eebcb375c2a4ec1a0225ebba639800f91ecf6980544844a038b5a3f9525ab408

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 20:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Size

712KB
MD5

ea29b303e44c81e5ab9e4c171f42c323
SHA1

e962fd858d0803c7559914fb7c63f0d05dbaa9d1
SHA256

eebcb375c2a4ec1a0225ebba639800f91ecf6980544844a038b5a3f9525ab408
SHA512

7a5c43de425fdd9d9b66f29225d54e4bcf33a754c2249ad8a96de6e2e231ed34aea1ce194ff2c9edaa728b35c6a92b501349eb71734ebe531a01fedbaaf68f1c
SSDEEP

12288:4tOw6BafgfwWZF/xZ+2r4O+Jr/Yo6hUGCW4VP5zZWZG00B:G6B1HxP4O+lwo6hUPVhx00

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3928	alg.exe
4024	DiagnosticsHub.StandardCollector.Service.exe
3776	fxssvc.exe
964	elevation_service.exe
3752	elevation_service.exe
2944	maintenanceservice.exe
4532	msdtc.exe
4172	OSE.EXE
4916	PerceptionSimulationService.exe
1984	perfhost.exe
3008	locator.exe
2144	SensorDataService.exe
4896	snmptrap.exe
4908	spectrum.exe
4460	ssh-agent.exe
1532	TieringEngineService.exe
2300	AgentService.exe
4516	vds.exe
4940	vssvc.exe
660	wbengine.exe
4356	WmiApSrv.exe
3988	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee6a6d9d38f5360d.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CA9E0780-5A2C-43F8-9E63-52BCB11A02D4}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\java.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b02be8ecd520db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000116521edd520db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a0c46ecd520db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b0a65ecd520db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bff570ecd520db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a98b28edd520db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000023ffbecd520db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0ff97ebd520db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fdfeb6ebd520db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000551d78ecd520db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Token: SeAuditPrivilege	3776	fxssvc.exe
Token: SeRestorePrivilege	1532	TieringEngineService.exe
Token: SeManageVolumePrivilege	1532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2300	AgentService.exe
Token: SeBackupPrivilege	4940	vssvc.exe
Token: SeRestorePrivilege	4940	vssvc.exe
Token: SeAuditPrivilege	4940	vssvc.exe
Token: SeBackupPrivilege	660	wbengine.exe
Token: SeRestorePrivilege	660	wbengine.exe
Token: SeSecurityPrivilege	660	wbengine.exe
Token: 33	3988	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3988	SearchIndexer.exe
Token: SeDebugPrivilege	1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Token: SeDebugPrivilege	1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Token: SeDebugPrivilege	1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Token: SeDebugPrivilege	1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Token: SeDebugPrivilege	1288	2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
Token: SeDebugPrivilege	3928	alg.exe
Token: SeDebugPrivilege	3928	alg.exe
Token: SeDebugPrivilege	3928	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 3372	3988	SearchIndexer.exe	113
PID 3988 wrote to memory of 3372	3988	SearchIndexer.exe	113
PID 3988 wrote to memory of 5096	3988	SearchIndexer.exe	114
PID 3988 wrote to memory of 5096	3988	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-17_ea29b303e44c81e5ab9e4c171f42c323_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2052

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4532

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3208

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3372
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fe7be1340f8f8d21d8a8330b5e071b79

SHA1
81814f4a1ec58f9c26177ef4ac791269594f9b12

SHA256
d78d1082482428dda03e465a343ed827cd46a3b6d7f2e39604681ef4f16e5dfd

SHA512
9fdb7bb454a666cb279857e4cc972e1e840b5d392de6e6beb4ab056b63286c9aac1f9c7d7f62f4e41a8203f85cbbb3b42d3b4dad2ad376de3f53aa5d098cf9d3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
396dd7ce02c9cd47a33187e4b656eb38

