86c19efb12ec3e2b7ce9fdeefa64ea196fca1435ace238dcaa660891d21803a2

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 11:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Size

2.3MB
MD5

bb64fa43d42b05c2de5b49420c6f4315
SHA1

8afab4cad1e1350e097cda0b9c596132ff392735
SHA256

86c19efb12ec3e2b7ce9fdeefa64ea196fca1435ace238dcaa660891d21803a2
SHA512

330e03cbc1b9b9ef5013e2428c1948a41d902408827f4fda9c85d7c1cf8d33dc48d4f1565f7186bc797f6bf0e26925667ecc894c14807e72de2faebfaad798d4
SSDEEP

49152:Gf3ZoG3UCj5qzWt2skmzb2R3NBHCYcMbCqy+XyTmp6IBCM/XxvYT/u1XMHM9:uZP3UCj50WtQwb2R3N9cMbCqy+XEM/XN

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3208	alg.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
428	fxssvc.exe
4556	elevation_service.exe
1740	elevation_service.exe
4208	maintenanceservice.exe
4460	msdtc.exe
1120	OSE.EXE
1436	PerceptionSimulationService.exe
4892	perfhost.exe
3644	locator.exe
4884	SensorDataService.exe
1468	snmptrap.exe
1828	spectrum.exe
3420	ssh-agent.exe
2796	TieringEngineService.exe
1956	AgentService.exe
2020	vds.exe
2128	vssvc.exe
3860	wbengine.exe
3292	WmiApSrv.exe
4420	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dc5d23e065f51a6c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065c835e43e1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088e87de63e1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000756c98e33e1adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf2fbce33e1adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000606f3e33e1adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000948a59e43e1adb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085ff8de43e1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000750512e43e1adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000724718e53e1adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe
2324	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Token: SeAuditPrivilege	428	fxssvc.exe
Token: SeRestorePrivilege	2796	TieringEngineService.exe
Token: SeManageVolumePrivilege	2796	TieringEngineService.exe
Token: SeBackupPrivilege	2128	vssvc.exe
Token: SeRestorePrivilege	2128	vssvc.exe
Token: SeAuditPrivilege	2128	vssvc.exe
Token: SeBackupPrivilege	3860	wbengine.exe
Token: SeRestorePrivilege	3860	wbengine.exe
Token: SeSecurityPrivilege	3860	wbengine.exe
Token: 33	4420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4420	SearchIndexer.exe
Token: SeDebugPrivilege	412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Token: SeDebugPrivilege	412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Token: SeDebugPrivilege	412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Token: SeDebugPrivilege	412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Token: SeDebugPrivilege	412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
Token: SeDebugPrivilege	2324	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
412	2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 184	4420	SearchIndexer.exe	112
PID 4420 wrote to memory of 184	4420	SearchIndexer.exe	112
PID 4420 wrote to memory of 3980	4420	SearchIndexer.exe	113
PID 4420 wrote to memory of 3980	4420	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-09_bb64fa43d42b05c2de5b49420c6f4315_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4664

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4892

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1828

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:184
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
67a97a04befeabf6ffba3e79a5fbb98b

SHA1
f64e4dd2644815f7ee5d7e13cfe7e1c2d5dd3973

SHA256
b29bab3e37f1425f7adfde4726e114a2073db9caaec7fe7b4e61e7626bb90957

SHA512
d837ac21eeab4b7a969564359c169f06da986d76432e1607d1bba12600b7b53d8091b78cfa77b200f83372c66842f192ecabe892fef3de27f84a8d2f67ea3d98

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
c7fa1bb80ea42cd839b8537113bca106

SHA1
d371954b11da5939d9d6e12e56e0ad9b51740b79

SHA256
02ba7818256cd30bf868f51672360c03ed84b2b08918576963570374480a64dd

SHA512
a86e6a1c9b707050087f2e0d3883e2b72294d2097eefe4d9e3ed5b8301adf1d5cfa741d3432f057597a488855389a37bb936a2b046ba2b23442ef556720cda06

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
025653e6a312b86373bc07850de965c2

