901cd1d56c07f1183e764ab2ecc299c680b4bebd7b3fff6149c7ae56ab72da98

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Size

2.3MB
MD5

129ea9ff225d7ec1f8b1378d31aae6c5
SHA1

5305a7a803a5a597ebf298fb1f725e62c2938a7e
SHA256

901cd1d56c07f1183e764ab2ecc299c680b4bebd7b3fff6149c7ae56ab72da98
SHA512

d4714a80d147a264895fcc6e2ebea1a10b5cab6242d8df8e157c4602058c0c9e061058eecf97393d8503ccb2d0418300ca215c09b209e1d8a923f38433e0c20c
SSDEEP

49152:Lf3ZoG3UCj5qzWt2skmzb2R3NBHCYcMpCqy+Xy9mp6IiAQgAT76sQuE:jZP3UCj50WtQwb2R3N9cMpCqy+XZqGs+

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4936	alg.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
3376	fxssvc.exe
4620	elevation_service.exe
808	elevation_service.exe
408	maintenanceservice.exe
3520	msdtc.exe
1108	OSE.EXE
2292	PerceptionSimulationService.exe
2632	perfhost.exe
860	locator.exe
4504	SensorDataService.exe
1304	snmptrap.exe
3412	spectrum.exe
4704	ssh-agent.exe
2360	TieringEngineService.exe
3352	AgentService.exe
4352	vds.exe
5004	vssvc.exe
4148	wbengine.exe
1676	WmiApSrv.exe
2708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a4c66e6352c8123.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{95408F56-EF00-410C-B74C-E876227BF0D5}\chrome_installer.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\javaws.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000871bbd7c20f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc0c4d7c20f6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009890d27c20f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000079e617d20f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e7bfd7c20f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000522b0e7d20f6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
1796	DiagnosticsHub.StandardCollector.Service.exe
1796	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Token: SeAuditPrivilege	3376	fxssvc.exe
Token: SeRestorePrivilege	2360	TieringEngineService.exe
Token: SeManageVolumePrivilege	2360	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3352	AgentService.exe
Token: SeBackupPrivilege	5004	vssvc.exe
Token: SeRestorePrivilege	5004	vssvc.exe
Token: SeAuditPrivilege	5004	vssvc.exe
Token: SeBackupPrivilege	4148	wbengine.exe
Token: SeRestorePrivilege	4148	wbengine.exe
Token: SeSecurityPrivilege	4148	wbengine.exe
Token: 33	2708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2708	SearchIndexer.exe
Token: SeDebugPrivilege	2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Token: SeDebugPrivilege	2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Token: SeDebugPrivilege	2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Token: SeDebugPrivilege	2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Token: SeDebugPrivilege	2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
Token: SeDebugPrivilege	1796	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
2032	2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2680	2708	SearchIndexer.exe	113
PID 2708 wrote to memory of 2680	2708	SearchIndexer.exe	113
PID 2708 wrote to memory of 4872	2708	SearchIndexer.exe	114
PID 2708 wrote to memory of 4872	2708	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-24_129ea9ff225d7ec1f8b1378d31aae6c5_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:408

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3520

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3412

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1648

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2680
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
026b99312968559d5dc1b696a6fab1c8

SHA1
38e8ec3265598d48793269dd9d2ca133d4110415

SHA256
fc363cdc8191f00f62c288bf1654afdd6f8c0d22dee7dd5ba8a4f14f7548a890

SHA512
81ef5293f294c5db46b28578cf44514a4a574673dba36301d81c54d4577787bc85f45e0623b6eb8b58ab87d372bb49bf2b597325c46c397fd6cdb3fb27cd0314

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3713e79e9f75257da5f5cb6b63e7e845

SHA1
b51cf267b17337fef74a1570b8559f560dc37a02

SHA256
f85b374978089088dbfd38f4ffc8ec0d2ee41a559cc37772b14c94b33a351d71

SHA512
07c5f6d2fc7da73f3ff868cf4438fc105a69ff083b8d66fddec9c378cd054fbb313e6a1b99ea6d7a1eb8e4265c3ae2da23677608810df01c4f241170f3706ea4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
138a605cb4156a7c97ecdbf30aa9830d

