f10a69574540e1154214fea3df954f7a1dd8b7ef528f089488a1e784ca2f7b83

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Size

712KB
MD5

c5eed1f5fc2eeefcd513bf9e071105db
SHA1

861d8e8bd24541b2d7b065b34bf04a4f6cae30c4
SHA256

f10a69574540e1154214fea3df954f7a1dd8b7ef528f089488a1e784ca2f7b83
SHA512

fd54dff6dae8444b560f95cbf9b9f8a94608747714d0b6e84d4d3ad93cc2287f8e60c2262c707791499ae4f358196af47369d3ed0288f9794a781f2ba6b97eb3
SSDEEP

12288:BtOw6BaLVqKNdQ8yRK6rkObwsToHOOWGgqvoEWH/lInNg4JYU5a0Cuxy:z6B2VqIi2lObXobHAEW9INFJY0au

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4232	alg.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
3324	fxssvc.exe
1412	elevation_service.exe
636	elevation_service.exe
4532	maintenanceservice.exe
2064	msdtc.exe
4440	OSE.EXE
2208	PerceptionSimulationService.exe
4812	perfhost.exe
4544	locator.exe
1020	SensorDataService.exe
3684	snmptrap.exe
4752	spectrum.exe
3716	ssh-agent.exe
1708	TieringEngineService.exe
1696	AgentService.exe
4540	vds.exe
2392	vssvc.exe
2980	wbengine.exe
2136	WmiApSrv.exe
3516	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1f99ce18c3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000138641da39acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034827fda39acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b576d1d939acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a01475db39acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea0ff1db39acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0f3f1da39acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c9b16da39acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d54946da39acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
5100	DiagnosticsHub.StandardCollector.Service.exe
5100	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Token: SeAuditPrivilege	3324	fxssvc.exe
Token: SeRestorePrivilege	1708	TieringEngineService.exe
Token: SeManageVolumePrivilege	1708	TieringEngineService.exe
Token: SeBackupPrivilege	2392	vssvc.exe
Token: SeRestorePrivilege	2392	vssvc.exe
Token: SeAuditPrivilege	2392	vssvc.exe
Token: SeBackupPrivilege	2980	wbengine.exe
Token: SeRestorePrivilege	2980	wbengine.exe
Token: SeSecurityPrivilege	2980	wbengine.exe
Token: 33	3516	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3516	SearchIndexer.exe
Token: SeDebugPrivilege	212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Token: SeDebugPrivilege	212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Token: SeDebugPrivilege	212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Token: SeDebugPrivilege	212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Token: SeDebugPrivilege	212	2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
Token: SeDebugPrivilege	5100	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1516	3516	SearchIndexer.exe	117
PID 3516 wrote to memory of 1516	3516	SearchIndexer.exe	117
PID 3516 wrote to memory of 3476	3516	SearchIndexer.exe	118
PID 3516 wrote to memory of 3476	3516	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5eed1f5fc2eeefcd513bf9e071105db_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:8

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:636

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2064

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4752

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1516
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8192106696963d1b62e28af55dfc5746

SHA1
37fb758b0c39e56a09bc11716c09d370be0ee83a

SHA256
c2e20d96be79d26f47b10591e49d4bcfd9f159191bf3bc9cfb5e7f9dc32a01fc

SHA512
89a2786711f172e6611a17cb00b84717c6b6073bce674a0095c376aa948ee4acbfe7a0badb39d24278dce871b6a2711a1b5a584bca0e314f78792065ba2e7136

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
24c43111d450fd4c81e569bf732553e5

SHA1
db5ba00b7e65349efd79209bf6c33c0d7706de15

SHA256
24e5aab337002e6f2deff6915f82157e6c0f8ed71ccb9f8e47fe6890978bac4d

SHA512
404b6347ed560a233755e0440f337c2fc93714a3468439fd1c79297902b6e328d2f36ed5321ae2d51d56f6514cfb138251078a109fffbd1e9c3d0725edcfee64

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3345681d822f9114d349c452c22c3ee2

