5c4e414a9df742c7f3bac4ca14282d038dbfa96eac4c87570ecd67de7159c2f5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Size

1.8MB
MD5

05438e7dd1965623cd07875ca8d1ec17
SHA1

74f1bf2ac9af65c8495947fdf1fa6d9025c17e0e
SHA256

5c4e414a9df742c7f3bac4ca14282d038dbfa96eac4c87570ecd67de7159c2f5
SHA512

15c88c42762502a076d1f1ba4abc31ec047427ee10a28eb808b31ab1dcc1eae171351936522971f42ffbf6bcb7347a91ca2ba131950e9b7151f45e2a5c64c3d5
SSDEEP

49152:TE19+ApwXk1QE1RzsEQPaxHNm3OPV6Vp:093wXmoKe3C6Vp

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1236	alg.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
3584	fxssvc.exe
1548	elevation_service.exe
1748	elevation_service.exe
3720	maintenanceservice.exe
3300	msdtc.exe
1012	OSE.EXE
1204	PerceptionSimulationService.exe
1820	perfhost.exe
1600	locator.exe
4528	SensorDataService.exe
2984	snmptrap.exe
1396	spectrum.exe
4188	ssh-agent.exe
2244	TieringEngineService.exe
4504	AgentService.exe
4532	vds.exe
3556	vssvc.exe
4288	wbengine.exe
4624	WmiApSrv.exe
3140	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b546d85ac3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092f4e198a0a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000283f2e99a0a4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009441969aa0a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023c75699a0a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afc91899a0a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a15ed099a0a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000196289aa0a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005679ee9aa0a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004a4f298a0a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
1404	DiagnosticsHub.StandardCollector.Service.exe
1404	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Token: SeAuditPrivilege	3584	fxssvc.exe
Token: SeRestorePrivilege	2244	TieringEngineService.exe
Token: SeManageVolumePrivilege	2244	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4504	AgentService.exe
Token: SeBackupPrivilege	3556	vssvc.exe
Token: SeRestorePrivilege	3556	vssvc.exe
Token: SeAuditPrivilege	3556	vssvc.exe
Token: SeBackupPrivilege	4288	wbengine.exe
Token: SeRestorePrivilege	4288	wbengine.exe
Token: SeSecurityPrivilege	4288	wbengine.exe
Token: 33	3140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3140	SearchIndexer.exe
Token: SeDebugPrivilege	4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Token: SeDebugPrivilege	4264	2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
Token: SeDebugPrivilege	1404	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 3096	3140	SearchIndexer.exe	111
PID 3140 wrote to memory of 3096	3140	SearchIndexer.exe	111
PID 3140 wrote to memory of 4704	3140	SearchIndexer.exe	112
PID 3140 wrote to memory of 4704	3140	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-11_05438e7dd1965623cd07875ca8d1ec17_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1236

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1244

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1748

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3300

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1396

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d1610df30a545e970cda1748c509b5d9

SHA1
7cf4779c9e0c59d65dc4b0993a47d73bac36f59a

SHA256
2e3e42eb3216646b0ad3fc975916dba108c77b8de97bbfcb06759b3c58addf5e

SHA512
5727f0fd1b2807b85ffdd303d3c451446e37ba657c7dbd16b189b2945c968b5ce5247de5f681ae9b2321ae346ccc88e81574574e43f8f3031b75c5a63b576fc9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e75873a1b9038cc9e5d706c1421806ca

SHA1
76d69955e834ec5f034fc1f578417b17f3cabcc8

SHA256
b83428cbf6ef648135a6844b467aa96f5191c5b9fe9fcf3bae13242cda026dc3

SHA512
2ea79c7ae0a1ef1390104c3ec8b2fbeb9ca69d2efdf4453097b52a43ad3484aae269e086dd0681c5fa81b859f146cf01578922aef751402f56cbd88f781d3dd1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7ce0822017dd58b88916f9d405db61f5

