dee90f9389c9e3d770999d076b47b045532f90b59467388d802b62af91bf31be

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Size

1.8MB
MD5

dfe8d0dd9cfa68b232d57f9c421f7a27
SHA1

1d5c5e3926bd5436efd16127ddaa40fa017aa617
SHA256

dee90f9389c9e3d770999d076b47b045532f90b59467388d802b62af91bf31be
SHA512

1e2122cc078f1478537ab4cc093584b122034758ed0506cd27e17ac696cacde9001bcc32f31e9af3fc791b65e91b66217e4f0d0892b81599244a9ff9dc5404db
SSDEEP

49152:sE19+ApwXk1QE1RzsEQPaxHN3mgiTd8DsMcDKGfWbYCGE:R93wXmoK/BiTLMiKGu8CP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2680	alg.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
3832	fxssvc.exe
2828	elevation_service.exe
1392	elevation_service.exe
4176	maintenanceservice.exe
3536	msdtc.exe
4608	OSE.EXE
4520	PerceptionSimulationService.exe
4624	perfhost.exe
1484	locator.exe
748	SensorDataService.exe
2064	snmptrap.exe
876	spectrum.exe
3916	ssh-agent.exe
5040	TieringEngineService.exe
3676	AgentService.exe
1660	vds.exe
1068	vssvc.exe
2200	wbengine.exe
4320	WmiApSrv.exe
2528	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\467a9fa6bb5459c0.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d09fdd9b3ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005785c2a43ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000056faf9c3ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020c1bda43ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a596f19a3ba6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf81c29c3ba6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a236d3a43ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000109459b3ba6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c86a3a43ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021d4d0a43ba6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
2208	DiagnosticsHub.StandardCollector.Service.exe
2208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Token: SeAuditPrivilege	3832	fxssvc.exe
Token: SeRestorePrivilege	5040	TieringEngineService.exe
Token: SeManageVolumePrivilege	5040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3676	AgentService.exe
Token: SeBackupPrivilege	1068	vssvc.exe
Token: SeRestorePrivilege	1068	vssvc.exe
Token: SeAuditPrivilege	1068	vssvc.exe
Token: SeBackupPrivilege	2200	wbengine.exe
Token: SeRestorePrivilege	2200	wbengine.exe
Token: SeSecurityPrivilege	2200	wbengine.exe
Token: 33	2528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2528	SearchIndexer.exe
Token: SeDebugPrivilege	1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Token: SeDebugPrivilege	1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Token: SeDebugPrivilege	1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Token: SeDebugPrivilege	1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Token: SeDebugPrivilege	1656	2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
Token: SeDebugPrivilege	2208	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3656	2528	SearchIndexer.exe	109
PID 2528 wrote to memory of 3656	2528	SearchIndexer.exe	109
PID 2528 wrote to memory of 3308	2528	SearchIndexer.exe	110
PID 2528 wrote to memory of 3308	2528	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-14_dfe8d0dd9cfa68b232d57f9c421f7a27_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2144

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1392

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3536

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:748

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4120

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3656
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
041459e3800b42bfaa9780d016997718

SHA1
82aac95563274d4f0b1b88b270bc0407627f0dd2

SHA256
993baf5b3afd417b8ee8d00ae93a6aec2007a55992cf5b1369cfd952988da303

SHA512
a45bc15e287480dae03169ef483b6127e1d194e53e40c93117790e902891af9fde7ae8d2d14b7529410e3aca1e922045f60838250a489bf775cf7c441bb15933

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
115e851614787b0c7ef2dcc941215cbe

SHA1
3c2649b491fb3349c0281dd64a4814542c84549b

SHA256
f77fdf56d99c31ac19bbd0d1f626b879010998a67e2c2c8e656072bd4bfb7580

SHA512
be31af86dc5e237fe7dbcfadab9577a5425c4832f14df32e488cafd26b777336e1a2434e9c2861a9d14f5259e81bcb4ba8af42e350900ff53e8e4efb31918b7d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
6661992367c9dda14da45f15050c7f2d