SHA1
dcbb6ab37d2ce7a9dedfe99686f75d3eec41770c

SHA256
98fcb75394a9f564170a8c7f4626d854d2d37bf4a9112b25cdbe9f0625142e2a

SHA512
ad4d5f8adf1e7217ff890f315a1c4e65948cb6405a26ac707b491505d167a68b9aef1d008dd51518c64fcc3a7b2b493968cfe40ff913d18cc9e725069a0f68e6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7d1368fee2b644c4112a6938d8b38cd9

SHA1
d10cb0acda038545964cf2961327842c38f39385

SHA256
70915a5ad43e4e1590df2c39cc6f3dce87651bf3cb5b2a4b70cb9dd625631fd1

SHA512
2f89c477ccbdb33699a07f21ce6192da7a6a40cf94821bd27865f7106ad3c90c1092322d1d87924a38e8c3f8a7930941565675d351402b020f84468b2c11b16c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87d808e1f5102feac7270b052b04b5b6

SHA1
b6fa65aefef950ee7254fbfe5eadace6e292a373

SHA256
d7c8a397c650734505534e0bd9987de2cd9d97a406d736e50ddc7a1508a80b6a

SHA512
cf1e9944daeddc2ceb5c2c37d9e483dfb3f750d15271fe548da5b82f73ee9666560360a0367d8a6f9d2c4e656eeb22b60b5e22ef5e36f2b92a021ae71ec65b1d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3b81155cb6dc7418b3bc911765250a6f

SHA1
96bb3a071db707a7b68d959779a2b6c61ee2f23d

SHA256
86cb1637bf7fd9a2261c313b021cfaba414c7f0e8a990e3400480c82977210cc

SHA512
608f07c022fdb494a06b7bc9b4cac262a65c3d0a79594fb0d75ea1145556f8dfd0e9c482426525acffbbca46ad242c383e63f1b129e133447868a6de0419e241

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
933caeddde364abb92878432815fc025

SHA1
7016af8ba8d3bb324313b19188bd59065614e2ff

SHA256
bf4f37de6b78a9d6f1f5b6c8aa4d0adeaf97cd2f81352dfeac51da31b1544a64

SHA512
98dcb3593794893e28e8f009e5869d6b413597017919ac9d6120d12b14fbc325b813d26a6a6ab64cdd48f5455cf9540f598094001dba3584ca0270334a64d873

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4e3b932e396cf56c4baaf0fd81553a5e

SHA1
9c124525df5dc346593932e9a6cb4b5019362829

SHA256
c4341019f3096fc31a4c3b082abaa9a1de1567ed18b6ab5c6c9da370ab0c668b

SHA512
3f6c73c9eccdfd7423357c006c90b8140a0689543acb179ab8fa79582c6d0521082c0a41a213fd152d7854230d9ca6d09481e5f36c435a1b420bc1ead6412feb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
42789e242bca96bdd764b498053eadd7

SHA1
4b050f21fd1cae181c673606bf13c6b9e46b1359

SHA256
59e5248a85587e3c3a834ccd8c2faee113631681653ff92d2f7c1472ea8b5f1e

SHA512
e4dc52f29bc5965794d909c5315a6a3bff424d9bf52139b3b088ecd22bea87740c9a1d5fe84dd91c9f9e1456ad5928973c8fd1df3f0515f50e2ef37c3c5227ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
39365dee492fb100ccda191c79031ca7

SHA1
f61522c6863541eb0f36a12e7dcea152f462d388

SHA256
d2a563166579aeac7fa8bd80e923ee76a45ba136de96d8690928477b66f5d11f

SHA512
4b5871e239119091adffe21680c8fef3d4dd9438e2c15302d3facec455b9bf5f1a50dbd10b42f2ec859a0338a7010c88eac0aed1ca25dad16d771b10aac84f59

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c4ae36791a4d77f87c8d1e2e66780811