SHA1
6fd199b65e57a2e3070b13f0e3620e91993569b6

SHA256
b349d94fb8abc0f41259f83b09e8de170250079ccba8e63d3a9fd01b7971bab8

SHA512
cffb4833d64722a68b0a30769d0d0ed65a382afd33e959614b072ab82bef3be277af3d6321880985b5298db3298ef09dba789771d3c95aceb24ac32ef58eefa9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
513c285ba1c0b47375c791801c827bb7

SHA1
62a80d6bf2f5bc49a4fe5df2275d83cab81599a5

SHA256
54c0584994ffc605399c57fa9a9da748da657bcf098e3cb75bdc485b41c6dcbc

SHA512
c71160f3b1cd4f05bc4dd4c8e770af48cdfc4253c5144797c67fb71cbb42177458fdb300759b4ac6abe2c805ad2cb543bdf97a374b3481226ec796ebe586d881

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a52f2d3fa75996b7c64c8a1924d78c60

SHA1
f4aa6bb82f5333d43daacde7d4f1f3316647a818

SHA256
2d4e2ca34e39fd94cba0b7431c1526cf1eb68f8a15f836f7bd0bfa0b794e23ec

SHA512
1cb4ef689dcf180b26e4518785f41c0ec62545c0867ffe752894ee259a617cad8c1f8abd14f91a71e48d61bec07e8f6f48871fbb3c6ebc22b7840c82d8c0c191

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
965ee21299767aeac48b3dcdd67a3359

SHA1
a5c181e16948aebd8575cef33b819264583144c4

SHA256
ff0ce2b2cdcc242737e9f8a052415041b1392498205986a00336615411c13b33

SHA512
78a4a5c133fefb696942ea1855389cb8fe00ae869aeb2201e074f328caf979e5d96f5d59040c3552eede533fe319683de6b80542305ec88afde1b78cb279083f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5c1c21758190d714ddbddf61c3e77f22

SHA1
637b07cb7f0055b7a7c83cf1d58b04928572079f

SHA256
ba11bff8c021d6b70b2dd78a80eefbef57340ddfb138495814f0f98ef243d333

SHA512
0b0d73ca375024ec61b61c8478339ed245b4a86d9acf99da9f37480bc9966727163435f20ddc796bf7d14516f399d2221a346add08f87e9a06ddcb52b420f424

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5479f88f4ca2519486a4fd10a1086d30

SHA1
cc292efd8e898dff731439813824f8e5eadfc0c1

SHA256
8707a27b2ef9be36b66d78e164092f5ba0362d93492fbdf8b0444c219c3d6244

SHA512
c46bfb9263838fdc6d4fdd7f019e30b6da35c8d43c9b2dfc4547e55518c7bbf415dd22699183747c089e17aafeaf23d7254d5c49e7dd59cc43cfaacc03da7ca8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
db2ea6347890b19bfd5b64c5934bba26

SHA1
8ba4424345b1f1dffcd2f95cff99f6e4631088bf

SHA256
a3100c45630b4a701735f86af408b71037bbe126d1bf2e0b5da323eb55b98d3b

SHA512
ab41fbe7320d8d4bb03dba846b27a31e031075b299606c40f182cb624fcff635f66fee03c920e31a44a638f7f01ea79b9173ad073e0a2cb89fe80f3c020b7d2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4b828b36f5e6e622b406d35714ecd0e1

SHA1
9254a851f2dc5fe6e36091706b36dfb4cbccf2e5

SHA256
ccaa34dad6542158853a08579134b0f0f715dff92c6289c7162d8d78d8d1b9fc

SHA512
4510c50cfedcf628135058c20658635e374634bf1dd3a4fd47951f7937a14a3dce41b3c8f6d32bacee1e07c80d32620126bbc2819df8ce1f10a48d89dd59d5e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a73e1a64571de7c6e87d954a7b4cfa75

SHA1
42f5b9324111f74a86e366a892b0768cd88f4f8d

SHA256
dea10c2dcea0967efa0377926b05755f8270707f4979bb57603fb579d803710f

SHA512
163ce04d7cab78087388fa58c59b335e46fa3c45899f3bea156dcea5045f779da257f92a89d79384984a0724248a14738c8f2f2e51037e9f49a4ed6402c1761a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8b265141f324dfadd16782614719222a

