c48a0eb7db2f1a35ee95e28fcc8075efd8

SHA256
693d394975885f0212510dade3e0dadf1e31fc687572f2fa31afb167d54809f3

SHA512
fc032a5d358926301bcc6e0fe2e997eaaf9b5420cf34015c277298f01a7f31e76644f18360a45ff777916f1c99f7c5a4137a4dfdb2398f10d7aeffbf24bd547e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4893ef3e854f60e6d9fbbd3ab5c1d3f9

SHA1
77d17b244415f49dd09a47073dc3ff44bec61ca7

SHA256
4d23210902d03d0b77aa6b1927d355c1a01a98af545d06dfebb6b3bcb5e73248

SHA512
b306aa512d724ca969e0999647d1c901bd39a928da179821ce1fbe44603c225d05c0b0e9b2e2ad307f85fdfd1275e313ec613932e8f278d2b14faddabec9ea04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2e5253a602cbe9a253c6100bf8a35c64

SHA1
72606482b0489658e951edeffa09597bcd6bd658

SHA256
4d00f938488874d631fe1c1f0fc998e359555945a9db201a6f948c590d55da15

SHA512
7fe77c738a184d6f6b426a98d5ec7eea534d78a70069e43a5a1cdbd7fa73258a50fbc9d862b359192718e79e840daf0e8772c450b349fe5e571628d122acf531

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
54d5ead2af6d8f46b5727717826a30d5

SHA1
41bce8bb0f12d8288964af1e9f54fe0882d3c9e0

SHA256
173569450b106bd9f591d93b269ecfdaa200ed9605369aed5479e061ea0d0386

SHA512
97ee60b98deed44b12ecb5d131fe1a5fb398ad69e017ddea631ec020d1f639b244f20c2d7c01086a20fbfa47b95b5e38f0c829036e54facb556527442beb5038

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
52493f50790989ea4b8019732ed42ee3

SHA1
551afbf6b12f8d6ee8f5c65cd34f0006814840b8

SHA256
13886325361ff52af0ddd1fe035384688fe902ad9dfe0c49b4541e519a367a66

SHA512
ee3ddc8b50d3a81367b81c873e2569d5b5cd6f3a00059810c0995a21fa2e4a266b2e2153f15374f9ffcf74fe84d12e859f890aa7838638bdffe2b289fa22488d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
aec86f8fa81271b5eb5f2f4defe06d79

SHA1
af9f9b4bb5240e0d949e0d7d98fbd1fd9df3c55a

SHA256
d8560e639ebc940fe1d1a6d15cfbbcec168233365da48ee6ce8dd547a4b88c52

SHA512
95e1c439fc00a67f5ffa6ba87ca28a229712705a6620a4b7ba9d8e8120054edaddd8b9e42b0d684b8258201cfddf215dca195b295fd02e08ef0a7844bd2103ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
88656f89a2f6685b7c48f7ca9d44233f

SHA1
e1305403407039533bf52f31f1709767612e63e1

SHA256
cb8e70e7e7bb3ac7ba2a9a9b33386b4158e864f666b4590508dfda66003b206f

SHA512
d2876b0293fa670f57b3a66560ed8d30f7132b42a24467485616a332c7de13fcbb14736eff73fa07766b8d55e5fb989575af28698673ccdec5fc68f6827912bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
950beb759206969b3f5a57bb7aa9733f

SHA1
53ea75e5a407c3e0620946d78db500e99e48214a

SHA256
30454cb093ffd45d9469026b9710290bc904413b687162e6b9b28b94e77dc8de

SHA512
07ef7042441f0e767718e7b41c63718619df5aac0c5a16bfd335ed231d14d513c5626b922f213f26a2bb90409dcba041bb715f334b922f6a82973c2a25a29d19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
44cc27e39d39f14a6a414d9be95fdfa6

SHA1
4d3f716d6944107276b10282a88c3b0c2b91950f

SHA256
b49e73165fbc98ff1b725827ccf64cced5b72b178069208870751dd889a1b6cf

SHA512
50402be81e9824acb30009c4cbbdcf73d9f06b45a219ed5a42d6b41392836cc8a2aaafc5157a81fd3b1e0df2ea40354defd45c9ab861c86dc4de072663d198e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6d261bcd9bfaad73bea86dcffc844239