SHA1
7f42f636f05bae47f2cc3a884791e95116c9395e

SHA256
75d9fd00bf848f75df5a420141e4322325473836123f33f1a912d77ec65a1be6

SHA512
a53c51f92b5a319d93089be57dcd300eb4a6afa173ddbcd65d557aa84aff38e0234cdc961a9af73ec5e44168bab2d2729b0cf970f2a359ee61c1068189c5949c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
abbb1a5ab023ddc1708bd0d3457d7673

SHA1
932d1e140114f1f1cb8b8d969a05bdb1eab641a4

SHA256
e6b64ad4adb796d771cd9df5bda3f1c3ad1b01537b64cee3dcf16057ca2143fc

SHA512
ea084c2689e6c8341c81fde33f213e0418145c2ec26da541f5daa5700fcbe0e2dffd9a2d9c27fc55ab5e6a1f3b5f15db52c4bb5fc5d819d61f5c383244256840

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
5e49125f7ef0bc72fbbc5e7d1f6dff63

SHA1
2bd50ba37ecd7f7808bdfd22a8177dffef59c8fb

SHA256
315d53b5b9f70e75f2026c090d2880a519cb700077d4817ac252f65b82d656a3

SHA512
2911ec70f00fba4e52623ffee9cf9dc0778272c5366200b5349d1a695e559da575377872bf80f6ca3dcaadb612b4450f5b1b79b3bcfa7540c336a039691efa82

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
d84db43e9655433216c57164e770eb8c

SHA1
1cbe73d82a8861fa23acd78ff10ac72c12b80be7

SHA256
2a76c37972306f8146f2848490eb5b30fc2853c9415a633d340f32999c3c9c53

SHA512
60912e511db8553be684b0f2f437a4d8288563edfafc7582e2b740493e42d47c896c1174844b146d4e336f3d87f259641d40c883d1ed89e82b8b8ace5253927d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
001ec96d8ed6885bc586007f5acafec9

SHA1
a13b22628ad64595af8af304df0c0af38be422e9

SHA256
8d90b4f59f533ebc82c09e9bb1cfcdb4b780107eefa8d0813a2b796e81b7be33

SHA512
fef4483c92477049267c256a77371bb1c981094c3779f65f382ebcbac609f7b613605663f71171d4e248a28205cf6603c1f857fe17cd599f42f0f980e6e22c62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a48ca007e44211c76ca4c4daa25e58c4

SHA1
1f1d16ac1713566551956c549843146880d937cd

SHA256
2de376aaeada25bbb6e84e1cab72a7106aacfa8b07cbda83767e7c0ddb28d28c

SHA512
802e015b4cb7b880fb898edf4d172f2d954c2a4d69bf2cecd2796b45ff5d1df00aedd1344e21e2cad1d9c11f41a0a31ecf4085a1b05c4c68d2d208f3fff4e9f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7b4c290ad3fbdc2f600f8cd01e5d9af7

SHA1
351498b22397ee16bb07efe07efc3678c08494f7

SHA256
e3a7a2b2cf2d8b20e3e0d9856c248b098a2050a76209de0fc579ed3b94a0e65b

SHA512
6d91141497a84a6975d7940066c936f05611090282731b53f91c4100d60cf31ced1788af50e0ae1328d322ffbc5881d770024ce9436ef1410b08b7f322432986

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1587186171e7f185a5fe3c96b741d620

SHA1
2431b98b31acffd567ea9f609f13a5fe5337ee4c

SHA256
d2d47bd9a2e0252dec5981c8ceb8cd8130f22ce1f41407114b9a031214c57c69

SHA512
1df3320425d117da23a9ff2ba1f02ec2bf574e821441532082049a3d8ca0166a294235880fba584bcfd28f9ee86203f6496c8d0305609ca2826c4c2f935527d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9ecdb7d2ee38f5e8425f7c5c61935c08