SHA1
3b3dcdb9b27f1e29c78f6f399bf821091a536879

SHA256
66a5930efd29eedc00b12c08349bcacd519c8d29ace1aaa40d0c29f571d2faf5

SHA512
31883ab45cd614db08dab34cc3f4c49ce7e729ba8641a561aa6718e7c55c2db3aa7d4c27f381ec8b47aab3a7bcf8fedf5de0c17ee7cdc5d0cc10719d1e30f690

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fe2ca8fd11c207cbf4f9411760f91776

SHA1
e8834bcc9975934c1708f0af81ed5da3bc7b70f4

SHA256
736598a0359c5f838b3b3bfde2c48ba046ba4660ae0696ce9bd9bd6b3c36a201

SHA512
a408b563536dc83b2404e963abbbcdc5448047063bc981f3a1b9cdf3bda9ae1d471c91d3ffd7c83332f8cdbb9377cd753387410d70a5d1c95bdba053964f68e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d67bf9b50f782549f36b9600165984b

SHA1
4ca715de5288e6e24cbb80a7f26d198275015725

SHA256
2edc000accee2118a67256f5c279ccf72a3bc9fd53a6b9f17f1f10a4423e3af9

SHA512
4fa551b123c57f10624985fb8183ba8c1d8c0efc37206f93ca84074ee099aa85856cd11a3f38c2558c4d6eb82b5ab156c2f4813387d140edee14ba9be91671c1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b09ba9d35eeab27fa820b6f852aec650

SHA1
26b67770c3d017fd26acab56a67ce93882f0f3d3

SHA256
25d546437dc65f336d7ed88d4edc1113541ac8724b0ab394017a162221bd11ec

SHA512
ddf23db7dd39f7abb7b53a22865b8afa1ba4576e9471cb9cd0929e49293014fa179970dd585ecc6c7f50adc7151e87ce95787d17f6cee49be719703a9cbaca60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
fb24326e42d851b982db7bcb4bca5b96

SHA1
2b2dc0b576f6d68338e4ac8364c04f6528e05792

SHA256
ccd75285616fdc6afc368dff0d431cfa0d611bef94c2aa7f5a12d9ff92a340d3

SHA512
35bc3df17c4119a5aa6a33f439b0ed6ff3c0c350654f3071365057a161fdccdd258e5a963dabe3ebdb78a43523834a634172a0c8d9e1462ce678ac5529230c33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a44eabdfc60b79d6d998c9992e83f362

SHA1
1312e6ab456b93a9b08ea0e345b63a34128c74d6

SHA256
62fdd190f16079c679e7fe057b3b6ea10816cd6610342dfc22322fc6ce45ed6c

SHA512
3631beb894683da44170e9059fa1d60d6448b4584b62c4fa047724f4192275b200a7d0e9433b38c68b81dd0b37ab0d350d03ec740979e8ee0b88ab2dbaaafdcd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
b147252efa7c3f46ad59c625b9f5b627

SHA1
5e490a98974b6aad65e3499978bb28bf49cbb4b4

SHA256
aaa873f1fc7a1596d808fd324406e52418951a333f2d3f0734cd146136f5a63d

SHA512
fbc0ddec34a6c07282be911ada9be4ba7efe2f2c5ed466facf8c88d1980f1167c5a70039dab670b11767aab2dc42ed67ae7665a7f28e92a921007d97fe1969b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
079744d860bfe605eb0bd83ba4326796

SHA1
b8857479cdaab17d2c86ffdcdebfe411402f607b

SHA256
9616aa5b08166009514893119232135d42f37039ca8a8267537135c4fd79c1d0

SHA512
9392a3ef0d6c7bf8e7f479435d1174f2b0e59da55e61c3758292358347b76a291779498fa3bd228fa96fdb3dce8a3a8f9e5fb47ec6faf4ad4c54eb3e6e2d4844

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1e57a774f867fb0195898b0d9bfb2d50

SHA1
91692f6ef61a4d548816e827cfd8ccaf3878741d

SHA256
11e5ba6ac1df5b6b0e060c5b7adec0e22775fb0b7ec4780ead37b37700c449b9

SHA512
78fc7d05140c49b8a00e03ebddd3474e11bb2f1b9d1275c1200d5d683a8969de04597be0670e6dc67f13e29efed35845b679b7562d7dd36d216f1cec4c78fa6e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ae82b17041808f2b2e25d8240eebf24b