SHA1
9c7a7c821614d68609e6341e73365525052f2cf1

SHA256
94b52af956d8f8d3aad884554a1947ad8e851746ac18494584498b691e404dc7

SHA512
f4277bd78122e9d9c00f4d1e92fc1ad1f2f39f5e7bacdc920a878bf3bfecc086f98d7b93bf80fe03674daf103bee328823b0d3b8fc82ca9b4c87295f2c31d8d3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
16f9ea6f9f195b1a8d17f6e505d30797

SHA1
6387b4c055029b6c8bb2f5776c8d5a0088f7908d

SHA256
766fda2959c1fa8f98d54d6014f93c8d041279db2b21470f2cbe433ecd476960

SHA512
32620ba6252aa70527d19c7a6258971222919704992f276dcbbc6190b5c9457360595d858f43d97d4406b1c3451b4f9bbc76ddc348cb32e52c3de1e379b9769a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
22c3193f7900ac21843708e950e71c1e

SHA1
00600f5957ed735ea4d6df0a63f8dabcdb47bc21

SHA256
a0046e714930e4e2b72c5d41a189064bcb156a1d8cf5b1fa917ee0d405712e4a

SHA512
294fdc25d90fc5d0f1b6e84be8551b6f0d5db0504ad38c1d6c464affcf71227647cac67a93027728bfdd18675fea88ef6ccaed75a66ba0bcb4126bccff002dd2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a8b9efd578446184c38d6de9482e92cb

SHA1
22a8f620aba0efd03d06838c33d8930ca8b28149

SHA256
b4f0b2d0f622a299026c5de4d901182e0eecaf9e31006405f94000f01d1e7c85

SHA512
92a36482b6554625d2e367ef2f27cf2a3592a6e5157f0620c52ef96e81edb165c35c44b2730aa6641230540c5a4cfe6c4cf5df355691a178c19c3fbd38793eec

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b63479ed848defb356833549f144cc2a

SHA1
061241b2d3fff0d31e80c946ba712360956a80e9

SHA256
28942a9b029005601e3f3b3f77cb91f0234fab2be0c5c68ce5f1fb03652ba4d9

SHA512
2d0dbb86b0257ccb92bdde929b274ee967ca5a41d75adcad48068ad585a8e41d1ea9467cbea03c6c840fb66f56c3038b9853d68c886a1cb4bf7ac31a997572a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
38143dcb403d0e4c39ca02d1ee7048c6

SHA1
df5021e767e0c207054c3814aad0f404275fa651

SHA256
2997308f36a83c31706b68dc8cf2e511e5ab44f57fbd9d55b02f8746bcf2ce52

SHA512
6a31b50948d4a543c26c5cb35ffa35a9d78d6750accee2238a40c8f4c7bd17049363476af6c20cc652a1c3aba942df7a177dd076ad3099dc8013e6fed3c12fcd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
91f5893b4ce3f69248df3116b2dba669

SHA1
d80e0b1c54f34786f69fab7fc230572f5dbbde08

SHA256
e03699fbb04170813a4f2fce8f4845e285a6e17945a95346eff5c7f54ed99d94

SHA512
8865158c3fc16519afe3753e854787cfd2f6b7b616ac673e3e4f802a4e1cbd3a853d4441f68ec49546014ceeab8912da8368fd6506dabff59bdf483646079d10

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9262ad95a088c9767e9a67335c1a4465

SHA1
d1de60038bcf749f254eda8b474904670e015d2a

SHA256
6c1fa1ab094440e5cef6179e69d3297d04cd380b66408f246cbc2a8f3b4546a8

SHA512
635e6e416129648ff6fb9ec5ca7cc1414d55e66da36ec3ec7f53b0b1758f61508eb9b253a1ad87c8a70be6ebbf63f9cc4f3b5a15343ee7f879d1829c3b3ee034

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8b25814beb0e62ef401cf969a16caf40

SHA1
58abf3e82b110468c4507ea92ba6eeec8c16c024

SHA256
946aab1a2da04958f9137cea318f95db07776ced0bd957f2bbf2959fd693e2b8

SHA512
2229b2e5c44f5b57d17c90471ec2f55d94f40be719c1a70651714e50cc6fc7d55b75bd47ae143925fde13697e298ca9074ef22fa1281f33935ca479d85511a5c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d18f1b48a65ec3f32000f4958feb722a