SHA1
279ec5d2f6083e77c26ae5c6b91cce9224a640c2

SHA256
03e5e30f53577c1127ea8fb52237f4b9daa609e546b0082170436abca6363689

SHA512
53b19ac1d91ff098f6b4685705258de6969e11126347444496c96dd955aafbed83b6fcca63c7acb68ebff065b938d71cadeb3d38e9a9a02576b9e934676fa0b5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
17c73505b44aea591ab1c0e0a2487334

SHA1
3efc7359778a54305e02c4cd4a29803dc3944276

SHA256
047d96ce95557da1a3bbedd066f09cfec69e419df06b572e0855046b4036a808

SHA512
66805141f268d84d075f48d628667445adea511d29daa4fc47459f101e7a273a49ce46541e89188c1d5342a4fd2c025895839e13771b298372b8f7d32cd20596

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8c3afe936901332ee37de02143ea8151

SHA1
c1509a864262e962c4befa80b6ae6aa6e9dda6ac

SHA256
0acfd63becb860dd21d2dc80fa0f951898fd99de25941a1bc5948508c0449e7d

SHA512
600bfa955c6d299eacf2582ac12dcdfd54f0c2003fe84a9ad39078ec8b6ab5ee161faeea02684961ce5f9f73a1dad379674844498d60b8dc6df06188ee267005

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0600d1095c2282d19ccac209fb1d8310

SHA1
47c5603e7aaa6a5933d67add258841ddf5e75b0e

SHA256
7faa5f815e63b3e995807d5ce2fed8e244a713cbe16b9435e2d6b929aad1a26f

SHA512
963271788a2efc896fa78e54ecc2092c2b78adb923c05bf2fe82bf3bd0276abc66f59a941035171e3be95e6ef17c6127b30b3cfbdcd8d45ccb15bc9e37633fd6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9c122b7b9ffc807a1012d61db9ed3303

SHA1
db351f2aa7517a5066e33026daaa3f373bb22096

SHA256
8f2d3b2a961dd9d43eecb7d39bc0f46f61413b717fff6d0c4148f5fce13e5f97

SHA512
4c4b922bccdb7f70658a215462d9e399a99d216f3f0376e5ad123f57465fa12100bfd00de721e026e1b78bcff500196465a6d5e72ee58d9705510093dbe93653

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6d9123139bf0576d5b27418ff768e9d4

SHA1
d86370b9b92bbe4b9f77eef8fbeed1cca400dd18

SHA256
c8cbf754d79029b80ed1852d493c8a2d32b6212700ac397c15b9d2ee70e4ecdd

SHA512
47fc5e052017ded07af29d720dc880508bc08a15f25865e5c6aab765b79ffbc1d9be194921fd1b34964e545f918bf12ffa20b233dd56b6e51519fa1f838f0d63

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6f1e8423321e85c2bf4bbe5cf12fe82b

SHA1
26e08fece0ec275b7641291323d37f79d8c2f040

SHA256
3505fc001410566430455fd2f30edc5a81a3fffeebc8fdee3c8c32327f3d03c3

SHA512
361eea2d234e9b815c1d7e037ab0eb4fedbcb1cb2ac894fba2184af2b8a6397bf9fcce898101523721f46a4c5c50f37d3519b1e82df31619a847a23462345c96

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
17a81afa88cd24a6f7d3a2808a5031a8

SHA1
1621f3bf17962a70989b82c7522621b7afda908c

SHA256
ff9dea7cb6a450c9d9ff9fe652e7fd1fb613913bed6a50948c73a11c2f60d3f9

SHA512
02dcdf41e42d238b1d325bd693ea41fa83d3d4e5aa0f42c466de06d9ffd35d6f447bfbd00b373f13755c8557a7ebeca4fd62b741d6e97b3929311f364e66450b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3a21c89b8f07118e14e2fef282c7b3b4

SHA1
bdae655ba3adbe229f0abb6a5b2cf73cd273e875

SHA256
63d322fe5f57cb79380c86ef6890c7f171850ac5be96f93baca72cd9db861e10

SHA512
e079573ce5f8285e5230ba98c9011cb9b872bf2d13a408afc8ec0e55df80edc1d00bc592ed2c324ae3ff858c07b2b458fb8f3765d04355a7b6fb600fe2be6f88