SHA1
52a416deaa2c706c360d632b5a31f5458a3911b6

SHA256
35da39992f397e6c6c029494c47ebf688ef145cab02776cf97baddd698dad415

SHA512
902e82262a6b0f80974130786c4891464a0a08bf1c64faf83e0983e142d68b6d96cdbdfeec0da96f646969531bc4a569ed80fc4d0e277779e0275652ab159676

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
44217062ac5c6f923a608915f4d32143

SHA1
8f6dea7cdc545c7f1bb8d6c0de14d0618f2140a7

SHA256
4ec8640735fcf737bc4d2141f1ab206873a9bf6716a4c35db1f08b01ffa81833

SHA512
15bfd14d2e09a0c5ab4fb46396ac8679ae55c575500f7487f165486533b6269a1d609d2720bc71174ab2ab8bb9f904e8bf8faf5b90f50ff66a09c0fec169301b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c5c5c0c9f08d658d79f703da1d4fa420

SHA1
564e998eb5d0afb42d4778c9c095f218015d41d8

SHA256
f0af47e9e8554c3b3f5cd4216e74a187cbd8ef97b762deb0041eba19965fd155

SHA512
f8e32633f377b33c049c367f0f2c2ad0df58150854632332e2e9342640c37bbe6ef87c109be82778b404e1aed338cd6c3d2d16d0929e777d4dcdbc3d065a2296

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2d4bc8402e6a3d13e2dd6e98751f9f77

SHA1
b96d4710f3cb98483f5c804546c4cf17f3298ff1

SHA256
f50c4bfe32e153176ce4eeb37ad4058c37cdd7f1f21a1e26791036bf4da18913

SHA512
50e2cdb6eb4155491917707eb28a2162ea3763de918f1cc3e3cf8b5b43d7eac3c7a1fe5597686e808956227ac86b24ebe4a71b94c97571539e3c1eb4a623b3b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
497b54bd2bd028dbe5ddaa0d7bac56a7

SHA1
25e36ba122dc99327a8d42feb343ea4c29c731b9

SHA256
cec933e220787d9fc085b1191bed7116b0ee094b8dc7af8771c839f51da0aa39

SHA512
3e956047fe60b1e6fb39f3e0ea5e959343ac00960979d265f2d3ea250d7a1c06bbc5edc5467bfd568aa558c494b55fac230c3b7e951ee31cd5d6b354ab18f3d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4890bd699654be481bfe81ecfbdc4652

SHA1
24230cd208f1ff8f2f2b65d2ec858a3eacbc5a73

SHA256
b2787327dfe4b0693a082a17c82e69bcd3653f7de750992231dd5d3df561ff28

SHA512
4753b1e242d1ea54c7e164b18116a4b66a6dd426c6093be740354c4706546c1abed156ae5b207e0c00c6eb3d5d92867a8ed8a4edec1625930022b6098f740650

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
17fc304e6eb4f126d303096bf7c4ac61

SHA1
83610adfd41c61a29cf03a66270c11d3710f34a5

SHA256
bc500a3c379c9eba66dd7861e4b873ed1d7562a269c0ee4f7049172e967b7807

SHA512
b560267ac533d7b2c2fc0f9e3f506c9f0e318128196c9770832ddfae8ee79c0296d67668666efba3c75d3b260bc79ef20d989bb91ddcb2a5fd03add9e7e7d521

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e9271bd1c328eda64d75292b2267d9f3

SHA1
4b4df26c08cf4f46c0449021ae4ea068a8926692

SHA256
06516377074eebf46d9860cc31827f63b33aa4a7dbc327af1f1fc79b0682ffdc

SHA512
ef07d277e27071c6a9a94c8c15784d929133561453b70271049b8eb14dfb1f4d55c321ab78693108156514cf83d8d7a8b3681618906cc7971cd2370a9f0f291c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d1d3d1cad4108b94776d779348e6b36d