SHA1
39b7e09de71fccb3fa04d45809c0d76d4afc2fb4

SHA256
55ee1c215b9c28ab23e5e6dd97c20246aaa820b8bfdccbc98e45a11f9b56e2fc

SHA512
8394f5aae115b0063d01dcbe070763d4449d275621aaedaef6117c2016d6b62b560b43f95f2a7aba391c03f8ac55a819309ce02733ba8700373ebb6ef5ffda9b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
71c98892c4d75452a2b5fb7a3bc89b97

SHA1
f067a0cc558198753615a129bd6ddf3552aba46b

SHA256
ef7cc813b3574040dad119be4f43d7a24686ef1697051a7b551e77b44fff10c9

SHA512
c010e98434f6c342dad06b0cea0e67e36d664cf2f3569e1ec48762e65a50efbedf1decbf65486bc8ea419a999c3e412aa91e3af9e9ec409232a41f6ab8931aa3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
548eb7631c59179e8850b37567e54acd

SHA1
c3b57f47d0b735cbe751d28c097af1e13b0f48c2

SHA256
f0bc1ddd5ff04f80c25ce127c0b01bd92f2a4dc0ced41a32dd6b2f153aa4d772

SHA512
5c6a719a56d922e8de81f4fdc2a580659bf13c777bf530307a7b322de09b336ff4a606b74d4e5d5d0c4381280dfc25825fbade115eae50568dcb7882e0efae85

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f2223e452822836b13feb0951fa50fc8

SHA1
4f62324c5d0e56f9f57615f073170205ba8d2ebe

SHA256
4a016e62c90d130cb52e290a7196fbb9613321caf7d44d790a07fcf7bd7b4afc

SHA512
a964e71595f66549ebf75d71b7de8b0a084f747e6cb4c4e3c80d5c315723494149bcf1ae0bee5e796b5fe7ff5ba2212827958d26ecbfdadbc74b7c25a64c3186

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
0a38e5fd226bf3f4ad9f2f8aab94051e

SHA1
1becd36a289472aea1b217d7f965e678a4ec4327

SHA256
cc03c31f7350c5dac6116a704f306af933e9590d8ceaf2bbc1d1379292bae153

SHA512
17c568cac45837642596191a0238a2d2177cc33dc7722fa1d04c7a0e52ddf8d24b3e537ad21ef700d703ccd9715d90c38d08c9636ad1455f4c141cc1b3dfad29

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
571a48110dc4e16bf7ef07ac423e4881

SHA1
04885ef596004dbeb6d4dfb9db9ae4d62ef56cea

SHA256
300525ae63bea47fa939d99802798714cce961f5397643a94d62aeef3905a61e

SHA512
e82ad12750a130ce1f706b4025c9201fed7778feb53386b327f820b93abe8450233ff8428318a9c83a4bfd05564ede939913b549aa986f6872765483bfb86349

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
dfaee2b243da847698bb1afc2cabf8df

SHA1
8f754a655940f0ab9d144772edfaa8f82fe5ab74

SHA256
f0a39b90fdbd0a956d10017472c67d29e30137a0b0753bf6ac511fa26e1f7dcf

SHA512
d68bd57a23797adcf385a59da365b3f56add3e760c016bfeb06e55aa11661366e9ffd57ada84236fcfab598140eefbb78c95ae22bf969f7eda26b5056e99abba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3a50e2acce67de560a1669490c176ea4

SHA1
b35764d046f32bfcec09a6ce09936fa75f4d2ef3

SHA256
59254f2a810be3da775905280b60444f4730208d23e900ea3f2f303b2a53297a

SHA512
5275eb8c16338d256da722a833b3b4468a7d310ebf37a09df7db12dd59ac51f55b8c3aa850f1fc7d587bc322cdbd3c6c89aab748a013bce0c875a2ab1353217b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5b94afd15bbda6d3e73d3f38cec097ec