SHA1
f2f4eac4e1e3b562f52ad932181089c23ff54513

SHA256
abe5ad55483f090c1062f8baa7b131d5264f29e4ceb73bed0b8278d519bfa602

SHA512
53dd4ce8cea6903192517b01225cce93c113044039585cafa3ac71108cb1ff6f6cf4e40ed111099a69bee4c464bb139a2287af8295731f210699bb477b3f1d80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
eae7026ca740a068a2aa311e3ada9eed

SHA1
40016e4171e4efa4bf7eee8514cdf294115fdc48

SHA256
5dd8b7203f21c1dd419c081fb726c3f5fc0f6efc92ac33c9b0a357d6104b3b19

SHA512
dfce1489155d612e23aaa56bfc02e8d4731802dd62f266452fa5040f40c99ab287aa240ad5cc47891007b162f0266471ebd418abb0fe4660735b34b4e20d242c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fbf773e92f2eef6a83cfd792b059a4e4

SHA1
df5bbea3921ad84c9ff9daffa2f5f91ec56e7123

SHA256
44d23e3aa158c4847bae291049226d36215dc5999c35262a0a714ad8b52b9713

SHA512
78880664f3421958a8ca787b2d78e54ae78c257689fe0b986d8214841c3d915d40c5077cc7f83daf25cc5e5f67350fc97b679ffb1393bc83b05f08d7e4b2373f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
8adc425547b72083c9aa6eac7859ba6b

SHA1
f009dd615e36054c18295683589cd43f763de87b

SHA256
9d66aa634512e490cae261242f9b0b33a676822c7d17d0f00782b3fd7813fd5c

SHA512
e307f0de9f55962b9c2ea3785d213560ea95eb3955451108f521bcf2c0078ab0613787eef71c60341f10ce6f765bbd38561aee6aa3cc471ca17d1b53e3be24e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4debcb4af7c51cc2a71a41d50a1760e6

SHA1
dc163c9d5d3865b6a2d608d4a2d6fac674ead491

SHA256
53f8acdb7c5c30a86dceb16f88419a87ab8aadaa11670734d2b30a85fe2c733f

SHA512
7e1819d448d942ebb311333fb6a2fc62ae79dba8973c23e3f08e73e6645ff753587df568a3b9c21c411fb1e4fefaf1252a9d239d3800e139bff6753e57d50fca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2974d7e12a2157ddbad32ea465020b06

SHA1
bc5605f23f813d8e7e91601fe63733043bb2d9ac

SHA256
81169fc2b8643194ef84c0d3e392e04adae502bb4b4d26d67233aa4b2d222cc5

SHA512
9b1e4ed19e4ef882e19ed900c3cc8e1dfe51c3783af27749498f7329d26589a6ac5cbd8f9d0828b8acc54c895527dca1574677cb138ee191fe20fc406aa4d226

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
08aadd7b6fe17b45558bd1ac7461bf7a

SHA1
8f9f51ab3ac3cdb72b5f317803319db9654618bc

SHA256
83908e076ffce54cc25fd993f0aa40c991602d34ed17dd50ed69323340d2f8d8

SHA512
831b8b8ba452e9ba72c17b7c7598fb5cd49ef6434aac67b3e64c7797523ff4b4390b438bcdad241471bca515824c3c6b550fd17c9f17f732142671da4db943f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b0d210a8111d8f57acbd13f184294065

SHA1
58f09098e410bb314b6bf2ed9b8f190bb349936f

SHA256
8bbdab3260c21797ff38f8ed49d9ed1f8e440a9856d566a9e039542c16dc22be

SHA512
6df774e1e94223a5bdd07fe3f0a4521e73865289b17618e5bb95b83054603651a30c377041edae5a1af7ae0a8571d102fb02f01138ef0049e18282946b682a8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
09a57c88eb6754ad44004d623b1bb12e