SHA1
27247dc7bc760946930e05bd4eb8e98ba1faaa45

SHA256
4824965e42ce542c4ab71d2f9aed1a26ce780f17a7307ea688a27a3017aa1150

SHA512
08167df75af0587c9a0229519a82013576a299908963e53fcdbbc751d4e5138e4a43ff5e5841ee6550671621a417b614c08981d9ad0960d45f9840c3aecfe452

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
c519f6f05d2a4927ff1ba6ca3af53cbf

SHA1
a6722fd197ec037b56ca6afa2bad0e532770bba5

SHA256
20f9ff10d2783a4976779829a9e45da9d8f712e3142092b5644392de9ec5f7af

SHA512
c507434c9e3e2642d0ef6cab5c25fb6f1a8b50057d33c87b11bcf006c963caceefb4bae5273f8b7c0ac36ef22c9ea2e36258cd3aae58e23f0e98cf254ffdc664

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
6c02cdd244f0fac9795d34fdbfeab630

SHA1
425a70990b711767f0df2253b16cc9ae79b7786b

SHA256
bb6da30c105bf115fcb0d3445df54a96539f04427312daa63805b670880a64b3

SHA512
846b6ac127221c8b5cc2ae693a6fa4fdb3baaa05a369ab8e7fc29fd5d7d5cab6a277684c5c57b4202511c1eff507e2872f88231b106c26ef53a8bc19424bf629

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
2b1b130b1d8d6a14f559e924e02fc560

SHA1
97fc3e0dcc2c464c4e83a795ce93cd796673d7b6

SHA256
e2c5bdaa45ed4ed493d53ace4531c2337f8bb2816eeba6a2c3d09349d291a6fa

SHA512
4f7bc4bac1f8e8ccbd595518835be5c2ac6c63975ff1b119ca5ca68154d9c4e8fad75a2a448d54a05183be43ada46c7476ba15a62a8abacfd5fb4be8c902d361

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
baf575c1e4562feabdbf4691ebeaa880

SHA1
252a06b830c4b5e90bf5c4d8a3b39ccb9064943b

SHA256
e0a338f39d07c097f03c067d43a7125c8396c98c37037bda46e7f83f88b66243

SHA512
8f46d184de0c18b00bc20addbf3fd39d3b9ea958b21dd52384b46a7d9e8370751e561620d54ab9c5729531fdc6e42a7d57e9381f88f2ecbe3d4728477e9206fe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d60bda854ae0c4a6ff0578c623070600

SHA1
c878efae1da63bb4ae5314fe01dd4e27f8adac9e

SHA256
c93c4e551027b95d6b59a5e25907896d70ecf3facb3f7a86baaea63ada7a6e7d

SHA512
0e8ccd6c134510352b4a420b7f2103c6915a86530025e4e6e140266e7f721ce1b4bada328cdd329c46bfd60aacb7e229a5fc4134a052888e89978ff15f49d2b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cc7afc7d153ff95b65dadb40ca2242fa

SHA1
bc244ada89e5bea8df780252b4ebc0f820987c21

SHA256
e96b8aad2b2a3dceaa2ce7008b7da515f0e61ebfbe0ad2cece7f4a3af7c135a1

SHA512
7c09ca1f8a429937b09e3639d0998039b773165223aa67456743bf496440f2d97420884d03fe6779258a1084a798924a0746f73b599d3b6d6c4c201803d96457

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4b7946e40098735d5415e257c77d2727

SHA1
044f19ce576a4864277fc43f9fce8e10439a2ef5

SHA256
131b67cdabd134cbbdd71ddc90235d62da872e94f648c623e59c82eb0d199953

SHA512
fc284120ab92e9f90da8fc7ce7d4cf059d94210980cb21157a6844298d3c3538f62f706d59edba3b1f319f9506b63eff636422e1ad42a553ee5a65d327eb6111