SHA1
80bdec4727991221a9d4021523cefbe06894765e

SHA256
fa92c61d6ae081a792411c87af8593d33ed2b0206665764124c3fef8882f31c9

SHA512
8abedcc7e536cb233c687d9eeb5efe3e7d755a1fed676888a7ebad0682790291fa326ccdc135149fb101c4137158ec5a821689a16e70f6c035ef0fc40375b04b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6d41533ddb0f2e3a5b2207bd8e50d9ef

SHA1
d11e24ce4dff2962168edbe5223de2c0e5069e57

SHA256
89dd69402157757384b39a834d1a4399639e8039c49f79b7823e2fcc8e4c66ec

SHA512
8e5a5d83193dfa65d949f94c5c250df31b7202b3a04d78f64493b5685994774abefb900ecdf9029f1705f6841e5e63117c4d6e8b2090063515c0eb89bdfe1efd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1374940f59232943f05123d51db7a70b

SHA1
aa7fb9e7aa64caeedd864c2065b924796e370f2c

SHA256
3f5f2e6e7a9e06b14e5ba636c2de428d09584769544f4da679c24b890d6ee40d

SHA512
d0ff861d6dac5787af49a367d6cc24aa46eb34242267221cc6f915b0af030ad16f0bc19575b44bce7c23ad7a1f2e0b82218ea6f320a97103010eda87a44f0a62

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e98cfbefb62c4a63ef5e82d7666a18b6

SHA1
524bd890e6685efd8c22ef5db47c4d4dee3cc2c0

SHA256
43f53bd142cc5e13daffdc3d86ea2129e9aee9852911291e49bdeae454b39db9

SHA512
a91d868cb80b0aaedd33827e74192a812ac19ad0c7960f4b1fc840fc48c774053809598864c5bbbd8916c7b20dd9f021906e2ab1ec17fe9a7aba8cf978b2d40d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
16a976c295eac9ae0599e8b5b6ec7b31

SHA1
828b9ae9ef6ea0b88a3934212956faf23c1c8d9c

SHA256
fe2be1df9cf0ffe756dc97244a03839bdc808414c6c902428cd015ffcec46c91

SHA512
9a7fbf0e14e2a9b79f61aaca0886d60940f880ff8e88d0c6d469bb2015bef543232971e4be059bb7b4f1b3dd49c5c6e09e130cc711bb683d24afa1282cada5cb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ba040b9c16dd053dfed39eed08675aff

SHA1
c9e4c258ad4ca747b85c0b35996e514079a02e34

SHA256
aa1a07301fdbcbbe45d76e073c9e3b1382906dc497e86da835629ee5b65d33d3

SHA512
70782f586a81db4aff58e59b182a359f7c07b9d7d2d226bc3d4672f6cd575229091653bd711dc0472365e0a21c8a4f1af94e9e9c2bb44d2301bd5c2537a6a0bf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e05c08af145ed4090c8548f7ee03aa75

SHA1
872b47121e41d38a7d359e77b8ae626c0e3b9805

SHA256
18408f8e27b89c46fef26becd9057d53578aa51d42325f1f28f38c79aa636a43

SHA512
967cfd7b7f4bcff44fb46f32709b72605c5d13c1feb36f1da5947ff6381d44fa23aef6df59dc50a68d62421ff5f81b37f0b0f7cf7833ab0af88a92d2fff31050

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
3b668f909912e2b6473355b8d3d50e41

SHA1
0ddf3b186dab5d11ad896bfaf229e4915fa7bb66

SHA256
d71ef4f50c0936b6a4c8935fa6e96617bc2ae5949e2d6fa6967e51095c49384b

SHA512
2e5c3fdaf07b271acf2a2b682c4482337efdf134b0168dcb4d473abed01572599145d60463859f3b3949f75d9d0a2eebecdf401a4e1fddb605958497ac8510fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
544da9eca1949edb18ae9ae46f30d5a8

SHA1
059576f2a7532fa53555ec222fde27e2a91b553f

SHA256
5ec103ef0ec361a10e9df33b2a51f573a8dfd17bc40ddb48e729d6ed3846ecf4

SHA512
0cf01b58bded64e242b7fc8fb1880b1addafe6fdc573f2ecb1d6c870b856921fac30533a29500fa6063834a55b71f423e21ae170aeebb57429d807b96fe22722

