28f5453ba1409363f40c61a1007cd7f92ee0e75accbd95394b4a9f6c67154ba1

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Size

1.8MB
MD5

6ff0d7a2aa108a18889a6f58b3ffd9b6
SHA1

6a5eb33cffafa69d5a042b6c4a920f1ec48b49e8
SHA256

28f5453ba1409363f40c61a1007cd7f92ee0e75accbd95394b4a9f6c67154ba1
SHA512

57c64d2a545116e25431c2202e6f25ea97214897562b2e27d66fde56a92820f90d8f153b5b5196bc6611ab68ef414564bff6c5c18b7473257ba6d7e618f31cc3
SSDEEP

49152:IE19+ApwXk1QE1RzsEQPaxHNhXvYMLprznyDSga9:N93wXmoKpXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3968	alg.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
3240	fxssvc.exe
4172	elevation_service.exe
1692	elevation_service.exe
3756	maintenanceservice.exe
2168	msdtc.exe
4592	OSE.EXE
2876	PerceptionSimulationService.exe
3716	perfhost.exe
2108	locator.exe
720	SensorDataService.exe
3676	snmptrap.exe
220	spectrum.exe
4268	ssh-agent.exe
4748	TieringEngineService.exe
3368	AgentService.exe
1188	vds.exe
5072	vssvc.exe
3756	wbengine.exe
4076	WmiApSrv.exe
1676	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44834c81b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b0cc37534aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f65e9e6e34aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003525767334aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036508b7634aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5a31d7634aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
1980	DiagnosticsHub.StandardCollector.Service.exe
1980	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeAuditPrivilege	3240	fxssvc.exe
Token: SeRestorePrivilege	4748	TieringEngineService.exe
Token: SeManageVolumePrivilege	4748	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3368	AgentService.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeBackupPrivilege	3756	wbengine.exe
Token: SeRestorePrivilege	3756	wbengine.exe
Token: SeSecurityPrivilege	3756	wbengine.exe
Token: 33	1676	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1676	SearchIndexer.exe
Token: SeDebugPrivilege	4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege	4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege	4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege	4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege	4188	2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
Token: SeDebugPrivilege	1980	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2944	1676	SearchIndexer.exe	116
PID 1676 wrote to memory of 2944	1676	SearchIndexer.exe	116
PID 1676 wrote to memory of 836	1676	SearchIndexer.exe	117
PID 1676 wrote to memory of 836	1676	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_6ff0d7a2aa108a18889a6f58b3ffd9b6_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1692

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2168

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:720

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:220

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
b7f207774cb15fa3634c949bd91038d1

SHA1
f44e0dfef8340384cb3142105442f9048239d640

SHA256
eaf3a37d2ca2c60bfe6ffd1c1b8f04878774813f2c936169532e30044802bac6

SHA512
bf2f84b864d00a7d09b771cfec5fa6f74ea752ce89298905e36ce6c06ed763c169501cc782db7eaca6f2408f26ea5e87e5c2fac1b80089b1c38a4e52ae249747

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
64491e6fab152d6b1166ad2215beff24

SHA1
b5db8bcb8395e1fcea4c56980319fb1b5566e5c3

SHA256
4ad3001fd72f07445fcd4b8577951c23d236a6cf0b6ac8b3ebe3a84c4d1b6dd8

SHA512
9e7b5bd6cc199b8b2fc111a627ee8166877168e4982ead24c26a81ca6ca68210836ca484b7a75e5786a1fabcb96e1aa58b9381cfeae7c9edd258141b03d57cea

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1fac17151b0194ee413f150ccfb45b70

SHA1
e70f0b406b26456023a67e389031667026dee456

SHA256
2d1ae8791fbe3a28ac3b403fd4587c1685d25b5eed51306b34319a08bd08fa1e

SHA512
e8950c0049a4e59229324d92c862df38e5b5b1faa9863b6963a9e0cf3938998e8e1842619a3ea717b7a2a2861c88ef76a20bf62b7ca9bae2274e1e546c724dc4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
171ff00a8c9243c340800899e18598d6

SHA1
8f518debb435838d18c945f324716dec60ed2f77

SHA256
712cebdddcace388e5331f665d918b2a1d11ac14e8491042431236d5bf7e9bd7

SHA512
e3caa42ed02aa4cee4351a0d74cacab79d8352cabc4c50e8d028c9b6b20d739909f151566435d165b07a9c4acf83623d86367e7a431726e4914e1fb66b66013e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e3a606fc724fae84a57a43171a74b7f1