SHA1
74780243256b1abdfce1c86b496c0b89365e77ef

SHA256
83b14e29dfb307f84321255cf8ded3a0c97fd1655201e48159bf98dbf1a8cc88

SHA512
27a4091b5b62ace28b7a0af34b3d7d72008c9e4fb6213c8a2df9e6aaa4f6830b21b99bb48c45fc8ef6e8b78d2fb2fa55fa0c66b37cbba2acc0ee7b1cabc291c7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
581b54b82259714f976d83db4ec34975

SHA1
17016aa41f17857c6fa5f5fb95d3dacddd6adcf4

SHA256
66d191cd3d738404d3577f25916c997be0f91b780a2b526c1c0f198ddfa78a78

SHA512
0ee77d75ed837a006909f873c1383af3ebf4ee88ef36a6974deb276127d440bf77750fc4b6c433da62270bc6861f19a9b464341163e04f96df26688118ced0e2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
78735c3aef73491a0c4f387514481f10

SHA1
6cb11fe3b377b33ab70abc403f00eea099db20db

SHA256
75dfdc1874346151defb38065fb2ed3e493edf6f8bdc23398540aa28b4b0ea37

SHA512
d620dd90397c56b3eddbb65925dd921a1672a1d39a1a788722491bf87c0ba5eb524180dfccb5cf47c55d89d3d98f7ed20389c57dccd023ae2ce70572208f36de

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
21b33aa5f0d03433eb8299a9d70b914f

SHA1
28e797369f323337f87c54dfc759947798a5c39c

SHA256
a5d8dde17db0f8180c3578749579ea0f8903e5da133521411f0059f1e2b8867c

SHA512
3ea75ccace38e3f8a92307a81c5aa0cdaef2cd63258494a16d23b610750a6046ba73fbf64d466f576f9d608af79f70f4041800a223660dc05d224e6845c35713

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
eb32934ff9e7d0909d3831344067cf8a

SHA1
52f7a112c5faf2b347a804822b8a93141fcd7325

SHA256
99aad6dfc1588d6ded5214dcfec3170b174498af7be741046573daa3be34937e

SHA512
8d43825fd2e6ad34208faec1780a95e8a040a93a0bdbb4787851df6274e222f648d28cd42cae2d5df79ed851da681d105404561703bd65b0aa4a7addc214c898

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0cb437d1231fa004c946bd89ec3627bc

SHA1
7e2618b64c1ec9079493340e563ddb522fd15900

SHA256
6e6f7f38ffa5762ed593c050bebc42165d61c182d5d7e8a4cee05c2468beae83

SHA512
d41ffcfe3f0dce65752825ad069b1212078d8918c93b0bef50942a7b9512325aa6fab8d59f5553648c7723d8c3b60a8535c0851bf098377ac783f604ba44e91b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c5979225bdb42fa12d8f41e15e0bc4f4

SHA1
541035c02740665165ece0e66601e924232ac18f

SHA256
436c3d9480ebb7aa54975e1cc90ce18a065889b4aa16ec61ad7562394614edfb

SHA512
37909f24aaa40bc37d60e00e0cb01fa9092644d21bff9621d20722975db93423092c76e99e12fead91daf81a1fa721c1d523de2cef12dc26f73782157f8e10a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
51d7d74ff609726b9813dac338260111

SHA1
548851234c63e276d7c31ef874be1a93124f59c4

SHA256
5c5960ccf796ee64d1cbc0ee8424af95cc841effa78ed68cbd3ce27904a83e55

SHA512
cf2226cba4214d9fb2693db0551fd6820377ee0681abcaf48dbd82e6c8b296677d0b170b2ec4bedb1756f30b015fabf7ca234f2feadf187a4dbaadc115fdb49a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0d8fae20f619dff68e49287949acc6bd

SHA1
999fd7e713c6a68efff7ea459c046768960dbf49

SHA256
c43f3a145e620a6c1bec9ffa08f9837569265dee2b365218496b2d42e314fd47

SHA512
9225e57575660196ec799410470d328eef0d81368d6774e92575de8b4a7ed64d7d74393d0ca88db6819ac5e67d5d815d4b8a6e33be115f2403866c1b99e34653

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1ff5f8d2694fcccb66448883865f643a