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2f3f972c9eeff088b029395c96e87920

SHA1
c952462fe270fc829b31d1f96dc96c0aa0a51835

SHA256
147dc7bf11b112b20d6415af5f337f9241f2a9d8b81e3bc701c94460cb4749b1

SHA512
59d77e07694c85718041d3eba9e466db187b7f14206040c6a21ff5400916c215363911358f42a07bfc5606e31ad0570269bf97b9c7e09ba6495272da3efeedab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
56e72fb5d96369feb1a3cd7c095d561e

SHA1
ae96d12555bf06616a9253af0bb3821d6df59061

SHA256
c17f1fd6544899d9fd6f96041b6345eca9293f06ee40d02769a86824b716e972

SHA512
f8cd05fd52da9706905f7bf717d0bc97f7bafcbd7f9a00feba5d22e3e5b6c7370509a5a9027f28f155fd23a8ec7c79cc2e01fe7e696947889980fb66ebdd11db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
4022561b8df2fa76840db5814c8af1c4

SHA1
46a2ad5e79d945cc9d8a3c332fa9c8faecdd9460

SHA256
bbfacc7f8a7c50b3c237a161199ff15f4a708d80975b72f77561a59e0278a025

SHA512
a977359f06cf6382fa28192974c7cb5374aae94b2680bec73bdc1cdc12c41c19d137f9d11d6135cb4754618871f4cd8ba06b660cd8a1fdc4509fb18feab3b14a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
e915b1bfa9422ec429ace1fb25543167

SHA1
0e0d85c7984484407b3d35caca6b9b43d03111a7

SHA256
5506b7bb2c550acd47ade3f5bf81aa469cf45d5cec888c80d74d2e2ee2cbcfab

SHA512
f5785f50e9ed9ae51ce8949907b40e18953016ae044abb773ce47428139425e911e0ba307cbf3d12301af4b916fc3d509e4fcf996dd759d345e65229c174b7fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
f53d18ea507776b051d7f0a83055b403

SHA1
b2b153380690a0786f27e4e3de1d1edb424268f8

SHA256
9b219186eb8677d2af448ca41c415f515e522bd023fcc63811e97236f7cac55c

SHA512
fc9c7d78ccbbc0bcc14e1716551f0314e5b153565cb6f0df0b54795076801942e15627523bd0206ed4fc8e632e347b78d8ed24c72529f3b4eb5c101fa70fdda5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
e48332d9f1e6aa146495c5e3296517cf

SHA1
2f1d0839a88bc1d9e26ed34269fe0beee8d7f512

SHA256
0210d6e1a5e9f0153cebb765274ff1c6362e6e1aff4bc9984a0245fc700337ff

SHA512
4b679531c9628a7f30f7c4ded81e6e43bb6e579384ab6f51437349dc2519f05255bdbf1197221e1def8e85b7a9bb4be6ed6a5f764731018623d4c2506b5121ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7d2fc0755b303aaad06154ee415f442a

SHA1
07da28736d7c14730145ceb1f149b5285e582f1c

SHA256
b9e2c09a4909e3b60be359cb4d6a856969f9cba433e812c29e3af5f39bd2b944

SHA512
e31c8c792e41540edff4f59d6f50ecaf7d03edf957fd4801f881d173d53934b595ebc734a8ccafa292a242f66093bba8429e6f2dce4a0886a87290d96a5c9a10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
9aaf58276103f385e81044419664b9b5

SHA1
9498f64777321ca6526345f30e63c4eee9c02e29

SHA256
17c6fc5acf88bed761a3f6fabdda7beb18a5ac1b412220cb9d114cc1edc60a83

SHA512
213a7cef5bccc802e5c0924e3358446c9e5dbd0397f2e6aa5d19e46b5bc85448dbb90b9f5c9017569c58d0d997239255a9261f5fefe72604097d9802b4421cff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
0f8aec365e7cd317ee35e22f04571158