SHA1
30b58db5423467d22334891082ecaa90670c6878

SHA256
32afaf44b9f9b1a49bd21fe0a0d178a40cea1647e93bd10a3f12fb5662095d01

SHA512
3b2179a735291257ed222da497924b8be10bfa747abc5f074b0123692eb2e7d3911ff4c473d78a8466ef443140c7b41ec835e51d836ddd906c4e4892bca8ceb3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eee5cf1e0d8d22cf973b648b137f9db3

SHA1
1199088225d1d1629b4061b3fd627eafbacef9d6

SHA256
5edecf31eeb37d991ce44b9ae81a7c09336a2b6c8ca1b0d5e326965485a817b0

SHA512
edbfa75effc3a4fd1d7abfe714ddfa048bd0eca553ab5a629c9be7704389b61ce50705c2ed1242f99934c1b381b89c5199e73064b00e1c4c01ec680147c33e13

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
8fe00f3d7886d0929a4418e6eb8f1144

SHA1
b406a2ea6e21702a4f599bdca04c4a613cb04720

SHA256
b0cf4ad214d61b23792c049d7d363062b787c6d8f6da9a472d796bea9c5ed5d6

SHA512
8d4ded619fa578bfdba4ca7f5f901aa82fe7197a73044fafb373c70f9df2c05b57c6f9601f0f632ad1bf0d31e6b7472dd992358d79856742a0eb96689e368d2d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
bf589754bb761ccdacd5e80d816da618

SHA1
209d4d9872d5336d6b86b58d6e84cd88dd8052d6

SHA256
61bda49c395fc5aa4ad74b01b123b94f90421d43bcb902fd0f2b44a50982ee3a

SHA512
95d3ebec5ddc8f86c13d6037c65814832fa81b7126ea53843266f75436b39bacbac2dcdb6d9f9a41f811d91736dcd90ed110632cb5ed5a0c3b818b238bb0536c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4de27041b9c3817d18847bb6f741e095

SHA1
50a8f191a85a4916a08a65ceccea01d7eac1c7a1

SHA256
0fc8c5820895b4ea3182c0f3465bc0e29f05bd4e5de31a2947a6d94cf30aac95

SHA512
0ed54ca979e4e7f551a7a2d79a0e39981b6050e217f2d55de238a22e6a6262e3c33fd0c1cc2b4cd323a7190b5bc8500c8568b578e9bfe3625532ed31f4b41010

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
e8331325410abd6ca8ac97e176902e26

SHA1
627bd88af4c45a81746a81c73baf91d09f1fb9b7

SHA256
411fd34b15cae60e011de2d9bcfd1b89bfe80b578915d19df55d0396f6c4a692

SHA512
9f38305fc414542edb347a9c0f10c9c73392818cfddf1aa49bc37c48b0ae3d4ea60cd06bf49c1596e4833c33e031902c82ebb6ce4c12824431cda7424d36b81c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
d0ada8e859f07c41a6d868d7c73f2360

SHA1
318f1d63b7167f1c06cc859f4bed4204073ab4d0

SHA256
a1447cb7dc69a6e8a6ec9715fb7a1fa04cabda7914c7e636e7b9007a10bdedb4

SHA512
1403b6a4919126a7bf4e1b7a5079085c864faf8e17a919d62c1aed775b237d7345b88a3d800c70a9556869ff398208b1546eef1b259c57114082049aaedb1370

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
454ee3eecf629daedf8c695bd20002f3

SHA1
4319e11646c3a4a95059c3cf7138c1d38cc74984

SHA256
3a565f7d55472d18a302ded590a60576d2ff0d1ee5d88cd2c434581025188ae3

SHA512
ff331dfe4ef3cf7cb2d37d4173e6b21c40e7b9e98e2bc4c453b76eaa51167a30a5041fc3f3c765d20ae68b6260767d3896c88b71b54281421a10091bb4a31a24

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
0f4d0ca0a91dbe8edc9901ea54045de6

SHA1
c0f2fc13be87bd3616c2fd6710d8ac31735f269f

SHA256
eca82641d85664ba4c7fbaf3efda331a70dcb7a3b74c4d2b5c1589b89af914e3

SHA512
f95d6f963143e284226814b49dd6c3bef82cac39c4f89964df52e16b3817818f8516adb492be9e53de922ecf81146d2c9a3ce34a7f96ea2c5a94cb4a7f808857