SHA1
6f0f19fb9c2d0983c5791b3cdc8e4c564bb99647

SHA256
aa19fa197a384deae9ce189971922ae186a02a6dfd12bdf8c2c272e3ea6625c3

SHA512
fd8f4268ffeda1c3e070fcb2cf2e30b6d4a74d704a65be18c04b93a28919d89f0b09008777ad25db0d26c8c25e202d454a97f0b8f8a074ef754f3c7e3213a8c7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
420e4a50708bb8e62db64c6c3aa15a22

SHA1
5e01c8a10d54ed0a7d84ef253b7da5319624b558

SHA256
c2c20f5ae67fca9c14ce3a2bcf663b5bac8d13dce5665f836f6f5727156dd107

SHA512
88eb62b2b7c13b36d857ae3f6b0fcc0380fb9e29a671f43b6e0fd482e149639903eb6ce7dbbcc61e4695b877d00998c1b7672d8ecd6c287a143bf46c0fdcc04e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
544c287db24013b9696bb4e4e4406e8f

SHA1
57edfb2608eb870ef65de8db4366d384989f3c73

SHA256
9401d537e3eb039f2c5e15ffa5bf9228aa34a4c6d1779d20b0b0b47d16470227

SHA512
02339b9b6ec8bfbc7b9b999abca2731fd3c369dbe933b20e084ee515ec30454f5b969aad210ad477cf5aeb304824635a3b59836d0e336c2644412597dff5e77e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
37ef0ae26512ec0fe8d468d8c21a2508

SHA1
38bb32eceb30dd4314d98268516d7accc5913f14

SHA256
f7c3f388757340486c7a894c4d28768980cc08836cf43743d0fc3874bad12d94

SHA512
5dd6431a6f30374aa5e70ce01f2db7a11470be94dde23d5172c0690fbb5618b1d6fa689ff5c130798afe6fa80cd31b77467f990d1552593f5326076c64bd5896

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d799f0aac98a22c98cc0ba078443e85a

SHA1
1fc3a3a88ccbf2fa894d53c533ff03b6d44e44be

SHA256
3d649c8540f2e689d54996e62ad5626f7e5a81af73cacff82ec61340d183249c

SHA512
6adf36a13fd9cf1e0590f2b8ef92ee671bd4f836a20727adb813c17d22c5259e110cdaba7a861216c10a2326bed68bea39ba1a61c694204ce9d3e34980f6c326

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
861c796b330c8bc1230b15183f4484f2

SHA1
b2a27801d10ae82224000a1c4aa2138ee11363e0

SHA256
d7cafd2b4d97c658a8190a6c9ce1d08f9301b61b878db108c3fe118bdab1fcea

SHA512
bd0a9f67bd788d442eddef677750e9a1a22e668997a97c8bbc2cea2e7eb21a6c03895080f6eef6e0b7ad216f1ca4c603b57ac507b0c03a5ad256ebb63c7859a8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3cdb45c61c5fe5ea74243e566aa3fd01

SHA1
ec3feab75a210e46afdc27c825c73698a489df95

SHA256
b1acc4ace1cb21fc6b2fd5ee873600e1d8f9377902337efc21ab08ac47c4bdb1

SHA512
9e5028ae960aee0afe85f849e209ad09ecffa1a7df55dbbf22c14618ba94396a802f1d818679a0d91dd3154f411040c87ba73a83a454b92746fe7bc84c0cc360

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0eb516df3a3151db12051e005ae4ef4a

SHA1
dd711a7c099d2b85f9cc81a5c951157a7af7ee70

SHA256
b1b1641dd26dccaeac3bf4f67325ab6c3a87e70aa471693b86447f66d08ff569

SHA512
082c6645f859e71f58be074f338633ca7a607967e12c19e16a1a743b72121a6eb514bd726f22e13e5407cc7d0dd1a81ac837410c5c15ec5217db391bd34b6a06

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
67792d3eb4d8d7a63510d97980ca1526