SHA1
7c9c172879e62c6bd21fa4fc586019a458d802ad

SHA256
bfe1867e33fd30715fe9b55fe7dd04f872a53eddca8cf6084ae7034b210fd090

SHA512
235e1a1863700f44b27d032cdcf6865a245534257e597202fe45ab2af5f26354cc25b1e58fec098a0986289177cfcbdab25359aee40772f6060aa29e626f4a2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
208cadaabd539947ecff097a480d2bcc

SHA1
e8686e6cd80eac6e69573858e441cf586443cce7

SHA256
9f33d8644dde51d4d2d98a4a3ae2000d554a8a2edb7f8ffac060a6b457dd83f7

SHA512
6c43d69bbab080d47623937f7661fdf91a804de2fb0e4d235490908028450325111adc3ac5631f9862c79269695ab767df6e0a57d860d39d9923437cabfe7746

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a788769c6166366a6aaeedb527183ce6

SHA1
da49c88d8d4e07c7b8f237e74fded15249ca7abe

SHA256
acb91e166d0d78b82e3a9b2a4c2f9d6f576160150b204d3b3e265c8131dfa396

SHA512
69258c2ce87ae1c8151c0449154fc2aa74ba6359bc206179954e7a012c2a2b0187bb37f86e7be851ce60b5beb9f1da56f668e2e1a1b3c689d242b2cde9e6545a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
cdf9f0960a5f2f383c0c251c15310e15

SHA1
d328d0c5964ad966db2ab0fb087f617ef21d9708

SHA256
f778a570b578eb8e6d1af138efdb32733fd54409a9ac118b9db55393e2d76757

SHA512
2a6f2efca2f431cf4e88a6b7096ac66793884ddc136f8d7638ef75376c225a16a0b96f5ce8dfb7b469e3c01347b882e72b2e05dbbbffaa8d20913ac632798429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
1be3a7fff0d0d4ba887e173f95a25364

SHA1
90a37368b98f0e811c709d258c11d8c5f3919937

SHA256
33707a0fc2418a6ccec8a567e528e31015c94bbddc8487516fa976b1cddf6fa2

SHA512
54445b0a6e27bf3e887b4a242d428dac43ef95a8450c8733bf0f86777624e462133f04b49e3dd60fb9080862e268d530dc255e5d5cdb591a691decb02ce0fe8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
3afda7a26cd22c4ed18401043dff0199

SHA1
b107eaa4fe6e43a6629eb4708d6f0a4cd781c1b9

SHA256
6654d5555724551b4aa5f2ecb5b2c8b804b885510ac348437c9c3247e32f30d5

SHA512
68ad96b57e49d1ad4379723ace8af2193c43186afa183ab5cd8cf7d10b5fdb02d0ccc4ce770df17c23e1b1b7fec4883986fc2afcdb84afbc0b5b8146cffaf4a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
447f534a73b2fffe6cecbd3238ffaf10

SHA1
4aca9f5b4b27b6712e164b7fabb1e6838eb8e71c

SHA256
4f00567eac24f9edb8675f9efba7ee978773684ddb7cca36f60b940a6936f64a

SHA512
534b19a4c406d899f2264a400967577146086b907b381219beeb0fc1d0f6fd5f0511370758b20264e3410791efcdafaf7064b511a6a7a24310affaaafc67d44a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
c3b3899da7aa65b3a2e5ecc69397f970

SHA1
d11b7646e75ff06ab4cdb1a5f472d65e487ae1da

SHA256
c4aa2d7f6a63ee15f18e0935092383de026e868e50797b44d66f71a1658a4d31

SHA512
1021233a6d72a947227319226fda97d6d7a47df2e1fe78cee2798eb0342da541eb0468a5dc57c789a37ae3a272d665148594e9ac4942980822fcb71354bae078

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
987961be716834db789185380f3b5bad

SHA1
2ab6e6b721b0c9cfc401e09be5544ecc23f1ecdc

SHA256
d334ff46ec999ed64a9e9f670034fcae475493267e4b9d7ca6fb507fa83cd04f

SHA512
ea3c98c7ad0dfff7f40e7f84b812fecf0280888d9a8b2b163d1de71362b16b065f6bcfe9816bb6286f487811f9e9bb0aca0411f98dfcc9326a0d2164ac0f9f1c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c75d53462707a95eb0810a85c3743fba