SHA1
d35b0d45dbd5c4daa99f2c8719b7bc2a818e569e

SHA256
65849ee15f4ac02c1ed2126310bf1f7a98d531d15850f795680f0e8b82e2da6f

SHA512
84a31df09f4ef25640a6d8d69e397ff47c529d80be0d1e834a1e0d301fd68840741d78290412b22772f39c8408d978d930fe4243c4ee27eb37f93a31a6a0b33e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
64d999af2120ee59fdefc99008f6b2f9

SHA1
6efab5c3b6391e32377ccb176fa49bd58c0d68e0

SHA256
8b2cb15e4cb524c334a6d784472cbf09902f85ab7c7627916a9661baab916983

SHA512
68da664dafb5014b57f7f0be06525d0719a01404d12a8d404ee46a1fc0a344884f79ffa95d623f70192bfc65c8875dea38216c4fd7fa842254592ed8aae7159b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b73cc36fa0439b9bfd299562db3227c1

SHA1
2d801c6e68cf1580f124177db7df3c7c6166b475

SHA256
7d16e77bb277ca8912d7aa74ee92ef292424a2a5376a3e7e0723a50365b39d53

SHA512
9b2e3133a14c29331fa541c04d6dffc03385f590c33c9d23c2d9b2f2a0a807abe31b2896c00bc4211f0de764b5df19f464d9c6e7744e0ecb50b2d6681044b870

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
04a1019185198722c067000e939250d1

SHA1
eae85212d82b0f006db67657c6b1b8f52d2bd5fc

SHA256
f1a66440630cced5e8a19d54f39d1b1f94c04f45f356dd238be96a8864a91a47

SHA512
4177f7023ecdf1724c63acc0c5a55a0edd1df8bacb8b995ea8c69cf79c2f4debe2544b2c359d736c2420974475cd55f20a457dfb1e3d71c9b73a86da27868774

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
c46d6a4b37b9515b2f123e14f0e9397d

SHA1
1b11be59d7a2afb742644cd4050d60a05e559797

SHA256
26e7d86738536085660e9d9b04b9b8f4d27cd3b97d5a6643a84f8929b81306ff

SHA512
c87c8146681445788012a339656fcd38cf157fd1b9ab6b70910c3d89c2cc932bfab7f3a2ecd894eb23e32d680bd1b47e8d4ef13db173f11ca203e6a2015e1ca9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
880e9e6995fd140f3da20b123b4b377c

SHA1
2152206aeb3d9399b6fbff47d6f439ada845e94b

SHA256
9a3e13eda72f8d109b99c2a353365b9422f3a481fc549bd6d249e616f8710e87

SHA512
37c0c6b799d26aa51e5b9710bb9c6e6adbfc11567514c6a1be3c40f394db0ab246730956e491524b9b3e6ddc84f5516969d1372efcce43ca7960a321b7502070

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
15fdb17a8264c843f618131b8450c557

SHA1
b683375ee6da7884f9a26b16ed9ce4a52c586376

SHA256
7878d7f06dba444efc70c56caecb8481a59a2d650c8f03ee56c8143271e5bdff

SHA512
61133568df2490fbf7df63c17de683039262eebd9548ee2bc24d9d8e967a4fb53cc498e0f841a83882797e74225e988dab9066db318bfe10cc7beb9b80001aa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5055bc1533329c4d9dd381b4de2bd900

SHA1
f5e557045bad2bff00af5afc0611f9f037be6b31

SHA256
59ddd137af180809125655b6ddc32a709e809f2648b0d558526af54507d78dd5

SHA512
5a5f734983632762565477d92a2bc8fa04f388dde52b05ac534b10f7f6c86b6fd6870501ca45b80a2fb0329ff87fd67ea8825ab632b49b5c5d3aacf189cfa975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
e6e847667af9ef41a4c670a1af1e4546