SHA1
96292eb3c706540c906d8db11e14de729d5e644a

SHA256
7dd855a95a742355d1869fd0ea77d7d790df677a57e49eb5b0343e266f1c0abe

SHA512
ef4a1b27f6a1b01e1a1a582c452e927c2cda710e4b1a8768086ae0b2230d1df6a7366f050024a47b3b2f486998a23bb680b6d3406eb47aabaccd925766293347

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
edcaf84eea51354e77466dab56953109

SHA1
d341b17c2ded47d37d7024b6e4b549f9e4fbf330

SHA256
a34523560620b05d26978109eef382ee13d8d4359a2fe06732fb06474158f0cb

SHA512
9638a66640e26a0d99d61fb68ede7083ae46670d47a5a18288afad66f6cda20de24f598418abcbd712bc681470b0f6fb2532dc90610273db82b055fc6ba91034

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7ceef8d056090f2a7593161f6d2111e4

SHA1
d6ae1ee0a3676dba5a94f7e2000f287386ff9874

SHA256
d2a3ce4a6ff202ecfa6cfd2ae3601871ad3304bae588875231be2d7dc8661abf

SHA512
f625ce4341759394be2a553004ce4c4e6a266819d6ef9af677178bfd10d61129d5e6762e5809a5fb3a2e394f17bde1673f678f240d7f1d783fdcb67c6e81deac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
8a069bbd37a4815c979b55f85556d2f3

SHA1
e0da51b8fcf9608eb323b28a8b661e31334af914

SHA256
fd204b5445f5d8966f93e3dcca76a958fcae3319514c27a4796e4786a47ff537

SHA512
eb02272b19a03ce42d4f3b9ff2ac1e3fe63eb21888d619ec39e0db776f1041d8acbe0751931a526927c1b168df31ff94b2a75facaefeecdcb699f8424c6f746a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
853fad8223e31f9efac4856ec4c7668b

SHA1
b8bda0e0eef1123f1c036539f2d7fa0592eaa676

SHA256
965552d0832936ad1e7dbde4c8be3f8bac750c8383e20a483177986d5be9cee6

SHA512
1c8336002f3e8350f3281a4dfc5662d336ede1dab4a8a4036bd54725fa6160332aafccb4de8e7e84b4e2a2263ab01b06c0b4d612145b001a40f7fc6f9ebf04d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
d00159dc8f8caebf8ef1b14a445a940b

SHA1
447becaf00fcea437701a053f346603530973798

SHA256
a13bd14dfe94098ed922b3e7a4fce2fb78b936a6a133a3a52266ca29c29e9e08

SHA512
fd914bbfe08701e743e584a3bd5152e05191fc6aad8a05a4d13764453bbd8a5e80de09c79474d497cae7f9d9b427523fc6ef85280057778b9e1778552e15f419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a814193573fe1cec781da4b8fb862750

SHA1
33f58c75e560e31f955544b64e39a892de84a018

SHA256
ed69bba502e294b8a84fd8f167459d351f858f8c86b1e5419a9fdba64558992c

SHA512
cc8e90a7ec19873ccb3ecad22a8b743135667496bb9c1318628e7bdd7f7859aee438c99ccda35fa73d0b9a6c10bb650d1f0b0977b3b4b8741e706690b40cfc02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
14a74041d3c0e26810df114e9815e02f

SHA1
1aba85ffb555018aebb767fd7adecd3b29020104

SHA256
22c8129f5498a63c2b4f4acf4e8223a3135ff9c1db6bdb7654c0f9030cf06573

SHA512
794ed39fa136bf4581b16579f5f437a70a076573de68552d774cc359d6a800d3c346406858e836386c3774631979e837162a144a6092afa6e159f7156403bf18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
25dd32d1cf8f5c4ace859f9bff65d0a2

SHA1
5e03865689c8d31a864a8b6dddf4de3e291003a1

SHA256
fe129e07da007e8c3a4648a780da369b27daba385f1905a4c0550b24bb2f5775

SHA512
2a93c2e2d6e21718f176b4dbc322f36fc87358b6da18472676dd366dcb862b302a3e27636433c4ba51ed1e9a6bb13da86570ccf974b1c02fd832419c75bdaf7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
dfa3a9940afd8d55a025e1c64f9659c4