SHA1
ed3bd0074b511d60b98b9786afbed5dc26ee1a7b

SHA256
4d9d7ec6c45eeeab8b76a1352e912434e118f994eac783c957c5f4e709945ec0

SHA512
2d429b111f709d801cf73fd35c1d6ff6824c34d55c022155eaae364d12310c1edf5ddde5cc999f6adb8d691c8256c467dbac1a9e5d525531d6d3d72c2d60f6d6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
0bee41ef22578f44b56bc0ae4f81a097

SHA1
7617785476802f26cacf1dde5e4b5acd4069442b

SHA256
1c79e341e98132d040bcf5d2662cdf8f4b651ee081d4ef26fe15ae96d2aa844f

SHA512
8318bc6262ecbe25ded2fdc8c4f581ba211e2215cc8fa555bc98c176785f513f03b9b6265714d4160d39f798346bca5451f7ccb7477e0283e57d461c294e100f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c602bddfec6c634cf44f1abd200ff412

SHA1
70fb713aaf58eab636cde034e36661870d3773f2

SHA256
71d6c86b2945c54c0c6611f790292cc255e994928c8895fc41cbf478358a2133

SHA512
b26f9fe38950217c5e2cb8d8f8367f1ccfdf26e3288ab6bac70e118ef2fb30f952bd64840756419ef620978af782b133b9b3407d6544b8f8590c519ca2dfb924

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cb6545b369c5b65b2cfb012c64523ad2

SHA1
fd96209b0e894cfba1782347cd5b992090bea93f

SHA256
16a51ee00df05e92345fe83b8521abad93d034ae46c6d1c3e53b18c63b3ec0de

SHA512
373d4ce795ce6ad13e05da05deb44d8042b0fa6896070faf647db4507f3380f88332b3a18613922d60ec512a888d1796bd34d7065e004772fd9c6225ac100488

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
afda38e4a4d8e661e32ba37b3eb9d979

SHA1
bd8e156b49336c31e1211988f92a686948753dc2

SHA256
082176baa94d4556ac2a5dae8a75cad1e7c53bd41b0459f372d67abf1511d292

SHA512
0352915bd48df7d6e100f9af134cdc8ed86eb42d496132d956d3181d5c0a2c8c597af342897b7a8c3f4b3c921d7715ed4bd3fa074b597d44fae6ab71a6258cf3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6935bcf5dd35a4cf62b21161162509ca

SHA1
b635f8cfda6b06f5d1c265e38aad28b4c425b27e

SHA256
3281daa16e5da5338d2c55cf5b6bb29c0f7c6180c9a1eef6bc860012795dc541

SHA512
507a62a8cc7caa135c6546b325257091e6f2e3037864ec6d12a6865e308e2510a9925985fe7e610bd1092856342df56da724db84f39567e7e8b3b1174729fbbf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5bd20be167d6a6d0b00eaa3dcc2575e2

SHA1
776a95e58020f73639c7b520b64105fe292d2a95

SHA256
68805db80d615122bbc5a61714a4b9bc96531f6197eabfb136d11d45fb365323

SHA512
567803e20119eb3089fbbbefea525c11db5a3609d2ae6338ac37508510645029570890a69140f133c0e0e1fedfa4b6004d0c2d70e9a39d9ed97858b2047a9c71

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
0c25005c5f54ac576705ef43472a1d97

SHA1
e7efbe2d1f76e4ee7847f8af7f96caaa5cd58bc6

SHA256
5c1e3cb590fde3ca5bc60582438342ccca2546a458a2d13883d4ee31ef6cb22e

SHA512
c9a3a8c692b516236e8ae2b4a6acea99f26f2a0da1c679c8f1cada2299ca23d80dcec6db057844cf1350670571156301485c0227b175aea1a6b81d4339a4f4f8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4ed020b9af75a8efbd8466c0eb036159