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
59aa82274190bd1a7c37b3ecceeebb51

SHA1
216bd131cc86f6d4f045fc348a68a457cc407766

SHA256
0bb0bfa95f219402b4c02bc888a2fe74b8af4cd54b269193b3e05f0d3e23edcc

SHA512
9f38a6f2abd3ab2c1533d337e8934cb8d267de881fe5349390235c8eceb79d39ac4c110aae6a7a8a8f32a676ecb02d9de5c6036b80ac7cdf14372ba65e02e8f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
695d03715f1586d97b9d61a6ed823ad2

SHA1
820609f0b8231380997893cdaaf2e7dca22f7ea7

SHA256
f5bd2ee08c688da57b1453c1ca5d9683a42a5d548b2fe6b982240f2eefa7f292

SHA512
91808e26d45e93ae6f9b063febe41c367b9e666b187c89cb732e5df3ae4920752a2bed480c246b4bc0b678dd709fe1b692f2bc32d0efab22c915ea48c4136e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3d21c5461c85438b1bad244a13aab26d

SHA1
ce3e659c4cac0368bc61a63568d4d68f7e4bee28

SHA256
588d4060a46bd9113cc6b993aeedc862681f4df329078aa94d28bf28c8004afe

SHA512
c07854a7bbc1b8729bd7c7aea377a9632d47cc9804c5f6669d456698280c1d681f36b8da610b2bdca1888f0bc28fbcaee9dc6089791901fd0a2840b0ae494c5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
aabc1f59f6e78ddaf0f59a78470dc0f5

SHA1
9c28855192c89d4da3f55252d1051226b25f1532

SHA256
3cdd6d9e0c730e011d384769f56eeb51a9e72359fa72342a0ceb2a4ace4ca18a

SHA512
40177521ebb7b651ca5c908c97627091758fdcdc2dc783bb3a7824948d2d0dd98f468870a4bf2277a4ed50124141fa5e0d7519e99ac2e7b7d3b648e9e42a0a28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
f0c00420d7e6437d7145762a8a070a23

SHA1
bcd7005e274839aef061ff153624cf30188b1681

SHA256
4f875cf5378c8974f2c32fcec4398dca916be24eb7c1fdf4ee6a3ec750634058

SHA512
43fef78c95cd8229ace8702789f3a8af265ddf192c699f654d1f3013e6492d439da151581c5de04fa999594dbf5900c0ca82cd99fbf53b2bd11c2ba68dfbda19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
263ab8a075dbdb42624349421fdce465

SHA1
33921c3991ee8b0e9ae5990d636bd0d4cf3bc919

SHA256
778f83ad9a21163fffed7d91ff6c65f9d1fc733d0abdf9498cd3163031163420

SHA512
7d7790035bac5085cb25cefef7b0e930937d244da231e4c0f15200e092f7153226f5699f27c2981a77d8c19250b02210bed7ac5d8a69d07acb0726fb3bce2d96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
6804b22ae1d2bdb68eebc4f77fdd08df

SHA1
95e0e57b912f7c82fdb397b25bec81674af3c804

SHA256
0d2584856d971180aef4a2297aeb390dd2281cd17b2957928e094a7af8b9a37d

SHA512
4d79df4771e70fc5af5e9a0fe870b3f312d08ec349c59a2262a396e924d3e64cae93f70370e542ffd4922e5f4023fa6e623aa698840991a4298c68f8c5ea3145

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f13db691067acba7855fb6d601d18a5e

SHA1
4a547fc71ecbcf20ade6c9027faa6146f0d0e1d3

SHA256
ed61fc7f097d3324dc1797dac7306a768bd6416d44c8bdaeeba6952d97493fe7

SHA512
5e8f05499996db7e03515928e0e3560c3a991512b2c57f899874a90c3fa3a9915357858a8cdb923d6fa75a2fb438dc00680acad3a2ea1e7020be6162a05a4220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
374c5c4edb0d2b12057a7e5f9a165223