SHA1
ed9d0c09aa8707439cd156da89845803b7cf5de8

SHA256
1fdfa724c737b3efc18ba14e4597ca15edcca81e38f5c5f30a26adc80cc27f85

SHA512
ed844314889da7c5446bc59f0eb5e61f15cb4d38b76c95f25ad404bf853c4dce3791d8c76560e064d861db8fb9ffe4ee1ce67e57174ca8f49ba126ba8f762679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d174833e5220663f942c5fd008fbb94f

SHA1
f7a165836ee5229294e0869db3dcf9c8a832e0e7

SHA256
29b2a37568068575057fab04131b08a58e83c4f677ee7c8fcde02d711901113d

SHA512
8e1601b7167296d4ec69c9dd785f1f8f7cfd5cb44ea174a686cccbc3d9e4b398e9245319e0af0000a9e5c95fdcf742f3ef6b3c25ceda5f8a8519dcd905d1c84c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1f2a0b8da4ce174f033b661a0d5cabc5

SHA1
5bb0d3a9089de7f5df8b2730b330a7bd836a7567

SHA256
5e10426d93787e5bd356948c14eded68e77529be40b652c49cd9e2ba4326267e

SHA512
4c5c66ec50156a2b406233309e8b7b529a9fde4169a4a16ebdf3b2c6af2174c290c8ced61a3884c086894f578e39c6d9f324ec2b0ceb34917a44930bd21699cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7d288a97bf7c177dbbde965229707fbc

SHA1
2ab759b4bfff8f3bfcb7502c84bfbf7a5e7b89ee

SHA256
9fedce1df0ec7159bad9d2cb13ddc4055a7d8202e52d6f84261f79ce30a4a98d

SHA512
1a68327c32ae23f2789c9a576d78442b1f27b3fb4f82c4f95e00eebff1244eaffdccae7279949d1e89789457b8b14c76bedc921a2d61b776e45b6c56b1c8c933

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
de6e083b70a469b49b836dfe1c04b456

SHA1
0fa2fe20e86392d81ee8adc21be61ffdbf4ffcda

SHA256
5d556966f432ceab736165698fe470a9c766686f7a7a116566eb28df23964bf3

SHA512
888f502801b77e2b8d71c003d886acf3e94815598ab2ffa2f68021fe626572098ebed69db108dda60793b40659755c89db1f21397f94dc93bb2d69466382a191

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3d2d96bac6134a0ce4eaeeb1d6bfac6b

SHA1
b50812740f58a04ca0f66eaa402c6e4a203ca412

SHA256
37406c10da5d2deaf03460f3045d398508d0e4fdfbae9a1689facb807710a0b0

SHA512
1509cd6b22d89411b23f487ca1b7a25e4abad2b859b79a03e72af224c5e1bf56cb1d5c2e57540ade53f75f7512031573e200297828bea9755e35a6e1717bff7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4d655e991ea27e1383b3675cfdc68f6f

SHA1
23f6a04350a9d1c8a76d6f54a0c29a9c5d00f16f

SHA256
05fa28fd3c9be3c83bd5e793797fdffde3c9b4e3769eea76a362d2cf1d0b84c1

SHA512
db1805ebb86e38f72045b85c658c4f0c65411211ae8856fb91535d3794c3079d0018a5f38d4fcc84c1363ba404ce9e502736b991a124ff1c503f4d6486de43d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
904faa20a62a4ae1af19bfaedb4305ad

SHA1
6ab66bcda263fbd688ad79f049dd0aa1f57429b5

SHA256
0f702caf37dd123a973e573880529bf00d5784786c7eda6b3f873ea1821f81c8

SHA512
2cbe6f430fca732e32053ec1301c686391be48b1013ec20bc3c9b9908c24c8834db4edee169aad8150b91f811d22d812f1c5513db98f427cda5cef7466b5ae70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6b07122b4ec5dc582c6e49153bee0e14