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
126dd7b4664a004d548c7ccc427e01ae

SHA1
1a4611afc45afa4d27b3c37a0b4b003bd805d2d5

SHA256
9be5ab4dbe11721053a752d2870fae600a1ce4e921b14fe0f6eccd5f60a09a8b

SHA512
b1daa4dcca78b8a88cf8a24d45633bb09c96e21836ad455a50a119812ad4c3fa3baadc06dfe0310ca36b3633c4955536e9b8318f5b37bede81308157744f824c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
5889cac740ddc30cd92da8cc48838b0b

SHA1
a3b0834f2228d57942fec0a6da42d9a239d328ae

SHA256
c193571290195b7b3fb697877c30ef07f034f81ae579ba63ace6d1ca464f6836

SHA512
cebeb8f6f147c1873395a9d17039d91f296995869185eaae3ef6ac36d708519cda17d40466af3e6994eb795de74621393e15ada811b9953b062a6595845b5e61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
0b439276fcc90962f759583781929bdf

SHA1
dc50977f27abf3cb400963fd0998016292c40a95

SHA256
dcebcc7306673087c424ec67a74d98d487b8e07f3df5d4eaa716a93195c2badc

SHA512
7deff9571429aa8ee1a431e9d4ef950abbe725016acc5596be5114c7d42fb22ef2a97526eddcc24989c0ff8ea1358c54bb49d4ef28a6ad1b2489aae0b3421cdd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
7ab55318e0d99df0c17b4216cdd2fee1

SHA1
3c9de8d76adeff8597cbac50a6162dfced67ba84

SHA256
a5ffaf66e3db1c1112edbe967fe38026a59b10ca0ee679ebc65eaee71cd840b0

SHA512
49c4dbc770d886c160cf2a88b0a1288bc4416b3b541c06f8d653945805b1503f59a7ae18cdd1bf5d170587284ea28925a7c76bab9c97740ef3dc82e21352e162

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
db5d4a40ce3e3ae60985197ff3a5f3dc

SHA1
defbe831d43005aeebd4780d83cc9eebc0d18f3a

SHA256
cc6246b01575236a164118215e3f15adf3ebf512ced07fa85b293c740dce8788

SHA512
667c322e4d6ff2de692b5c721a051df13e615ba989f2e9cd31bb577980e17443cb34beede2199bb79f8040b001499544bafa28c0debfaa01c261cf714522dee1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
66f55140e19dac5473ecd5d505ac07d9

SHA1
81a2ba50cc277adb0c1e7d02bb74f2c99ab88103

SHA256
18cd0fa3aa3b84c64428aab6dc3d1ae6fd5ed08cdfa0f06fbec352e6db3b807a

SHA512
523094ec5006e2befc3bec313b827c3d3c53742b4e9362e8656d2b2fa4608a90c8b423570a1193a358f61d63a5448c00e18f5f6daad6c58687d2e35c7a357fb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
60368feee7b82067322b647b8e3f2a1c

SHA1
babdece95df6e96e1ae8c26165bede249f264ea2

SHA256
23a79f9549776690852d7a4dceb07817193076329bcda4c266183a11b5781cd7

SHA512
90d3ea0cdc34e6ab2901934aaee2dcb7078cf18caeafbc7c5108faa24836c381d6c7952149fd41c6de9272900878710a06245ef80bb5b8ec1ef1e75479c51daf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
90cdc4ea0ea82203b619ed9773a26209

SHA1
3104d1b46ee3c85754d0b70d794739e9bf76df32

SHA256
f8e80046142c56e2c7c2c3ac84ec120d6599b70315876bab5526dc785b71f650

SHA512
8d867666d723d1e654239c59113ab0f576f1b8a2018a25b549ca3db8ef92a769ede3f209c4d394b9313059e76fde2e3527c0d47303e6adbd4a47fba9cfc152ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
48722fc98c6d28cdceb346469c1ceb08