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fdc10f0c0ee514c7ea6d4ff11be9b34d

SHA1
9362e6a4f4d38a38a0716f57b51b39fd97cb86c0

SHA256
47ad56483f261f840def7ef4f6fffcf35f9dba765d63d3c3adc4f907369dbac8

SHA512
858e1589d05478d3d88526132d5c76fcd3a6100af262c6b8bdd6ff93ee5fedfb83584d6f9b67f333a9d9218e39cf4294de68a6c4739928b5802b457cd853d545

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
713d23a09943a1fdc81ad96b07bb1fb0

SHA1
88eafe6b60f63ed9ec95a84ddb83496f0a2a143b

SHA256
63d3e6527ea60f672879294d040d3130f3bc252c735ee041a52b03bd64846ce7

SHA512
b6577d8229ed8d866512f4cca331cb256814f4a2a10b11bb2b32d6cf48a5dfce722e0dd9969c468a9e15d1664a53bc2291c429b16f8855e4c0ffd20a8d2e4d89

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9f2bb79734ed3cc46291cb5e7177f97a

SHA1
a87a3b016cf5ff6ee29726af292df2fea2392020

SHA256
32a32f46176bc684596029b0e01d303c4bdb2736cb79429e3485269eef97bbb3

SHA512
31b2ee46855cbf5ea119f24a1169b4a5186c0d7a18ca31c20a6049ecc8c06e6cd499b9a7715ce797e053b1791cebf6351e218ce2e716e74dec89fb08b3a77aff

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e99856c0699b21eaa2ae929f35ae974a

SHA1
8637f87b71891d18c6763a31b85d767130055728

SHA256
ae52ac951591ea1bc4abd494e9d2fe0544a0b8c8e0ac0add632259297c463f21

SHA512
57daf81570db7339551fdded08faad9a2e53d259a398972da7d30f0b45d2cbfdbcb8fd9d92f49cb4bfc9a9819a503880aba37ed28f55ad37a5ef90dccb849c8a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7d31d88df6d5e4d04029be2836e4a12e

SHA1
ad2e1f088021de06e189db9c292cce1e56474ef9

SHA256
0bf5b16f38d63e9fd13f7effa27a69038ecc67219db740deb7e08d03b90d6db1

SHA512
4fef1d76c43de7c6a8c130de1e6d91b2d2541e66ac8a95aacd6610425bb6d64d7a426107c692e10426115c471e630e68da5962e6241f9cf2ca2b3c05b0fa26c2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e89a761ebf3276f051d27e5f87d0cf0a

SHA1
9f3595c9f67dd7d40c68e91156852c967d1b391a

SHA256
72444a0dfa5387e29e70c97eea81a9c5eac34562a2257e7e64ad15503e9dbe71

SHA512
7245c8ce1cc9565a6c88594b1a9903202cdc84eaaa9ad36d02f3f2be66cc9788a1ffdc6074db9d72e292ae9e7d904b12f66bd32984f60fd96e83e9f28fa7c047

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
16699230686fc3fc0f5532e5ee47314e

SHA1
e397d1014e442d54648d1d0f3271aa1deb9e6b41

SHA256
6562412bfbb5679e9ae081edb76ef0685faaf649dc4e8845600d3decfdac63cd

SHA512
a6f9fdfc82d505decade29e1f605c30bb4b52a7c28875750ebc1c0603fb1c8301ea6d755de1144b9fdbd19c184543d22db6046ceb2336050630bd4a7bac3f1fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
81f5036701e7a48525b73b5dc94b73f7

SHA1
15856a5c8bbda0b9476ad61432f2cf5dc1a7d571

SHA256
1fbbfd07bfe91ce9c22433940ceae945593481dd0d379103616a90819612f2f2

SHA512
9974abe7b0da10e5c7ec27a59a3afdbba6afa529a9ab69808ce8095cd44c36f335a4eff329c4aaa58eec1e7af881e037a2858ef178d92f5bc99a8f6b010d8ed7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c4831a3eecde318283c8dc219e31d735