SHA1
fbe8680949cacf024a0d684f62544b87c9e377f7

SHA256
ec18480d4668930bfb1d0a259fb703f44750fdecf44e3875fc89c5c46d8a4b89

SHA512
be8709e896741650ad336e0946d0e70d874f29adfc54a503c11568a258e81e7587fa14a6f71b13d26e23f474da4eeaa3bac99af3a0060293cfb1fa7825c15748

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b5bb89937888449786bafc490bfdbf20

SHA1
91c95b65117ecb9a910c9c7164bd7f0d03f65e80

SHA256
3aada228c9ae174a89e3a16a0e2fb9d2b5fd614f9d114134bf323f40595d580f

SHA512
aa7f3560fc24dd3e2db01bd0941698023d5e5f24400f834de065703b12771c3bd81fbb70fef6104ebc8888215e857e8c6c55f7a28a168f9dc274dfb526c5878b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f486d6f27a52fbf281645bf7f0d8128a

SHA1
0bbca4067b294aa3d2e593dedb8213d869bfff0e

SHA256
ed8ddf6d66aeb9ae597a6cc1cfca96927ab96189b6d22223e24835f9d77ed617

SHA512
aa21694f2ddf2a49f6c849a51af2de8fe32c6495555565b18ca057d466ae6d22ea4be7f8cf270b8f4cd9308d062be7fd2b9949cfbf86c34323c8731ddc49acb6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
03e6f3fa18507514e233710a4531f682

SHA1
6015b8e006747ad00acc5ea6f9013be686c96dfb

SHA256
7dd108c0c5d34849a1827238678ed33d795462d696704fb5a45b062c9d4829c9

SHA512
0d945dcba1d0af3cd5d5f806655e73ee88111cf5cd6b303936e233975df80a39bab4ee9337ba2661223b69ecc43dba50039e9d5fd22789c545bdbca91153b075

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
51f3799f76a7b97513f335dd1d1809e4

SHA1
2a8932b35bf5caa0c33ab07ec0cd6442648ee994

SHA256
149f3069320140a04b870352ed8e989bf262b493239b1441b4ad2577c9a38cc6

SHA512
3b42d34765147f227849f429d2bf752464a1c62ca160c896551982db8b37a8ffa076bdc86b9b23030cff9f6bd53e5e8cf6a3676d11a9d351ce77bbadf5850a57

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9d1a62274ecc56865557f5c535ed6549

SHA1
3b22cfe7cb465e76c3ea97e60a650a9b38823c1f

SHA256
6a8a234a4cd811eb5e6c40d2f8b6c37380959a1a5818672a2154a2539637306d

SHA512
1c059c5befc73aa09722fcfcf9c605f90b41f0dfec34eeb5744c8b983d9e26ed2f087283ad7f8e0386f77b5e4d183751d740cf9bc31938fd1baa230c551a99c2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
1f4dd97420a406a31821358e5897f327

SHA1
4203f5b8a3aef7be4e862a5e71f762364927d37f

SHA256
d7ae6219353c27f730d56a4c48bc145e6c99f3467447d2fadee141a943ef9158

SHA512
4387d3e0998e511f26c54f9844ed741bf141730c4e6d6e586ad30c788ff187494086ecb47f5d53e81b7c138e109e73ad2a678052ec811b4ff854bd962edb45dd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
4ff19a357ea01119358406f660489803

SHA1
1162eee022be55c77f82ab654ad51986b5fbbdb5

SHA256
9177a23e562e31182410606a26ff446197291714aa78a5d2ab0f042cc2f8c002

SHA512
2e2f6c3d9ad9f24c14857422dc96752281f36c1ed489e245bd8b5b3bcefb258ff2c731ed06d42dc0910c173091591db0bd9d4a076f84b316013d1cc8beaa92e5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9f384cad6d88f1385c7cb95e2400ea15

SHA1
f994b21de0d3bc736e118b64f5db1b336f9d160b

SHA256
fe8f5bf98e172a3deab259664b51c97c0fa66e2378efc557861339e2611b1945

SHA512
1d106af56eef3c5f2a33df6a6ced4460fbf9e3f6e30083817ad58c255f50d21e42f979a6342d33a93882858ecfa6c7a6a90fb9ff9723a3df96ccdfe022623755