SHA1
8d5dd6a9fcac47d8959f8f1dafda7c7f45196eec

SHA256
15eb88b93eadbc4ddf897e674df985052c9d9c4c473c94a5eaf637d95eef471d

SHA512
6ec06f337e6b16eb48f3c518c38e65e0c777711a1e6407a16159e6c242fe3e21094236a866158295048662f81fe082582371eef5fbb756f642e5c1f794c3f348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
2b3f5ea10d8ef202b35819c2aa3ac1cf

SHA1
fd91846998f91f48b9a04d839d4af21bc026605c

SHA256
7b24be87f4268f44dee615f34248aafb4c26df88f1edb5a83fd560b35fd77e0f

SHA512
cea456f33fdf94d6975c35b18b32d514e723a18e9addfe304b7b2a08f1b1810c86de9e04bdd9e2e47a338516137c183e66e1444487ee80f121c6a6f2d357dff4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
03c7f558f1a08e738d2718d1fb64ea3c

SHA1
a9bcf09bd6fb63b5e504b2df2451f8bcd9725d9d

SHA256
7a8a1dfd698273717a80015327f7b7c6f7030decb9ec4fddc21561db6d590c0a

SHA512
508e5a40e9831060c0f9c6b31423c4d51711ed719bbaf7f59712a3fa1efc1dcecbda5cdab3b91784fb95a86c6043445eddd69256eb65a90d24a2ed77c5043275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
2e43ec9ed1c513e37693920bdcd4ce07

SHA1
23ce13dd79dfc8a11a911303589578b069bba493

SHA256
5c72b227de0e7ea58fb4e10a23c04677f9dc5e239df4fa0549caea3d4c2bede2

SHA512
97d46f19b5f50468c28c2737d6b82032fe95da4a08ff5026e97b89fe2fd8797fc65002a1d29d292cb9479f60560940698cd7b7037e4bed02d0c91caeba2e64f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
2b74876d1bb69773b7dfc4717162efd8

SHA1
e91f446b6fe8415cbf0909b84505570e0b3f79c4

SHA256
c95f78b9335cafabb38172d2e6ccf9b5ea1b060123b05ffe9aa202f92058f901

SHA512
f391157d502fe7018e222ff3c48530ed94e41f7ff30193875f98528bca14126cd18ab3987e7acf6feadf693bbb9f4f9f67f0a8a8d344c909505ed63ec2e5a945

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
e772b84afb49b272a4b7546c732e53c4

SHA1
1925b9d5573b7f9c9307bcd457925b8ff17c6146

SHA256
53b8c98941970b15234537501995b5d61f813c1a0e9fba426bacfa464cb34289

SHA512
0d3fe67ab309cc133a4d85d19bb584cf6bb349afe94e2faa61ffadd7aa54b88bfe3cdf598889504ece31ba9c7018567819315897f4c8a5bdef00fa3258e67165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
6e66dce6a5aba128032040c7282011b3

SHA1
e8ed3ce1d1599ed8acdfbbea8db19c00bb2ccedd

SHA256
03326d182fb8d1a5cd29581e9513c90351d63eb7bc7ae43442712bf87778f3f6

SHA512
d8f2e4c2bb10ef57cdb610ffb63cef66d40bb079dc14b44eb83369d9e4f2b3326c59d51bbfe0d676a7d92165485a0ee0cbf966c4e550fa04967a11fd5911abd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
66f21244e2eaa65d0416b1ab740dfa5d

SHA1
13a9748154d8fb5628334a93679578b5fb363ed3

SHA256
536bfb67d550e1a2bc230e96d6be0d3ec56470de8b049bd0b7d5792bf025e540

SHA512
fb51c74ecc307b04c53133c6d7acdc7cbff34e001fcb1bea7c2e9735bf56dfa40352349c92409dddfad1726bb95a1878d06f43d73d562b5a457e3a6f8690aff2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
175855a7dfd8589da496018cd16449fb

SHA1
8dc26a87a8ccecff364cb7ae211282f97762ec76

SHA256
32a67a8cb22cc8b0f25f1369fc1b6e458d97732ea8fac30945a7dc16202a077c

SHA512
da585965f6c74eecf1d598394cd1d5e59404a342e88cc3f23e789f319a6ec40e3fe890796faa2ef09c35a2c316bc4ffbb60dba960df4081c96331cb9d5ef309a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bc83e762eee7047ced0a3848e151dfbe