SHA1
db1af622fd93f41b17d4d86a784059caf7dde7a4

SHA256
7946840c09ebe40c09401cbf5e31affe4e813df3ef6b7b552e57285554f4e9eb

SHA512
0b0934c2952648adcb480d910967ce2b71ed4bfa1b84a1b0d2d5aa3678ebd4ef92f5e80a3c48e6df0fc847347e00381348327e2dd2ea194e97ea3267ce981dea

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9d0c1f06dd030c87b67991b264a82170

SHA1
be8e5944088b0d3a8e47aa5700e8644575006e32

SHA256
6557a6a2cfcc13b7ccaa887902adceea439e349a6e687e7d9ae7db7a4fa29762

SHA512
b65ce0ac1d63fe3045a0e6aa5c32a7f1eaff86c849c2302f29ec1193dad9dbb91eda67d00208af76c963271a6bdf503ac478108314e4f0081073387491af3ed6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d056810cdc7627339c81794ed0e03950

SHA1
4348a98cb474fd5d8250c50dc414bb5672819a2d

SHA256
182fae874e3f214e72203145ef4fa7d9053829709aa6ae014c81099ef8b6947a

SHA512
bb0ee193f38d6768082240a7d00689eb4f71700265ca83d22e631840eb89ac8d0e07de14350c62fd63ed966059d2f3d6ba6469e5d7a277f7a5d3aa19a0f679c6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
104173ae8e32a09ad67db855e9541073

SHA1
c4739310fdf11ef4dc87e32d5ffc2a39ff87e07e

SHA256
9a094788bbd712474ae69cc7bd47e58b3696711e54b9ba40ca28e3dbdbe199bf

SHA512
214df7f789c380fa42a82da10186a945d96a83df3c7fc1251854ded46c4ca0a1c349730b84e776e7b1d9826e5e0b4e9ce6749facdf62add7bf84ac0b2ec6d929

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c5bb88fad75343f4935f64634ae5b682

SHA1
d5aa35c529da8a47982f93f1fc5a9a16792ad441

SHA256
0faeb09204bf69a3303bbf49a763f8d8c67426002a97f3d3b29261dab8a51006

SHA512
90ff996c83e41cfbf3e5f13a39458d2786c036f3929e8abc68e10789b50fe76bcb4942cc22b4c320c8af1f089da16b076e65ada2350efac16eefc0b005445a82

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0b64d8a43f9890fcb850d4c82f29a86a

SHA1
2aa647da75160104235bf7038580df60485e9cca

SHA256
115be94a2e26cc2aa9ff022f226190f26dc7b7d9097b2acec712b1ba274130b1

SHA512
c6da6d1d485e87deb01579b12992c735baaf7b5adf27454f0edd6aaf489272052e8f0c55fdc380da362ccf80cd3b0f9c9ffdc277fc60b04e87cccf406feede04

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b3bba0057d8922121445ed5bc9b5f5e9

SHA1
a98e71223dc44737c0e42e5ef8a4728bb1a8bae8

SHA256
0099fb057e77e52250b0f8d809f00d51bd6ea15ebdfe78c685bcb0659db0712a

SHA512
08767bb392609592ade41f3548c3b8fc50c26068477b759f98d8f64b9d2bd9e01ece071e2c44e18c27be4369574f5c73bd0915725e591b575996a66d3b352bbb

Download Submit
memory/640-506-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/640-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/640-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/640-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/756-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/756-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/756-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/756-507-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/844-144-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1152-95-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1152-79-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1152-73-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1336-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1336-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1404-148-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2088-511-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2088-147-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2432-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/2432-8-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/2432-142-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2432-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2564-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2564-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-145-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2904-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2908-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2908-319-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2908-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2908-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2996-143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2996-99-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/2996-104-0x0000000000760000-0x00000000007C7000-memory.dmp

Filesize
412KB

Download
memory/3060-139-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3088-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3088-514-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3680-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3680-66-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3680-55-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3680-61-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/3680-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4336-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4336-515-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4384-150-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4384-512-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4400-149-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4464-318-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4464-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4684-83-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4684-89-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4684-96-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4684-510-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4928-146-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5028-94-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5056-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download