SHA1
d86f1818b7a7d83c81818ba0eb5c2e80e706afce

SHA256
e711fdfc587080f7b046e45b47094c5f4c2058af1cbec9b23556e2cd358a7ada

SHA512
11aa7e5970c8c66250be8099b411d239dedb28cabe3045e2e4fcf26227385bc1973c82abbcb4f563d8e8bcc2395528271ceff462134121603f093426b9c5414a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
534cdddddd83d125c765348c4e6c16b5

SHA1
11b45395510c9e16d400edcd0ddeef53e9383190

SHA256
70f8df03d3e8d8638b69f68530f02fce3b929c364d8cbe12c134af79cf36b0bf

SHA512
d99b7869fcf234e06fd40dcd2ada2c6f0cea4b3afc925163d982593602124a1c0077a68d1574345edd9ed3cf81c774f83e8b5db6806ecd58809e6dcc4bd45f4e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5ce437f68fe75cf9e9fa9a746cb51f4f

SHA1
638a16989c5f72ed9f9c98274d35532fcd23ecd2

SHA256
1a26c61538eec13fa375fa996146c90c87062c78354fe3ab13bb9b947124cc64

SHA512
6e86e8b3ef1369469bfcb24f9fbd1db4d7bea9105b7698a6e60e0302f61a62c9f31953baf20f6d597b3cfb5d1599418f1d52fdae853cc558a3a2c260fdcb66e5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
082fa12d7a07ee6ab3049c95faea0a87

SHA1
f5276d39d801eb696ee157b8e0c26d85ed479fe4

SHA256
aafa382831dfcdb20220084c04c4556261617443f89a4fee2a7cec6489f35559

SHA512
83d29a98be50500b21322b36616827ef2af3a7a414dcb27d508e5c058f684a8e7492e57cd8d71b7a12f0365154ce6738915579c5d867f65a0990139fca33b5b2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d4b589ccff31f44c3ec0919a2186af8a

SHA1
f0e818b409a99dc7c980fef1a0c4cc8d05256948

SHA256
bbe2856e84bce0982a44c860c8e0ec5124a6491b537216cd72839f23d8d1bdaf

SHA512
4353052ca8c19178a5cc01c8eb252a42db5608adccac06c4be6fa0151e34dd6a75335017b6c6c40f01c2641775205ef854e4a0dabdcfbf48dd50d7f2a796f1c7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1f905f3bed049d0e4d2c5303406ad9e3

SHA1
deab6758e9aa5a39c2cbe6789d191ca7d53ab60b

SHA256
0f62941ddfbf77afc612ed0aa6761303ee1d4eb046067cd282cb44cd3075d89b

SHA512
943c9916066fd65358324b63b71f8d0ae3ac8589741e06072601cbe4e115e67419e17b6d2106fa518550f87f041586477c467b42f43a1069e32f1cd56bc69e7b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
83ccb3e0757c353e6358cf90b894f37f

SHA1
d39690e9e34e88d5e2ea2a6d886baff049c799bb

SHA256
aa1042ec6cff27057d2d160d0e5b4301527f75b9be196b192110e6a4e46897bf

SHA512
e666a47548214e111d5a6b0b2df8df856679c242b530b0c525b78cd03a1f5881c21b7aacf1b93fe0251b57f8b33c43d920118c6fd93e479b3bf228bc42b138d0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
56770d7da737e72b4cf0a06b99dc2d96

SHA1
fe278372f763f2884e883887d4d35030ebc99713

SHA256
43d12809358ef384c90c47fddd214cb1daf7990f7367b86ed1b13b05d4d0601c

SHA512
6b5403677fc5097844501e4d79ca3f216102f77d245bf01bc4f383b5f652ab80c3a68005d178300e9b2badeb1a905dcbf218aca52ec61fa204d3f77fee04529d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cf3cf94991f24c9c4ad885016ab4237e

SHA1
df8c3a31fe986f782dec040a5fd4800e48849e0e

SHA256
e55d71a1da3fbc2f30f030fb216e63aa9e6668a883471eedf134e3665a64a7b1

SHA512
0fe65b0fb978f0323ad5495a606714087fab5375db278908331e9e8dd4c7af2318b225ec3e597eff9fc92ae7d81642cd5c7f8db6f5f3a530ee21b8df00707fa0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3c561a5c6036764c875c92166b69eef5