SHA1
71ded957a3f703a452717661ecd4570f4474b0c6

SHA256
f36ea933a30a0fad5f5437fd7c1564f555013c350e9acf12e21768740647c16d

SHA512
fb9f8acf87b8312a99f68378337741386b76baf5ed34afae72b3ed86634b3c9a7265353c7df11e5022008ef989c24fcb157d73358268d49b66d82aee066f361f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
2f0782765866c79cf14be6550a8bce7b

SHA1
63e4b6ea5b2bfb194736ed3396a08063af1f2a7c

SHA256
5e976ccc4951527ffd327346866d957b86207c1158234ee78ac4f7ecbfef4a8f

SHA512
99ac3486ecec179e9383d1e7d5a8c407feb0cd867a34b0c77505e4f1b86b1aacb99a49d1d6c228b6e41dd3927c8caeff0696b0fca8aba9f99ed98345110488e0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
a2380b79f205d317c1346cf3337ae2bc

SHA1
6709b006620363b868a86554ca058954ef4fbc04

SHA256
e66088cdd7f9b83eab920bbea98f00c138a500252cd83aa507f03f8c944a2b74

SHA512
a4cb44c18a871817971adae9bc8b6e3c6223608b8d938f22203e6c0244bcbc04ca7b37b993212d32708e66a1cbc36c7ef9bec6264cbb1ff0062b7a6cfaeca136

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
02ed9bf2bcec22c615657632785c248f

SHA1
7e823850b8fab64931b809f94e9a4d172e77ffbe

SHA256
9d2bd10130f2ea732bb2e214f13e939d5a2852f9821043897fd187698aa5f743

SHA512
1fe5f24fed512258744978314dd1a765a1008651ad2ebda71f8fc180a22bc46c4d5422f1c601981cfdf7f374c08eaccb604b84faec22ec6c55ae922e4e9d7262

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a37abb9e9041d06ebab4fb43a85287e2

SHA1
2629e23de9deb37ad550fb448c63ece5746ec94c

SHA256
91d7d7333e8c869e2c33bace6ea1a61f34c5cce0a6cdefe0a466c8bbdcb81f42

SHA512
5f596a0c14d78b44970b88fdd07e2604300a2a2b8c5df3827c35090f75a7696e8d221ad7f7d59c862e86d1620e94e8743587655dfed87922e844324dd0cee983

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1c3367a69682cf8adab96e6307fd7176

SHA1
2926c98062207b2ff0a2020cef50f538d9d38801

SHA256
0a7b5c5f07bf11e7fa5a065fc6515782173af69224c09e509c5d5ef6118bc2a2

SHA512
0845a4c5730d2ffb2e5c20a4d802d4b5c15f32d55d901f89e9b3c7b66b6aa7fea6529bc56bde40a504b5e27fa1547471d9c10cf932dcc208dc300a24b5fbb9db

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
7f8e53a1d7d486e216a501938807c678

SHA1
3c0b818b5d080783d8edc538b04c13fead760735

SHA256
ba8ad9c35e76e6b8a6891fa23710ae89887cf0d7779550c62a6460fb867a3525

SHA512
67a5fd6bb81bea119b5cfd971c733833d60e33e9a4d548d986cbe87de50de926f6fa9342df91d206447370d8033ad04b7436622361c199d73940d1b47687fcaf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c3b01f10689e1c855ec9edf89a6275da

SHA1
aec1565f144b26267567955d49cadeceb9177f21

SHA256
fe1b0374059d011b27c306b8afc836490399bf6e6c931c47dee9db2397e34b4e

SHA512
8e89615d9d4473371ecf78b99a82e89fb9f4613a658261b015bfb54431d50b59ce4beb81de6847197cd7d6c84d68ab842226db3e0318bcc405cefeb22949f640

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
1a063ff805f4f6703d84bbaad5199cf9