SHA1
8bf29c13577fb7dcf4525893bf5f8930795a6475

SHA256
f770b492ccb0b6edea964746c5e9c1fab311c6f47d506b261aaa5bf00e6012c5

SHA512
006ea3a008571af0082712725b89c557b805db8600ed94c75cb093f0d394118d31d8bf34622cf5c2fe37cefc1018fd83a8a87f6f5995c92e17139f83de636896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ac92bb69e7851bd1fdf9252fc36e9104

SHA1
3ef7463fc247e38cac2ef903417a8eb764da130d

SHA256
c08b9015712f6eccb1ea8801b81f7e0707e65677bf4f1f00a0562d9e119c08df

SHA512
b80064884d39c990be865ed158949556ee5ed5980ace702774da1156ee5ae71ea32bcdd472ac7c41b5ec28e11e4a2b297c0d94bfce8c51ea4b9373bd017f25b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c0c3da74f86f5ccfb14efe5d1895867d

SHA1
6e8e3ee462932eadd2e0b04285ddd7ca74b743a4

SHA256
152723b57de87accb76679340b7d71df4b6ba66b4e4cf3f2d05db1803345d885

SHA512
67348ccd28414ebbdb233fc14618c8e8a2e3a54152365d3f86ded428f5ac4f1e3eee441ff605ab24fab8509fa6540b6c047c5b209cf5fa60e2a4499ca434c0aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
08af605f11a6c4f5fcf2bdd0ca6bfe3f

SHA1
e2812291aff243e5482552992e3cba2e64bc4c4b

SHA256
1fae01a029cf3a2d79aa13b1c76a87128d3324a997ce20907b46ebbd65e322cf

SHA512
d87f05ca7c695f4ff0203c319581d018c2923d2355491aa7475c435229957f8a20bbf998eed0e705be65c4f544aea6e7239d06758a7d776a05bf893eaba19356

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f645321e5d8bd6d10f6e6e2b3ee097fc

SHA1
b3269a2bf91dc78a7206e0d3beb9266919d4584d

SHA256
e58af35054335196aa4cb8fd5cdad186264f07e7823fd1ea7479837037587dd8

SHA512
5fe430c762ffce770a62938f25346e7f3e56cec6417a42d070f7fa32c5aa21b9df88fb1acd3517decaebc7116a1b0b1ff0d0de658a7be30c3f2897bcab9c000e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9fd937043167558f4ab598dc49a7316e

SHA1
a203020850efbcfdd300e1886b0ffbc3655597b8

SHA256
04db7d6ce2c2a44e432533ebab188fbed7ed754a5539e9dec1b427760fbb1b90

SHA512
797706c5278a669e5b41475d3d6eb517e18300e8c356b14e4bdda11ba6939c72ea0a56d78ead92299744f31c42fc94576244b3997c06891cb90086bbddaf1cf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
2e3ba3c1505e13d4297114969e31cdc5

SHA1
c4d12a0aefd942e042cc00759f9a90c93c0fabb0

SHA256
be20dc8332aaf193b9cc67b69f4b33f8fd055d52653b5f32a98da9cfc77deb23

SHA512
0b5bd8101a197f31657adac06262cc18b1c197da212651d50f4acc900fa39eadf8d69bb9f415011b078c354f6aebcc7c69762ed27a923ee145355f0e34c777b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6ba0af9f662498a3af9df14b1fa28a88

SHA1
012526f3040931fcff1fa06328ec30bd61e5a41b

SHA256
b008b60020534c4c90ba2bcf47240e2dcf4125e367782fa5a72f60d62c9095b5

SHA512
21ffce9f3a2047e588b39385a36d3892ce355edda5f84c75793cd4848e0afa67070b175215bb20aef2f490a8a856903ea2c363b65811a4a9d51a628336562895

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7961f7ee11216a92dcbfc89e362f5c73

SHA1
618004eb363b2d8bbf8b4e1ae0295213be73c297

SHA256
81dbf5a0f0bb8dbc86fb2959ea165d8984cbef4b0bb62b3736d4e58fabf79776

SHA512
d320cb640cf73df77efd061583826cc1b2864dea2f693b075cf83980ec3f331b66efb24e7a8691294569b0acf6564e60a75324213d230e539994908ac0b507e9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b3915527edaba0b2931baf2b9f2aa02c