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a42aae5aa0d67d7b6e7e1dde41b3424a

SHA1
2730a6099524eb5fc1cfc8fcf085a26e30754369

SHA256
0e4b7da8b55f817f2f6a07a656b6bf9d08b0e9806d79b78698d393d3048212d0

SHA512
1fcf0e3e0fb25e8bc997d10e54ba604de1d3dcef896b75e26265df1fc42da961a3f98a3270d6b302cfc6cf8764f1abf8da4ee137960e0b37a1cee7b579e3b021

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
46b78175a55a12da5c880a89bd15abf7

SHA1
639973af2e41512684fbfb36d339ea943ae54944

SHA256
f251b70cf3a81289a2af61068085c5465991486d00b207e891f1a50fd4e93982

SHA512
47b2928a2cd91131094156c7c94f6d56918f486c9694ccfee3bf5a367986f39d5965ce4c6d215663ae3744377507e61a408f13559f2848bafc93bd486af24015

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
63cf685c4f1cc1e34a0a460c6b35aa85

SHA1
628d5cb54ec2c264cbd0047fd6ac3eee89c585fa

SHA256
670e4b6a7b365114c2f3be9e683cac17f23b19d76c30cadc88f4f534ce604925

SHA512
44fa1e8e8d237cd47cb0a180ade9bdbcfbf41a7218d065b6b1bf34ff20a91609c7cc0606154e63cf824f69ac274d49dfdab7e96315584fc2c46b695080bddfd8

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0afa8eec2e6564398406791771a256ac

SHA1
ac803f39246609924d0f31c7076f7449c5cf35b9

SHA256
c32bad8c689b2698af9b6145d3534efa0d209b7cf14baef28369c37c1955e3d7

SHA512
2dbbdd2c71e5c6066a8781f3be6b39e969e3f8a05ff664a1f7896f53677d26313a0396766c47932f758c1299118315fe93e8be9bd31c9218e9541ead0e4fccc2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
bd5317921c006bc1a7a0a011f7ff5fab

SHA1
fe56b31a49417bc662f1c31da6086b09ded5db81

SHA256
ef1a0b99802fd750266bc61fccdd0570650e4dd96e998e356e370d1205c2f953

SHA512
4819a278bc0d95b0b5e1d1343b2d2aec3f802a2e51640e8e9ee33fade382842920c00a3a8afd47f9ed05216737bce23d991e15cd7a4b57febe8415e1c0a13c22

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
e3b70ea15323d92e46e9827782d01dbf

SHA1
bfc9eb058674ef49f7d68fbd2a2005a922f6a1b6

SHA256
1fffce74fa694db9417ba15f03e99b8125f0e9d7c995167cb310c6475d64ba8f

SHA512
9a0bf0c0a75ab126fb8a0e442c5623189aab8d8408996171899a13ce160338e3598ecbd8399a4b96bdc88fa33ea4ac8fd73bae94501862cb640540f657cfc7c0

Download Submit
memory/748-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/748-360-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/876-145-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1068-162-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1068-418-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1392-331-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1392-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1392-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1392-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1484-113-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1656-86-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1656-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1656-7-0x0000000002250000-0x00000000022B7000-memory.dmp

Filesize
412KB

Download
memory/1656-6-0x0000000002250000-0x00000000022B7000-memory.dmp

Filesize
412KB

Download
memory/1656-1-0x0000000002250000-0x00000000022B7000-memory.dmp

Filesize
412KB

Download
memory/1660-161-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2064-143-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2200-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2208-142-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2208-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2208-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2208-22-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/2208-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2528-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2528-420-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2680-112-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2680-12-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2828-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2828-266-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2828-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2828-32-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/3536-71-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3676-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3832-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3832-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3916-146-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4176-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4176-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4176-67-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/4176-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4320-419-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4320-166-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/4520-366-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4520-95-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4520-87-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4520-88-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4608-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4608-365-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4608-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4608-73-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4624-104-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/4624-99-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/4624-107-0x0000000000400000-0x0000000000569000-memory.dmp

Filesize
1.4MB

Download
memory/5040-147-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download