SHA1
d0810b39965c27adbd378733e20a11db2a2b0639

SHA256
951485aa7e37fd1019d99b904addf9e1ab62b0bd2e4d5420edbec1fd877f8c0a

SHA512
0fa5b6513f6152f0dc2c337ec07e1d2761b3d24abe29ed37d679a7d66e6ac54a7dec6643f6e0b82d286c41fe185aaeb5167546e53030283947666348a0f4feff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
36035a1ad1deff0f4ce82c9323ffafe9

SHA1
69f55e604bb94ed59285e91f2c6e59f981598dc2

SHA256
ab9f4ff4f49cab2415d46f193670804d4af3d3a9e43cd2f36a6e0b42c49fc50d

SHA512
0d11d465a0db3570bc362f10001d61ec1ac40b363efec047f91a81fd6fcaf4d18c4d32a223a474ce9b09d1149e73a86ea5672d07c031c25a7cc7b5c28155faec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
23001950ad3be10d752edbb2c4ab18f4

SHA1
7116ed83c6e64ea6ab053e3eee4caad411022bf8

SHA256
ff0ea5aa9bffeecbb844c0b48afae886caaf6a891574ad0fba04d91c5290ef5c

SHA512
25f999fd6f666dc2669ed0387b875f187236939c161fc1a9cb3400deb4d007b320f05567f748a8bc2bd007f307571857a28ec419f881dd9b586c535838372f8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a688f0c9430750d26b5b055304167f74

SHA1
23c23f666bcb7168e5722da4c813d0ce4f1ad2ff

SHA256
59ff621591318db1075342d2d39b72b344d540cc17c3bbe6b162792196d7ddf8

SHA512
2ac134536364b3e3bacc869fb403dc32557c8847187eced2c2d705df37f19489493277559e2438ea072178b8e88658892eab1a952d3eadb4c2e5553c70301e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
dae18c7cdff5795447948878a95af3eb

SHA1
ce19f3c042290df530e51c32dbc6fcdabac074b7

SHA256
0598809d23780edf807212b0dafc8124a5cfceb5573057e15fcc92b221ae325f

SHA512
03f922e7891e966fca13c2ac6d83c42a210aa9de2e694d3c11db2dfac6e391dd6f600cbc4e276328ff74848f0bf87d1b8c3f2fa537a999b7533dcd295085dd1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b6b6842af547499eed90b2b2923946a1

SHA1
73adde475980f898a7c7eca250a7112c6e2b62af

SHA256
7f0349a5127688579f78835569a68d51346e436b511d57e4b7f1d58bd5e0b9ba

SHA512
b69ef502970f7a1eace8ceead6c56eaa7b1a67aab105115294b15ab4055b9361adf011ad0d1e8ecc1aec76ac46f09fb1a6577921fa31533101a7e7c1813f1d47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f85cdcc2fbe3702805bb7c1864b72c2e

SHA1
105fd9f40533f6e1ce7f37e1f4ee1a050fc16de1

SHA256
3a0d65851a1160d1b57b7fa92acd2e0912eab16e81dfe8f9f43aa1aa4e1da850

SHA512
8a145a730913b2e2190be5fdd93cb41bbd5e4a7fe0cc48ac570129c39de7d22a58f18cb5ed8cff8078eb34d1d11825072dc158b22448546f63e1f2eb62fa4929

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
3f64427aa1c97cab1007b67ef88fff20

SHA1
00b60a40b7a61e7c83e5871d1a88dead4b7ddca7

SHA256
54cdd0cee2907a0d9c19435a3bf72c09ea71dfb3b6f14af608ca58544441ad6a

SHA512
f7ff490b89317ba64b8b8d023b7adae01a59072cad489bff7146b98235612d2a1e870910e51da999945fea035c6a98901b74d030ad6ede52d31e6bee670d6cbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e17b346971dfb722e21ff4fa17a0a89e

SHA1
b171abc7048206aa7afce059553f4178485ba3a7

SHA256
9c40b35037cbf0adcc1a59e3d7d32b5e0e8f7f1a07576b970d86092d73c45fe4

SHA512
ce8ba303cfaacedec6cca0dd1f33689104821742770a5af365cd50673a73a194a376ba2c85bf5d664b5d13898bbeb9267b1c3ac1ac700a622255fc7532c72076