SHA1
fa0b3434236b67a0619f28d936f7c68662ad209b

SHA256
9fb1b822149700f8872f07785dad7ca9c669a837fbcb2598cc67e274d1275346

SHA512
cb6fa2d8c6e05458abdf7f7f5dad88d8eee992b0c6c7c7bc7a46d8c3d9e1f3a3ab0b9cb36a4e982af02f937a2e98a06d22a323b6760c55ebb43dc6e343ad66fb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8070b077dd70ab5cc3f226de1f1d38e3

SHA1
8d71560b1e1e2bf3613da3f9d81fd88c80f489d5

SHA256
f7c825c13abc45534adbc93cd14cc02e7c1b5cef3d191916b04d0b8cd201683c

SHA512
4b2f3d69a869159af513e3d73d54b84d740be2637bab6aa209899e13f573e92634a037eeb48973787af5bc71985a44f1f60a0814a5ce0da10809fab644a87773

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ab5967e907392bdd00923966a80f80b1

SHA1
9feb2805ee4cb2c91a24e8377b25d969f4f7322f

SHA256
f3cc88822d4130242c91e34ab9c9304388d08115ab4580378863581086f658ed

SHA512
c24df96c5ee5e9e6977fbd2b2edcc56502f0b2bfbf021365ae09796edfac9df9df5e88d08df72ebf6f0f86fa174a82512cebe146e9dbc22f296d5a2f0a55830d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fcc5581a12a7bf288d883777661a9e7f

SHA1
2acf2da06695e840013761c7ccd6f6d9291dac8d

SHA256
79e11483a2af2974b8a1378c6dfa2ace8af01eacbb858408d6764ee7841b4d86

SHA512
ec3590043d983fcc306a0201f3030b1cce583c01a7521480abf2d6ee126d1291315032a1bcca05982c5ce0d4dc9117ebd0779dab194a6455f9e85a94ed9210f2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
13f595dac0edea0e8626faf4ee6c4b90

SHA1
487a4b29037c8422f991e0e96bef3298ff40a31e

SHA256
1bd5fe6c64501b85b804c8e39199878910d3e3a7aa79f83243d5778816857735

SHA512
e752d1ceeddc21003f0816b6263daef0cf3c751d806faa12dde123ba85a49d0f5d834f4840dbb9f955b43a4b4749ccbb57039e9396c03caa0ea7d126ee406c04

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7718ff9323c1c7e4ac2e39c3c89aa2e6

SHA1
0685c8d8b6b82c6811c9dfbc508686339c6b95e3

SHA256
26f6ff5cc425a0b0aafe822e9ae064076f325729a8ef683b59eca4b5eb825ead

SHA512
84a9c6b2ef8e524a061811b36c3c01ceb4d5a3df8d0b10467f9d5eca7eff4c318e265b081eedf12a4e5ff51dabb8e8b2d9cc35f5419ba7227903c24e2e4a7658

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bc25c77445d2efea7a792bc92031d1f2

SHA1
064b72cd39c5fda6131165c736c3e96c3207a17b

SHA256
f4f29adf4705a8c7ab1af1a496f38c6f354c42cf65779a7c064b309e8b9a5b27

SHA512
904fe93dc22d6e63a7d45966381605e72635e8bb20138a035fcd25b2b471c87612f7514572b386f238ae7fc7a4967afedf6c257b47c023814852aa2f4e48f179

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a8df678fff634714a6017083c134e324

SHA1
1005eeeed268b9923984868e5bdeab75ef66b512

SHA256
b9e733e6d656c26a79545189f2be2e74c54b5c9a45bfe6e94b56263d4b61dd3b

SHA512
cf8c18f728a8784b840f258757d7a05feda064f120523c53916605ecde15ddfeb249671b204cfd252ad218ec52a3c9fbf7638c24dacf9c18dfefb22e11ce1420

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a604ebff21c9d24fe21c184d43187320