SHA1
c5f0f0380deeca1cda0f0742eb8a2378d717b34a

SHA256
8bd0263c9b3ae4910826b15d7e4011faa721e50b6bfc86706a9adf9d98b37070

SHA512
626951b17407fa709e581271536373e96cea67b919667cf6dbcc752536950232eefb07ad3cfc24e607a594fb8ea5a22b4456fd8927958006bec4e3ded636c26f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
06c1fb92ddd481c109087f65921b1108

SHA1
7d361daae4e669536baf82609a33c8516d0902cc

SHA256
c17d9a6a2de1e29a41b31047e249318c3fab8d546f9ceedce5351983a8871f89

SHA512
5bb37e4dde6c004af519d4fda725f85c4b93b636b06deba55f4d42626fb2dd58432be0c9fa04d9cafcc2796c3d8634fde4c46b33105ff0dd632c29fbf34166d8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2ecee1588d62679b24a4bc621edaf1cc

SHA1
c944c91ec17a39e3c36b5351fdca42f82e74c924

SHA256
676336c518f0c41583810cce89abc1d5e0c0e48cb45585748b7073b2c33127b1

SHA512
59901b4f2c5d96ea845a5073675875371f5d414a1d5e94c8acead9f306a08e07fb918698bb575a446b84561843534ffb0ec8e9b7aeaafc43ebff28283f40f326

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c7b6c475ec8e72c4113dfbceb446ab4f

SHA1
f92f2ed4990ae32280a8104ff6d65c0a9d31cb84

SHA256
2e3278b8b312f16d5221d2559a9c6a257c0df57fd7c4748336fa0d50a268ce91

SHA512
0f3a7cc7ff4a83107f03e2d7edbaafc293cd784f05bf558276ff2e537623b2e9cb1dedd982a0ed1ef5fbc9dca7e6cea4b25e9661c10fe836c864b50d8d2d640b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
65e363f4ee7c07c5254791880b3eb8f5

SHA1
e14486a46700ca5d0dbd8fbd1e825fed656b1c4d

SHA256
1715019a0b1dcd66be70375681ce6df675914fec71566c1fdad4b2a7b27fbb1c

SHA512
248c7e9677c7125d10bd82c706846b9463156d5cfd4f9d813f15af0c82e5cc6d21c2264a8d3af8cc2fec4a67d39c486fca310c7e385ce1dd2691f2135f900a51

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a0c43e0a743d837f95ae11dc49f3e0fe

SHA1
32bbebcc3180e56c267a510f2da48cfcb013e2e6

SHA256
da066a2fad9c4ea296041df1ab955cf829dc45070537dd0d834a904670a707f1

SHA512
d40f9369057618c063c8e326dae31409e3a8dd944e21015d477bbe482fad9b8ddd5aad1b39444544e13ebedd6a5ee49ce3f93af5f1f2d4747c68d9bdd52cdeed

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
13ffcbc0a18d96de01bc3ea3c9184ea1

SHA1
82e4322cebf235adab51e0457b5c9c4210ca3711

SHA256
d544628dcbd62dce15925f031351a35ade4d01794c72a0332267e13b74c157a7

SHA512
056cc6936207e807b5b81ffdaa4421e6e2cbf94a407ed008b0be4a8fc4811389e5037accced951a4479fa6f21be17ccfc1e691b04edfdea4106adfe46fde67fc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
86158eed28e5fae01249d64be60a3fa3

SHA1
dc9d3667da51bc920aa29892c6d659c8e4506154

SHA256
1f3e159032fd4c25b14c1257da1237aaa53d9753b4bc1fbbdfa9724f20d7c692

SHA512
908d4da064d9a1afeef2a40634449b2db462027a02f94af140baf46b2e69ce74186a68da78b5c286b068116d6dcf3bb554ee292339d6cf97e4b4b63bac68c614

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fd78149540b38780b4143e8614ee53d5