SHA1
e0cca55a024aa1dd258c8bc2b6b00753a9d27eaa

SHA256
9886ac39c57bba791413d6ea35b334b4e8cf90db04132d15a2c325968d82dbf5

SHA512
52483f4a73a313a2dd52e8a062765eb0649d16510ee2a1af52762cf4bfb2111f349acdfd3bc0bd22c3cf1b32a72eeb3bb5bc3a8b10ce2c439da3c46f79d20d60

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
55f036e7393f8869df01bde3c7768055

SHA1
cf3a0950f91398720b1bf7bf6ea980344d50eeca

SHA256
f117bb84f1d3a4e2d3fd0135d7ed8e48ba598cfe797f60bc1eafec2897f29c31

SHA512
549f9e9bd84b2d50c71ecc75a67d3001e3a93a953dbdaabbab67fc8a10daa6f574744176b96bb2d34988273cf059aca638cc7d078a677c7c58c139a186be2184

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8094f9c35b868b1ad21b7a302e7426a5

SHA1
9c015485db696c896b8b2e3490db0cad4d5b4609

SHA256
d4d8d09024bb9b2050f60bdce8fd9ddf2b290464a497acefb9eb9edb0ac499da

SHA512
5d54177c929583e36a8a5c81806ff4ba2abb129cbafdb6139e94cf921e1833762fc944c09923fe988912b554afd76e74be712ec32383f87a82589bec16a5f2f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
90db52d9f02254d9997fa08a09314bcd

SHA1
c79a015ecaee742f4f0e37b26fde89740da79b31

SHA256
2b415875c91bab12523c9b9fd6043bceb06f6fbbef5088bceefec61a04d57b66

SHA512
eb50ff93bcf4c3a07285e72fb52e29226afa7a1ca446342a45fea927f024cb9932c9af28b506a3d06666be551c923cbe4a0d56c4e3b3219a567707e27e0a606b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fb1f73e51fdd5ad605bda70ae5b70d32

SHA1
41b610f894a3b7d2c6b340f04384c1e47ac34177

SHA256
fe55e6e934b66916aeca1a3f15e2f88ddb87a9ef65baff85438230a9c80217bf

SHA512
d88b3a4b6ccc0e7b00374ee10aad63d0e08bb92f60eddda1d70963836b5fc620a77683f2e1d38516796b87b68f246b36e1c2f028358b2f0d2381a699bd37c8df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
883763f06053d5c41219789a7163d6be

SHA1
da79a34607b658b5cef1513e2e407b1a153099c9

SHA256
7b221607666b17a14dac78f2c7a717ef8a517e086fcee6b437a9cd66ebe23fe8

SHA512
8d8e4cf24a223d12b73d146da2236590010ce7e3332fcdaf21051739e2d6babf2825e12f55768f6181c66b7b33858a32180f9e7ef11e44df5509b222feea3f0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d9d51449119eaf5384168a66c9e13251

SHA1
b228e567f314134d444af5df08c612c17c9dd43c

SHA256
dc4f39c1fc215df200153f23b897cf758cd9668596a92a3355f46002f07f98e0

SHA512
edd0b81b5e923dd409f38e95ad644d9f333cdb6ed84f7660d0e6808e6143a9f1c26387c42962e89050b49bd7400dc04f31a3ffdee9d179594920b9ab6ee5d568

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5fd7d87c0682b6a01d9b580c2b09761d

SHA1
ae1f29a71e7cb2b919e6e992387e5751840fae4b

SHA256
a360357a405afe8f4262c9b8a5bf67573d61117cc2ab434ddb1d1286a583ceca

SHA512
133dca764d89790aa676cf37a3cb8e1c121e88294e1691cf4ee3700b91865ee676c430c3cdb615135b627f43e2fca4364738196c3732c36d7461134d4196625b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
434e482d5b2492c61440f125bd72ffb9

SHA1
df1758f55abe83d34e62d6b7486ef7e8089b9cf4

SHA256
8af21942ceaf5bbdc4c79fa123e9edd30de1fcf9182a25a50287bf27ff17c87b

SHA512
709cb571e351c4cf982001704e5a2b625ad33071fe6e75f715c141c319ba4686a5bb9d6cb9ebc3ab96a836c0648db8ed2f66f5c780745b292b093a6af4d2c9a4