SHA1
28532666820200b7bfc9cfb8a444af8a8e65ec39

SHA256
398c5dedf274579f15cd69dec787caa18c6cbdf0849959bae041a9f30aeb221e

SHA512
2085a29349951f2033e975cc47f975c40f0b9916b1e7e18158d3dfe96a417db55d1fca01e09c2722bfc36382ee06f5dddc7152fc18174290bb83257ed14d57fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
66fd4e960539821f43b577d1bc5faa07

SHA1
c898a23a7c380641e7955885355cea0e92ae8838

SHA256
b69565207f2c98296bb88433eebb6ac7fa916f30e29d724a272d04fa0553f3c6

SHA512
7ffbf32dd4eb266f99199201040fecb6990cd49abf275160e7ff82778ae9b9bde4f79a44650595f34cb05eba580e2f00b4ad70f532005dc7725284ed43dc700f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
51d11711a0703c2767c4a6a435a25a40

SHA1
c848c3ffbfa96b5863e296e4fc3926f5e7c31bd8

SHA256
c1f5f39a3a5eb9c3c9dae1752118b28971e3ab6cb21f47f7e4897756a0170a4b

SHA512
43d800d03f812fdb6cba3ff300fb0d6aa0eac739e3185442521fb27d462f483eeaba5173a7b27e74cd593f5f2f3c489e35e5f45f8206de8201dc4fe1ec6302d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
af00cca923d653f5b54148ca117090ed

SHA1
697bd69898177581668f27c16d7c066dfd2f72ad

SHA256
fd75a8ea72b37c0124f512c9584583ab941072a426e642213bda325412175dd7

SHA512
13920e2a85b355e91947627a2f1408e84dd47e799ee0725b967882f08b49af11adb2f60f8d2524502d051868a1c516339bfe45d8d45699f0fb41f9d00c82e154

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
85294d0b389229f8aff967c5c90f67eb

SHA1
d1aea44b529c93dc23abeaadf977d9d62ad274ad

SHA256
05f9e7085885ccd0a882da0bb6b58e562c21a9267f6209999c25f595b0d1bfb8

SHA512
cb8ad82a8dc4a87ca001079b6a5fd1cc5ada60ac9a068c8d6a705f8c3f23e0cdf4a17902e5338af739f50c53a097c2f7c1778cf9fb701f3486a76b90edc0fc20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
ba04cb2375018d7b535627ecebe1f36b

SHA1
94d8dd74634a8bce994336e4dbb71fa972ba3ca7

SHA256
33c2376f0c1e0e010ae8ed61cac63ad81dc4402238a495c9ebdb7b0eaf8d78c7

SHA512
5dbf46dc19fd383a6d010110cfb66929efb9e1204c440b6129e71f191e49f53ff54e1850ccb4782ea69dbae05a0fb866abc358c909ca5ed2ff238f6b08d6d12c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e7811615d7a0ea1c05b16dd67a4bc3ab

SHA1
581f356d83f0735f2b939b75bf9b7214270877c4

SHA256
624635230aa8ba42288f0da98606876bba306cba288357da56fd16881edfcff2

SHA512
504da1a474582aa5c5795fcb802536d8e42755bd90926066c42261e5b86737158c40a72afaf6d8bb143a115c030e71a99efc1d8b1ce9454aa6ff54ef985e1bfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
21cac9ed0fd4a8c0ae6f7d6f075b9638

SHA1
a0ea9d6d59e54ff21458d2e8a7276d752f86c5db

SHA256
90a3490ca93c006d74b5772b4bdda0a428b190a0e6e3eb9351f0355a08796bfb

SHA512
0bc68b21a48eac70a364b75737c85d7b3069cd9c5070549ad187b53a0773cf4ba66167293b6d7cc643bf686a50619f38f97f8ebb8bf5f6cc9efb78a24b777d00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
089dd6010de4cf0605f3f2430574feea

SHA1
0f7906cfbddc63a998f63845f658886c439c4a72

SHA256
9607592f48fba0db32afb858818d0ec84b1e994860799f7e1fd23e368ba7e6a4

SHA512
35a873a7e9d2b087cc97d233a1159ed40fc2261fe45dd130e31002feaaaf698a61cd4ff5c4288d88d546dcf853d90c286e97b3de715c129b48bdb8fa39f6c2d1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7497a021fa958f9f720e45e6c00bee57