SHA1
06af1dc9dd88b2d329b5defdf7ef9db9d344a0a7

SHA256
050fba327c2e2f37400e330b742fdcae6bcb119984543d661d3f23ee9bde557c

SHA512
7fae1dcdf733b915e537f611cdfbf887660a6222cc5da88aec115705add08ccf5003feebec73b25bc7db5f31bbece8d812fdb015e80b8ba6a83ad1d8854a9b8f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b4043077cf9b01975878b53411730e98

SHA1
cd94340e7e523ce0f4a6ad059d8c870dea473a27

SHA256
0d65942b26836e0db9895632bada4719f7f51932744d7f55dc49c1b45dae2aa1

SHA512
e23d329c42f0c89232c01eec01aa07244d0a239e33197a665efd45d4c711959d3e672ad4f5dfaea28534b2f82a27ae0aa3133a33aca1f5cd8ae4347d5e02c6e8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
fe32e10500686caf35de6fa1ac084ed1

SHA1
5aa745c1ff50758c514f5c9606bfafa885739df0

SHA256
8f86b33e2eb2dbdfb5d1515e65aa495115dd3af2ec80b1cba86a2b9f47afd691

SHA512
3a9ac2dad9204143c833f95f275b471fb068a80175ede0108af3c61f4a8eebd126bfbf9d8ed552326f09d41533d18738df9bdc5db0abf98373ab20e9088d72ef

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0621c4ababb8508e9e7b90d0f724d40d

SHA1
93c77a68e13d3971e3054f6cc56cba01dfa2f76b

SHA256
c055d6262662266d2ac0e1293eac01135dd49ba10ed5d113ada5a797dd514b1a

SHA512
eca41eb69879d40bbddf774ba9a76c2e23f2d5b71d7c8299615e11828d361c5bd8975cddd1e1bde793d9116a99517b6ace50c4a30b022433967cbe625e576686

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
829e40774062d8cac6ac530b00b68997

SHA1
88a9e81195b31f147839f80992da9830d84ac392

SHA256
0159faaf5e26e2127d06e00c0644c8400f739bb116026f90eaa0b75c3c21dc57

SHA512
c9fa1ba4eb675d88de4e3fc2e93a914078115228016f866927c479a293ac2768291bfeaae75c4fd0f243a2f7691d7a38b468f696d491be443400473041e2e240

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
24764c4c459ee03f15c1ab6c1251c61f

SHA1
3594d9dda02739f1915ad7cfeb07fc1b799b4348

SHA256
6804552257f5ceb3e89e55787c5f67b871ca068c6adfccd9ab6138e61aeaab8b

SHA512
9db6a12599939de209361cf68e013df72c334ef6d7ff579bb407ba450c0e022e8395c49d6f24e1b89afa809df7563c4d97a5c71222ef4f6044a3f46c822cb9e4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
368bbd4e6c4825f7b0a717531e98e3be

SHA1
fa3dfcf941491d267b9d09f3a4bc32587913fad3

SHA256
330c25ae408b68a9a99f514f55172b7fa0c8dcbe4b699c5563222486010a679a

SHA512
14cb75f2d993b013c9a0fabc5bf0f0894fd77858f34225b9560fc6fcb42a2697439f02e0eb4d324016bf1f5be1a7d64a176a6802c8e88ac9613b8953b51ec18f

Download Submit
memory/412-74-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/412-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/412-8-0x0000000002410000-0x0000000002477000-memory.dmp

Filesize
412KB

Download
memory/412-1-0x0000000002410000-0x0000000002477000-memory.dmp

Filesize
412KB

Download
memory/428-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/428-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1120-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1120-75-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1120-314-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1120-81-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1436-95-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1436-89-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1436-315-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1436-98-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1468-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1740-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1740-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1740-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1740-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1828-520-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1828-152-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1956-145-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2128-529-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2128-155-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2324-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2324-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2324-112-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2324-22-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2324-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2796-165-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3208-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3208-97-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3292-168-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3292-610-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3420-153-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3644-115-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3860-534-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3860-156-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4208-56-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4208-66-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4208-68-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4208-62-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4208-55-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4420-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4420-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4460-255-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4460-70-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4556-32-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4556-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4556-42-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4556-38-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4884-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4884-519-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4884-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-101-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/4892-109-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4892-106-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/4892-471-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download