SHA1
6dd0b117ef42d8a2e9fca08f9c092f82f7ee481f

SHA256
7f9ef344ca8347aab3d8a683de14eaa888120802fd26a0655c3cd71bd12d50ea

SHA512
16cce8480284e8f51db1f4efeec93cad5ee09518bbe19dce81dd645a7c2e5f762ae92afdad06335b81b045a57f4bfb05da000a15fba2f764fc52e545cf6eae7b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3b4e8139ad6ace14c4059768f21f5d48

SHA1
f47079f50b1110035554f7cda10cc2bf79144949

SHA256
9f129eaed61de40e4c7d59e60f9d9b134b40a4b5d5356ad89d526638e235546b

SHA512
f86e676ae9118d5a6593b04307768a9cfc28eba1327348578d4db679a3764a21ec62ecfdd5dfa28d9a54539533543264193df9bbb4b655950b6217e989875be1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
26736aca1efc4ac2f171ed769981191e

SHA1
8181da343b55cc50965b068ead606750e7ee0030

SHA256
dd25896f23353e625b4b0c5fc442c614fbe4947ae9c7257613445fb5d211fe73

SHA512
7529e0f582c367ebff8454c68338aadc9de105b447c2887f9b5ec88e26f375549452d43578304060ba8025324979063afcffce4d1143817d6e28d6fbb093b64a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
99045ab7d43d0afe0c7854a7435153f5

SHA1
0301e12392200e53d027fb181fd5cc86ab78e972

SHA256
188955223ab3155c402660b525e8262fd07c0ba7d26feb91c5c937d7098a84bc

SHA512
a472fcd629ac789157d4881db046238235bf134a2579e04e7314b38819482b5ba1e41a8d99b076416a0aa0cf1868594e585ebef38ba8b7d37e186b193bf43835

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
40081bc192746ddc94b0a6b2ff82cca8

SHA1
18b63b0dd6753eb5ebb3d62c916817b63931e8c4

SHA256
51281ab74ffd22fcd273b375e637ddf3e60a1baa2856e866c00468c0844aa0af

SHA512
7a4c6866cb15385f396b4f2c6aeee737e6e71885fcdc061ba4fa9581ceddb1ff54b6498fda7a4ebb06b834e986639f4d3bbb4cb89cfcee0996e4cd6f2691676d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
73c887fb6c09f130aeeb4352328ab67a

SHA1
d10d187a2217a4f84cee7ab0718894e22732c4e7

SHA256
826fe6469dbb07aec3aad34797eb22a475117137814bd3bb61b4f8ade3f60d3e

SHA512
bd1eb11781b6944d02c0bf4390e30822c31d48bddf2a7236154299cb8db9541fb00ce15450034b35af4fcc928d8e5678af0bdc77548761c1e690bbc9181affdd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6fa9137c95d04f85c8755639e7d25c53

SHA1
766353979f38a5f78dd6e4feb73804029e34db90

SHA256
724613ee7dab705d316d4c4173d74e1cd1dae8dd17f40fabcbf3b17df1189561

SHA512
22579917b8944c9daa86030ed70aa89811bcbe58c7f19549e1f71a344cfae4461adaa29b7ef5b703e02529d753e01f569613130b257b951b003a61b377a73fa6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f02d8b995679076caf5ef8dcf88b0fe1

SHA1
12f5902bc6f1dfe0e3b379c13ec0f65976e525c9

SHA256
434a4404a6d3ccad6a99b986449dcbeb634242ce2f802419b8db942a1c193b4d

SHA512
30b18db3b04be2407421e13275a61a6b8c257afc89afdaf259cbf15a5bc4c1aff16ce2c6672b5b746fe1f637441f59ce59b4a5740f1799bf205fed46cb6d21a0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b825b4778d602eadfc005f29b70c7aad