SHA1
23f64fadf08c65457e517264bd185301ca7a73b6

SHA256
983b8adb3d2027c0266996092e5c5d9c955cce1e5736aa15dde4c1ae9350d63b

SHA512
0d95aa591870d3557a75b28307c5b6d2e747863925880b83be306ab679336c3c57e0288f7c2aa7463ee079b7458b1cc998b8efb93998f134e48687ee8df6390d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
02ade0dcaa452295a71cde1b3b22ffd3

SHA1
28ee2ddfb5a66a00d93caa52b29e6f41551b3f7a

SHA256
fe972b4e61bb447c150f9cdfbeccc4582dbb52aebca6fba77c253bd3bcc2e1f8

SHA512
cccf1328640192853e1a42d30968e50990e245b1637a27a8508b012ce3708e77332a800fd58269efd6e5c1338e56d2866a793cef6c76c58e1a0b7506bba3886f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
14f145fc7d24f8d3b2ca7bb64cf0b925

SHA1
7d0c9a0d93057387158e39499b4a77803b68686f

SHA256
8a47adf8709b21eadcc381e422ba93ca8a748420591bd3124f8dcda0a50aad06

SHA512
2245935adce089007b04fbb35ff0c2bc404b912dcb34572a511f7fc19b2888c9b13c0b3392a4928324dff74505694aa28ea57ca237f13800e8118777d21de11e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
573eb846b02cac6fd0a74f15c17ae923

SHA1
5c2fd2f976933e2e9e48657d3ed8c3d03ca204fc

SHA256
9116b87c3981a74eece759f37c7bff4ec76daa156974b21c2174fc7bdd7eb9e6

SHA512
163931c955ba5fbccc624119bcbfc88ebce4a828deab6317d527450b4cb4841695ecf674d472b97c6754038926065e1bf08620fcdfef31236c45c03b89edb201

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b7da8c6ef5e1388b0c2a69d97210d247

SHA1
064dceab256ae5755de9cb008e5a823109b54ec6

SHA256
e86e7d2a71b5ae9dcf4c5e4697254098a51c9aa95c4b436677b935e022f092fa

SHA512
4b0803387348b4946ed57a3120ec7a87ea6a0894f085014c23abeaa4b65517389f75503e66467813f757870282c27406de1fd7363de8e9add9a48796afb563c7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a25958ad04533162ea642e5c809e4ec8

SHA1
69d6c81876acb43c5fd2b6a061f4e7e867dd405c

SHA256
d2e38b2855e843b6f2d80de7f17c4fb034c7fd42cbce1869910cdcfb47dd84ff

SHA512
0dd0516d98f155b1ad4d43305a85f6e528a6b169abf45179a677b05c2d1efc2bfc5ebacc1a4376d9a9ebcc368a533af573498a1809241f00c3d67336d962d6bb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
612c67ee8bf57f26f4315b4b1d86b240

SHA1
9df5875ceda77ecc2e8390f32ff300a5ec4bde0b

SHA256
7394ca1970d5208e90be61b5cc828d21fc12db67e7afdffd6c9b29fd16f0eb81

SHA512
57952ef7568051448bcc1111dd95b21a1cf95fa3b2f125f3ffe3cdb675830c46156d684ac72305ca3321b6efadfa7a9874ce864af3dea89c2b0dc9ceb22eb2fa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
dcd8db12319bdf163acbaa1261081f72

SHA1
49284573a6cfd80041fb1f7ed8dd69dbbc94f5c9

SHA256
7e027fd5f210630849e96435958b7bfe378011e1832e18150a3b5707b2ada7af

SHA512
61ab83672c01d32bce51489f6a4b57e0a6afed7bd5c431ad04f57b8d129203b29c84159a7f3da3eee7dea13fd45d7f1ad37baeb09c5b30cacbb3f65c2c64c288

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2382451d291bef1bbdc934448b0b1569