SHA1
f624235288eaa246e9dc3b648353e0b244ece3ef

SHA256
98a64b651647284acd18232356bf7cb114c12906e0563fdc31f4867c8abd0a72

SHA512
7895eb14319f64f7405f8a74dc5049515752dbab04b6b901e32a4f643c80ec52b00ae5503bd411fcc25d793ea842d5a46ef45119c35a235a5e3ffdbf7c63962e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c4130c98403dc7c8c13d46802b43e66a

SHA1
7cc4f562ba5e142346c1879cee65976e1842f97d

SHA256
3a295019e416195ca7d3ca0f1c21338b5c2e11599b1d9ad48601b2002396eb32

SHA512
704712c89b51a235dc15363b44f005f8eb282ae2c3075269f20211d01da39e8e3df02488b1a3ae0d169fc843df60ea88eea70466bdf2d3361ce667483471af89

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c01aa134ec63819afb2942405352a1d3

SHA1
b1c3b30e15b61b2c41722f9942917642468115ef

SHA256
be19c4b54c20ccda6e103b2c6bb3a206aa4dd32b7951b326f88e55b39ea97e27

SHA512
edfe7991897599cc447cecd5ed5ad932c092cc5bf4db7d3aee7feeaf38858c94fb20324120fdca9abbdb840151509f3e0573cf2fdd9ab12d18fdc4c62a17cff9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
70c676ade58e1ddcf75da9a47c643d2b

SHA1
ce9fc3eb82d8683e97632b343a25e8c6024ae8fc

SHA256
8574ff9d183287e2378d72d571b4ef85b2ee110ee646a091b0bf7c2f25b9a4bd

SHA512
4c7360abf99077ed9bf0ef87e1fcf0004302fa08ead5355c816165f00b37259ae8879312f0353bc5e0ee8eb8e6d9956e3fd17d070f8a41b601668c350265dd2d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
08cee45cae4c876940e919ce157d842c

SHA1
07188d92ef5b3b58110a5e8c1b3f78d46073c71a

SHA256
66b7ea2d39313180e9741388a1fdf48853d4c039af84e12a3cfea420665303a0

SHA512
4fc0350b5783c075a300d9cf0c4cf39f622c8ecf09b7e4c710658e2abf64dae731e573d5ca702a91cbe22057d202fb6b7de4178cba243f0b7c7f6e9d257af3bd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f1eee00cfe71a4a1afa5aaa9759ee30a

SHA1
dc7dd83c9e679e88ee6d831040c8e94a94b989b3

SHA256
84ca1e99264cb4cea0dfbfe9494a8e0e0cfae0399a55a1dc580eb7da5323afdb

SHA512
4286ea8f52108ee7d5f9ccb7db2bfa76042d40793eef5ca5af956a70a82049b66658988b3f1b7e74ad00c2d73d509287f363b7e7ff2c7056108bfbb167ccb8b2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
85bbaf5dea306676a257483f2fbdcbac

SHA1
9838b6888be438726a90fefaeb39d9e41755d4d1

SHA256
ed51f4561f765c9c60abce009b7b4cceb705d5ce56448a3904d1d05528b09baa

SHA512
8a591d64f3a3bbc2f72e8e8dc1d92210a23950927a4ae8c7540469c8b25ed1084a32c6b140896a6fdb57cc66fabdd7da3db4490968a7d088115f57ae50350e4c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
07818a12f86f80dc2b212111f3eb7860

SHA1
f86faa6d74fb456a59b4fe744dcef3bf2238f4b7

SHA256
175facf5be5f96e65be76da7378a00c7831ae17992acf49a25db80de352c38c6

SHA512
a0051da9a84803956a4d61b657ef30d381ef4ed226bddf6831a656f70d56425e0cbe36d09125424052f2a960ee76d42ff524d6a282ac7e8d851ad1b7c7e1596d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
56455ebe44952a0a6f42ddf2395a242c