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a22bac2d5dec9a27bf5cb2a5f813a27b

SHA1
4f934403bc3f1e158cca9ac0eaff49daaa538994

SHA256
b3dd864b3d00e4ae1e73c7a4e32f5390d2314128d09ffa523d253557c9d26310

SHA512
d779dc012a2227411942e20bceb8ef7a208f2fb5ebdd247f73bdb4d619d94df8d27507feda14bedf210208ed8a5be3ee96d32f0a97842b09e144853a92dae149

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4fdf6701d8220a329b30815752d65e10

SHA1
2c665b59c428eb727fd0f28dbfe75c5d110d520c

SHA256
8c143233f5dba7f9822955fea4c41cea56e805e0e52333dcb2a64bf770644d13

SHA512
da5e65318e16d909cf34c9da4514d0f935f7d0ea39025e44a8e2503dd2347096102869041451a4eb3857e2adf790c7012a8c20efe318879e554744160f8a6876

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5272a64ce01b52997409baf14e175f34

SHA1
c5ecc5a1af45e81e7bbaa9a96c950dd738e1d396

SHA256
237b32a334f0a64871a46439c5a381f9d667f01cf45e4c6fdf478871ba94fc96

SHA512
6353ece705d08307fb5566036ea1910e103ca5e8eea537aa726e9eb0387deecd486c00377ac5de5a623ec46dbec5fd29813327b9e2ae02a93a203af1ae849247

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
78f88d4d42a1a5fb9ffe7669c4192fa0

SHA1
a11d5d7a379a6fdcb12119997b906b4e67f8fb3b

SHA256
a211c3310d75c56a34b43d0563c79bbc592830c0e1408366a5d1384d884fedb6

SHA512
bab5a7729e42d7375db942adda34a74420b9238f1333135e369c59b9a5a38e086bf54af167dd85fbde09ce1b92f99d870a2f20bf7908e5945a4fee381eb7fe02

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
76ff0eaa53e3f935f90b14d3ec4aa4fc

SHA1
e5e7b8575d44696cfce98b5df1f7e2b834f3aa16

SHA256
339d9ffdcb86a7fa20ad1ea2db4afe34bb550b6bc74ba566a9f44bc59921193d

SHA512
0469ef0f34d058192180b1c561adbf9315bf4bca18db57b39e4290d6500a02fcb1ab082c2d2e74542ff1763f4e900b35c9d8b6860b48313313aedf212760cdaa

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6e119642006753d6759c37653afdb6ad

SHA1
7a75e94b1bf4f7d5812df0ec7123276993b7ab0e

SHA256
5448f92e0709a29b5821ec0e4805f74c2106d4e6a74c693e243ac88bd4b2b51e

SHA512
6b71d1ac3579cd741bfc733fb7d1561225bb666ec31e98f273e371ecf19bf28af145fb45cf7de1d376149323d8e02e3aa4f91be0ca27c824f20e0a6ed37e44f6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
69c9b0082f5672d58c173c969dd7cbb2

SHA1
aaa2933f326dd812c310b96fe2d9ce08ec01727a

SHA256
dfae3358fedaae06d4124ca02487f4742a6abc9bf9a25a3bc4574e4fa6263f00

SHA512
b8ac7f605de60a30d4bbb7a918760f2a3b43576e3c386dacbecdad99bfa0d207e7204096ed855b73b7e826db1c835569d546ad4fd146667426987b1e634c6985

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e8099edb93fa34707a93504e1fe8ac7c

SHA1
78d40b425061c3a6647036c376083081d6587454

SHA256
4a5f51fad27cd56032b6a95eccb9fe09b5eca55d7ccd58a6c5521e68fa12bc80

SHA512
6eb972a312573eb2f7e020e20cc8353779819b6e6ff16437e49824481a5eb9c98e196ecbac5828736410fefff64084b86db12c2919c659175edaf943f192b718