SHA1
9529a10021f66e92d7e48246b957cdfb347bd527

SHA256
39b287f5c801e989997190e2f36699ab1d2ce83dad30c307496dcc23d9a77ca3

SHA512
debd02903be959fc61f7f3b328899c6aad3d269bfa20a0417153729cc7a4f4db9fe244f3a68dea7909d3a7abf2c01eaf884b438d3abdb1589ee0e3635ceba603

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
528ba0361d08023c8b06a5aaedd9b768

SHA1
cfb5cf44ec325edb1cd474060e1beafcea968a25

SHA256
b77b1ed118e5f538347e10d59b908f86071aa82ae63bddd51402e70a85d770fd

SHA512
5de09dc8bd95df1e7361d83eb6cce496862377d6f0dd75fd380e017626c131d18b32e7c5a04db4b9295de741cfabb2fcb6a6a8a332e9731e3d4dfc4f396607de

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cf405b9e7eb190f8ebceb45c5027a382

SHA1
310d78281a95be150d26d22fe5d44a42c6e3edc9

SHA256
c13bc14032e60684ba600e1b9192296a750deb2980e6c3b9ea0a2e924fd70e39

SHA512
a01ffdcab881e08224cbc102d244aeb8d4ac9ce950a54c5ee871a1aa5d55c36c3d877313276b5da1d7acd5e79c06e53deb079b1491813f3ea6db24ed50ea169a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
847ba82b7770479808a0342161446e23

SHA1
eb37aad9f966b252b9ab3a54c7eb3f33c212d088

SHA256
333308ed09ab50c0b472ca756f658c2dde01d193044c2da30732ceee3514bcc7

SHA512
1031a6e40af3cd5be980bef480960b342b61de943d5b9b4ccb7019a487f148ceba56c4d56d34c7f2227d847df1c7a87c5ef1152005ab9fedffc3d6eb6ea3d2d1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
47ac9a570040e36a2dc29cb137f7d28d

SHA1
046bac9672cc6f16866b2e4949ee1f33dd3798c1

SHA256
69de954c4481492195c3e0cc313304c3e886e4ada350f3ca9ea9f76b991893ff

SHA512
8e871c6c3060f4f8bb53a455c4174d95a02c17421fefdc0f63ec0224662c6975ccb1ef8e88a43b4a6aa69b997f3006cd73a2842eaa865a5ba82330692bb0bd31

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3a4daeedd8477174e44e24cb2ffe5bb6

SHA1
63f5daf808b222de9245074d0acca5ab5a3d59cc

SHA256
fe7093ca97359ce5a420750c463bace4ab1f13f6761f5dacb90af7a0a01c2d0b

SHA512
e3c3946384f8d9ed8680d2492badad5e02a8682f9fe6a4e1f680420c65cc3ee8e11372b1dd0ef8ddf0d348ea3407d98ef3534949191eebc4db0a16d891b2c418

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3f0c0086cf3929119510be09211579f5

SHA1
eb911270bed60c3cd9519d64ef947075fa88d904

SHA256
b0ca60344a5a173080535dd5da8793a60b0669905fd21e97f1ba219965f37b8c

SHA512
1b2fd88347dd08b279b365f2615469d5376821f93fea0bb546d0d22fb0f474833a77adf46e915f95ce914992fdd6084111813183cc018e7ecf07939b6f0951b8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
eb06081546382b5c81c90e6ec6cd43ab

SHA1
e0f791689df48c5e03307d61577a972a0a722887

SHA256
08fb33ad3a0a44500469248bf7bcf6fe4f53e842810176f45be80f2f57cff7ca

SHA512
ebf550a4e61656c8fbe8c96172353676e214a7bd38cfc462a261fa1c7c408af3485fa1c75a1349057b4988f565e7152251b3f542c5081ca33b4c07bf232a428b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
cd2aae2770e00bf80665d00ff5e17e4c

SHA1
7b4e7c92ae1d4634d28c4febd6affdb14a5772f0

SHA256
e95f9719ff83571d4a64555e32971176af8fed222c3fec44fb91d2506bdcbcca

SHA512
02c2098fbf6e2001f2988665e9e464b0cc4f1d547fcf075c03480ee6d67c0ba8160d79a9f5416af408074a8a7ff8f8ff7877975228ccb4bb53daefdf6c2a4e03