SHA1
1dad30b824f9087bbed5746018e52f0e87b52061

SHA256
6ca8d551fdcd6e1d0e57169e91d9fcac348e13a7d93d8209f8e12dabb4ebdb48

SHA512
4eede39d2d1682ba604ba7042eaa6f9a17f0a919754a4be6f66a9f8dba65db96d5a7a10031b18bc51ba686b92a4f6b9508df9d1137d5b264251b25b1459f8f18

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2e5f35cfc4fc66d24a71e49c66a0a5e0

SHA1
aeb833635f4f284abecb5a136ada264ac96a1d25

SHA256
421cf6894f203f2528506a8229c858a0ddaed01c40bb8e9aa3e4552d5940fe46

SHA512
f5cb24f4826f20ce80822ac9fa5797bc95660572ab2e0b6d30a2dc6726f6b31229ce98302b80fa027915c3a62549fc022b1def4396599e763f13b80c136c6fdc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2520b4552ff288647a74323f98ee2482

SHA1
7f7f25d63f73fcf94c5a056cf2d6a9b649011367

SHA256
935dbb32a1afc22e4ed0ec89cded8e4ba5fa791a2a1aed93793961cfc92c8c30

SHA512
d5fa2f72ecaa08d24a51cb7b00222123231627b320ec9e07accc9c87705cff70693886276f17bfa7ff2cdb08635d1c5cc208e2c1d3ce0d252ec70a17cdc71e1c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
524a43da85ba0bbd802b4e917ee38e49

SHA1
dfa1bd27864c69f6904dbaa5fe6c78f0623801b3

SHA256
769f5e24be3975f230fe6e8be68816d5fac0135454e8e3dcabea4348c538d1d7

SHA512
ec6532360ac6e629a2d25f0741f27c62218eaa3788d8f7b2d8908df9b68f45ddecf5884d2e45d46ab683f386238dd1fe7f7f1c263994d67f93acf3269933c3fa

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b39fbbe1405e215b68c567b15c8d6332

SHA1
627988772b4016eae4449c43cd9f0fee83c24765

SHA256
621e83b4fd8c13f7e373df3e70244513bdf5cfea1969d2138e737128947c75e8

SHA512
0ab6c23001375f7885ec41ea99fe828fd8fe985ed26aca5f098b96607c5788007fbad981a12adfc14f995eec2cd40eeac7d095bfd2609fadf3c731235ffd889f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
915a39ca155e0f020dd87238ad0e07b3

SHA1
0278839e69df9ca151eaadcbf4dad415eba5578c

SHA256
a54da971447ad131be088aeb06363918731a36cb858a8de88de19b5625f48a7c

SHA512
82158d06af1ede0e92e19dcf67a89bda8aa8f21ef61b7458b47266eb9097ae7977218fb815f9a74552551eaac3146fe31e5003def7f74ff30f671e90a459c751

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c272d40cffb7b32b0b5cc25128f4e4d0

SHA1
360d53df1dc6e3bcf9fca93c167b90215664f900

SHA256
2c00d364c8d4dc8aaebb9bd015325e15334b1db286a65b41ae1c1e8f9ce76c6b

SHA512
e9ed88a95761303948ff2134b0953d746412e78b4defa442e7acceafc294a726b1cb5faac78fcf9df3051e07ff1fdd6c1b238a51ef94e14868691d5cd9c81483

Download Submit
memory/660-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/660-540-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/964-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/964-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/964-56-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/964-50-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1288-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1288-8-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1288-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1288-75-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1532-192-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1532-467-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1984-250-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1984-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2144-543-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2144-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2300-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2300-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2944-76-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2944-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2944-86-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2944-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2944-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3008-141-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3008-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3752-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3752-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3752-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3752-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3776-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3776-58-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3776-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3776-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3776-47-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3928-13-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3928-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3928-20-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3928-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3928-19-0x00000000005E0000-0x0000000000640000-memory.dmp

Filesize
384KB

Download
memory/3988-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3988-545-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4024-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4024-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4024-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4024-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4172-218-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4172-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4356-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4356-544-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4460-190-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4460-448-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4516-471-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4516-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4532-203-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4896-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4896-349-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4908-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4908-431-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4916-230-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4916-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4940-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4940-497-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download