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e78c27dac9e17cf9d73cce410d7fab2b

SHA1
3d3bdd2500de9cb1ddbf578dfce3cc03cd7c4ce0

SHA256
58b139638cd1d61bd1dc0c92027a36efb8be783284afe81509b91c21553735ce

SHA512
54ab70c42eeb1b33a916e81ca9cd2759db25073e7feef729d14b2a0c3b39a128db49aa0e77154d5ae52bdd42d058f87d25110b2fac63ea35e52182db6dd1296a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d3b42a84b5adde0bb766b4c59d7c8d66

SHA1
4d12bf65c846b3c677748a6087ff7bca918878d6

SHA256
fd1abe23840f595a19faf5c5c8df7682a192c9f7e1410393df24542287ac2766

SHA512
66b5801ef5d1beee15b372e677bcbd5b689131366c1ac4cb9b489473f3fcd9f0170325b660caece8f210357cdc0819300b5d98417ec9078b69fb79e0c3b3e722

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1ab93100e0f3f030fd68c3d62b5c7c90

SHA1
e29b1f7ccac5ff29080902d765df591e74d237b8

SHA256
a6f861250951316d0ea7122dbf117ad8f82f6d331c9535a7d70808664b8b7c72

SHA512
db48a6144a9b4c92e9d29852053b41672eb02c9e371ff649cf65f0c15c6ed12d2c8ad659573d9d042bfc2c73ea2bed09661a883b7813bf8fa4da60542b69bb4b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
36c1931d06bb49b55ccb6676e57e5c69

SHA1
b73b9e0dc1e8dfe809b8d798bd5fbb77ca9620e4

SHA256
6b512e5095895049eda4171d61ca74879d0cfcf808046c783885de92f6239421

SHA512
7997213ab8ad2f8029a851ff0a67a9cbeeb770df913be9af533b7bc18ace30a7bcfe5388d20a672e34d473726fbcf9361c1922d7674c4aa33fc79cfdf3af9235

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c8704e8823ce32f35e68f235aaf71b24

SHA1
72e6349c60df72455dc1fce13acbb798e1aee3a3

SHA256
541dc1312668263221aeb221b5d95be1469e90bbf8835ff2c1df356a2f09e111

SHA512
8f6748890b2f6439e8ca1cfbe1f4690938d72cf0e1a96899eb5886b6b1311a9934c6e2b3924e161e53384df1f0a50d1ae2ac011515cf6bb7a8b7864b4508a5fb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0208d3caed113090ae33e56b0cea257e

SHA1
17cbdaddcba5c28f7ec5f2c6e656b716a0f13758

SHA256
7f430233d8aef4a12e9bcbedda45cd7e29e85ff6532bfeac3a8f87045ca8c7d9

SHA512
00f2f134ead665439176e4fcf27f95166eba194798ae558b2dd4daede8fc472b9f69bf2e187f1d2c7d92bbbca8c3383078e63bdaf6d0be67491837bdc043130e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e5cab43c30c65c22f78dde21f913bfaa

SHA1
2b1a5b5c8ac35ca0a4a7b35ac0cf8244ddffc125

SHA256
1f8fde410de5fada26625328ce5f6e6ec3e04c256e19e4d705121f9806ff0a81

SHA512
a87e7646d2d212f5082793cb55c6c84d754084c1ee5f4cf1245fc2fce13fd0a67ef1992567c5d7a5c2fb4b3f4206319a43f8302632382c33d579bae987372917

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
611884a8ff52f1a4460ddddffa676a0e

SHA1
c313121ab4dc217022d33a5a933b0d5099bc999b

SHA256
750a4a1c8bc6b8b54bc767aa8de6a8f17f10369731c4ce5d9a16a82e691082bc

SHA512
e157b1ebd2ecdad66539f134b60bc4a53dbe721409ae645cfc9194b480bdadd45a217c3b03626d19cc1a3a7133e60d3aa452e136d63331c3c74bd3fb033bfb44

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ab06b0a6908140cfa5fa6fe80deb0915