SHA1
541910357ba5fa5fc360e6af74d57066b3556f6b

SHA256
7d8a4ec47700d5fa3ee6424f707cf910751761adc194fc266438db3831acd4c1

SHA512
7a5e91eb0e9238cf7a01784a9fe5cc115d1d80a2d724dda50702253fd428787acec849e490abdb2a1ad2f2bb4cca5b151b11959573a1aa209380297998d651f3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
95c09bbc2938fb40fdbf19e4e55d8503

SHA1
98f9a481d03d1a7fcd9d32e41a38bc6ecf1cbb02

SHA256
b4cc45c73b02eedd82429d5bbd898841745f73bc34d17e2fb1f1774696f9af68

SHA512
17702f8e3825efe9a47abbb572891076ba1b7342805634142591bc208e64763f28f05c88b39c0eb7b9c21821ae297eea70fc50e1fb0f48bbdc238e5e86e900d9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
845c0ad4e35b5d76f59ec819f2500415

SHA1
ac59bcc1e3c235c403b4152b403c26d9dd4286bc

SHA256
0683478a0bbe0fde251e464ce9e0e7f1fe56a6a67ba82f5e4cad7be86fd50039

SHA512
0da244002db4f4526b226f8be3e8f9cd7d683ae9484c5c438e9cba0214ffa0121b86047e240eabc05b614cb48df0a181e535d63c9abd03e78534b8495770bc0c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
33aceb23890e209d05bdad4bd1aaecec

SHA1
4e3758173afbfed640978d76f2deea5e68234f16

SHA256
f342a167c8e8a0a4d805c44b22f9c42e9ded2536ec1ffab529574dbe45f931d3

SHA512
5dd19d361cbde4c5ee7cb6e6f2be6b7f1f1053e81533443aa0ab27b4bd7ebf787efdc2e4d8f66bcdc7ed645c46aad030eb29bfa60de30f6910e1a17ad968547f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8d10df0c85b848226e8760cfc8cf1346

SHA1
58b19101972b04ea1f610274b7bc8bdb996c14a2

SHA256
1c4cd0a5ae63f091b3af1ad411e892469d2c5438c5ea58164963188f7269da86

SHA512
f040c6a2deecb0afba0eeb7e4d2f2dfa675e87425486cb510ddae2562f7ba93454f7eea2403e490cf364f0c58121af77ef80bef20521045f85748852d43f2a37

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fbef758d1ae07a6b6f4bfe2e4aa4b239

SHA1
3b186057b23ebd341cf9dc6d25fac65e1ee78442

SHA256
9c5d0534d12a0f9d25842ab067c4b281c97bb704af41a5fdab4caec6bbb07952

SHA512
af2a24cbc689553cba56e8cb5b24c8ef085ca7fe6cd01a39468d0244c33cc04cda92c18adc725d4957192dfccef3c91764d6f912002aea5245734aab9a6cd6fd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
fadc3a0aea425d12b5f41dc360610aad

SHA1
64fae55050e8ddeb1fbcd68d0ac79dc17461e4a2

SHA256
d8d9c7c936374d69a79d16f0998aff1e2f22cb9ac8cd8e4f367602415b3069ae

SHA512
a10d3eb515474fe2d012ab98ff69218b17361dd0ac1d8486b5e85dfaa929ef0658ed5c79c448a0fa25b8bef9a560b2ad8f1739fd4ff06b60a39c42b1a82e3c65

Download Submit
memory/212-98-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/212-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/212-1-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/212-6-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/636-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/636-145-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/636-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1020-113-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1020-485-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1020-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1412-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1412-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1412-140-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1412-31-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1696-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1696-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1708-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1708-498-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2064-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2136-506-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2136-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2208-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2208-87-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2208-88-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2208-94-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2392-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2392-501-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2980-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2980-504-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3324-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3324-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3516-507-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3516-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3684-339-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3684-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3716-478-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3716-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4232-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4232-112-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4440-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4440-153-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4440-78-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4440-72-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4532-61-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4532-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4532-56-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4532-65-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4532-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4540-500-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4540-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4544-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4752-362-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4752-120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4812-105-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/4812-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4812-160-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4812-100-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/5100-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5100-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5100-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download