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2fd9dad5bd08367789e40f6bf116f976

SHA1
b97e4c38049fb34fa3159edd9aad30c4f4994389

SHA256
10a5d51b6e7bcbcc02020297f247b03365bbe10e7bcab9986c2cc32e3afb0f49

SHA512
63c924bdb977a3eecae91e0c8bba7695a0696f70b70ef22ff06b94714de8f46ae3a6015c9bc1a16b145490a7d9c4102bb641132184099c90e321b73af22d6d7f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d367edd3239d420d19f4d19f52c37863

SHA1
1725f2f1c135074c4e4719bc1687340b0e73e94c

SHA256
bbbcb4cc7eb51a8af827ed9904864c435505ac5aecda8df269a6e230a65f26b3

SHA512
ce667dd4dc6279eb2e81445d4bcd1ffed16520b5308b40bd3c8c594e2def8fee44534737ed5ff6bdb409d804dafb5f830fab81698a3fa7d5d208581cf7b348cd

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0384a181402b20eca9888cc2d590836b

SHA1
1d7275e16ce397128bec8102cedb390c297392c4

SHA256
cd829d0c1f2fc8a4809196494481b28cde154655059a7000665bf61c57990ccf

SHA512
c51738b0e52c18977fb42b0350e62d12ee2b928a1d6deb19547c00997cc2bf06c9419a7e6fe6c23573d9e3acfba376064368ead06707455af55e9d0eae20db38

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fa5cbdda476a9542526c97cac300e157

SHA1
3cd3bdaeb11fc093b397afb182865872ff5d8c70

SHA256
dc2ca8eef23534bd07fee9957725f1f981f92cc1f07042645785ea51bfa0e20a

SHA512
26666c3cbc29564ecd44621120cf69f99c8c66f84dcc3782cb630f71fa02a71f681a31a1a13efea3cbd36906a3bc4f0c5a2c3bc5e99c41c8b8b61bf6dc079548

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3ef28b9e21c83df5a291ff5cad2d9d5c

SHA1
ccade2691eb99c01003e4ab504d3367adf1d713f

SHA256
0967bcfe5280b73d39c6bb2af977c7f019a305e502265403dca3534bc7736929

SHA512
25f403820d08d039ef735f3f72699eaff1420206e062471647d86ffbfed52e7300e2813288d83a3ac5eaf07499bc0e9542ea6d85b29841cdde4ff61abafa6157

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
be505c7f55826ba1826b8c8d85e3734c

SHA1
0fc01c49df1649dc98d754df61e4ef452a5f913e

SHA256
8ef151bb485e816b134564a3223af890a96e910cc80ef59fcea96f1dcc3f2243

SHA512
caab0772f6d6b91e4cd4a5d9a57de23947343a5f0a94594a7ee6408d12b60bfd3f7d5eefdaa2c71de078e952eec5b9209b70b089df6149404ac198bd91acdba4

Download Submit
memory/408-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/408-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/408-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/408-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/408-59-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/808-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/808-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/808-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/808-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/860-240-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/860-111-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1108-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1108-78-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1108-72-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/1108-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1304-340-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1304-118-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1676-177-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1676-489-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1796-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1796-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1796-15-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1796-110-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2032-81-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/2032-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/2032-1-0x0000000002590000-0x00000000025F6000-memory.dmp

Filesize
408KB

Download
memory/2032-6-0x0000000002590000-0x00000000025F6000-memory.dmp

Filesize
408KB

Download
memory/2292-162-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2292-91-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2292-85-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2292-94-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2360-385-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2360-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2632-105-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2632-173-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2632-102-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/2632-96-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/2708-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2708-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3352-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3352-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3376-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3376-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3412-363-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3412-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3520-80-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3520-146-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4148-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4148-484-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4352-466-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4352-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-307-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-483-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4620-32-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4620-38-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4620-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4704-135-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4704-365-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4936-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4936-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5004-485-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5004-170-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download