SHA1
5f286bbf762767bbb0d3a0c31d2d88ffcca6d17a

SHA256
cb10b19877978a2a8fd4b8b18798ae958a2319b173e43a66ee72bc9d103cf73e

SHA512
8138acb5c1d3a1ed84abfc9f936ef4c51a7d0f20164038d79d1da7470cb161f81be6a710dba492e69e48be9df669e2e2c8de97e0b582ecd899d8cd5dc207b966

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3e9a8a0dab02e783c6b150ee20f23237

SHA1
55422ee7b04e98bbc3a7aa4a895f26a73d24596b

SHA256
f10f2e8721e0a9fd80bb8e200d8963d8e2a8cfc4623681eb218e1f3df69795a1

SHA512
119e7a98f48f379f65dd3ed8c025fa6e98e5c99153f1a491b6b64ef6dad8a8ed4297fcbaccb2b76410c97b928208b44f6cc3054b7f2aab0dd42e1115240ea92e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3e01449e6f5bd4033b5e2be467729442

SHA1
fa1be164d002f06922ceb24356f6e07912f605da

SHA256
c870199145ba95d90eae4d3ce34c651dbd26a4d7caa6d6cc9dfff1b0c0436b9d

SHA512
5440fb0e6e046488d877749795f852e63c314d2a7e2c617d60086ff910ffc976dcf8a0b5b74d99afa8a60ba02c183004e3ea0d665fa212a9b4d993845e477b04

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dc46e0ac5135617f59048ed474526dc3

SHA1
ca081b14b55b28b9d6eaa2cadd297244ab0d8592

SHA256
3d559f5154f3c779f1c1fc98edb2d77c63cf2652213beffc5878306b9dc26822

SHA512
d672e8c1204cac9e29f412d006489bde890a1f1c83c3e9d53fec863f7b08356dede63ac8eb89550960c83b8b72f187d916866163e6c27f914474992463f8d88a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd278716fb8e0106c45d7f6a87290a44

SHA1
970fe50043fad65c1def9edf1b224c670f098a84

SHA256
ad79192d0741ef471d65808c70e02239c9cfb8694afdd5f476c4eb1d0b846435

SHA512
49fa8e7860aa57ea037a2039d08c7a5001b152499367cff05616b418cbbcc77ad37e6441939e512fa011f04becf510562e08621cc16615dd671c794cc93fd281

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6462ce46e9b1909dc51b957a25578417

SHA1
3cdb7ff0dcc0543e21e70684fb08160e8d9ec970

SHA256
4f1034934168d090023a686a9cafb1f666b81290a6b4c87c4f693957d68b80e6

SHA512
7e127489f8758e50475f9e61ae5992cc2d6b61007a8c694da3d06a12979d2c2f0b281d83b85eea884aed378525717d22ad668f608950ad724d2215a664f99c76

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3629bd03a8eeb8232221e211c575665f

SHA1
9f008bbd62ae231dfc2612ed75496f20b4b446c4

SHA256
9a43b98503df6f1d0e9470f4c58fcc39691c382529ce9eda1f3c04674d4a765d

SHA512
70c8037264400bd7859f3e6dd9b395a7663dd5592b41d059058a8ebc2c7654f5fbede72dc59ea13734f47a46b98a47a4312693656d122599c26aa1ccdb2e7faa

Download Submit
memory/1012-79-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1012-110-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1012-73-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1204-111-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1204-92-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1204-86-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/1236-12-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1236-371-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1396-158-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1404-24-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1404-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1404-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1548-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1548-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1548-33-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1548-409-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1600-113-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1748-410-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1748-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1748-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1748-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1820-101-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/1820-112-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1820-96-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/2244-160-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2984-157-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3140-414-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3140-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3300-109-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3556-163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3584-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3584-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3720-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3720-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3720-68-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3720-65-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3720-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4188-159-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4264-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4264-263-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4264-8-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/4264-2-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/4288-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4504-142-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4528-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-369-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4532-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-165-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4624-413-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download