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f59c5595c716e51b38dd4f17533e5997

SHA1
333e2f681359c987d248da777db63583abb4bec7

SHA256
47ead799ee86aee1608d3b244f14bdf81a97d0dda2a920c8a069e99ada6261b4

SHA512
a6a8efb211f929d4789c55096cf34c39420ad0aeecd82b16495049bc02bac9b92e8b4212630fcf1194f0b1cc17a7ab53a9082f497b62d7b575ca3e9f1cd58c87

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
c8fd2178a0710c4a124f9531c8b91bca

SHA1
c724fa4df8c31f872f23e8af2ca13c3b55df93c4

SHA256
90be9044406210898a7de4bed2ff5ce10f8f8765e166eca241932f126d507e8c

SHA512
093bf128dc61e62504c4b1c07ae4f0cbbf154d3dc7ae62922543eed61e1d9f32010fd433cdee77f3ddc9b23dece0d5b5d86053db98ef61dbaa580bfa267671d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1cd6574807ad9be23a1e4c74cb401078

SHA1
2ef76f39f14ee409f9c051a273d5643040ede592

SHA256
506dd5fd4a6959c6a9dc6f7e2a58c12c59480676aff099f85d05721d75cb3aac

SHA512
e2784d749039166b3693544f8aba901cd69c8344696080c2db5b2d61c2b227e2133a523e337486d64dc49e35e9a69457852e0b7bc1156ae998d606291232e4cc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
cd44943338a3d185e81c2269ff29a9c8

SHA1
317956b8afb4e896c286ed0446e8ac0548d69caa

SHA256
75c5d855a8ec9393f2a4d4d024d054a7dccf86e09de103eb1b3922ca0b1d9c80

SHA512
9d23b3e8190a415049d02d4410c804ca7b4b5383cc3c61dd4b5e241564eb49b5bfb79cdf00fe86a06c65d1830a9b70f71fdac9bb8043b4d2997d358db8edd6a4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8c9514c70b1f7a4761c60935f1be260d

SHA1
efdf5cfcb16591bad9a24745048af5a4a3d32121

SHA256
ee71dd20bbdba43745d56f639ccc4bad15115f8ffea384c1c07434c3a5d61bc1

SHA512
4ff8c33dbfbfd53871d6a11213e098d5c27322dd65d64d3a4d303433fd182e2cd37f7ca9fa35fb52bd56a64c3fe7af7eec437dda64ac6c41505370e3d18de8f6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
dc1baf989880b06769049ebe50c40411

SHA1
de55d28e964151a378c53f09e167397b9b2d0928

SHA256
8cc9cd5f1dce25edb0950ff8e3920ec7c426d1a907e32606f894081286af5739

SHA512
ab617b35cd02d03acfce1e3f790df254da21f688d1fc36958f9fe8e2e3f1ca4e6ef2ce69751c7b47bcd76fd70aa5bc48f2303e607749fb8a3fbdb77294c73fc4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
15a28d7d370bc03e339f661dba124a16

SHA1
595448b5c4dcc039149b5458f506bd75f3112096

SHA256
c7b487f82a1636b52a674012955b0eaf1dbebe17ecc508aa66d172126ca4e71a

SHA512
03a9330fea0907aca39eca2254ed6971327c5275aed6617eb44c79b7e61c98521880342492fa04baac109d56a1427ffa26f3c0944d0a51c912bb85c80aaf8f76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
88e6be169d03902b1dd1104ba2307b6f

SHA1
62f38922a6d813af6a179b3756178bd5180d7c27

SHA256
f8045bb374b809e85f3a5ffb9c04ae95de18d65670ab29e0e2de351deebfd2e0

SHA512
0e18dfe2f6538b7e8b094d0ffbea1565dc21cdc5bc074ad99324d37fc7beae942e694a721a201be3fa16ef3956ab1cc53fc1cd0ff78185146cdffe3691e98679

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
bc045cf8b9822a53cee6692bdc3421f5

SHA1
5a41316eade6bbb781087bfd42c79a1e203e2159

SHA256
5d16374f587be04c2918da006c8fd9e5627b602d5e1350195fad12a059df8261

SHA512
dacedc4d02d45a2c2635a223edab6d492f9bdd7400a58861644bf1dde8185cd01031b1487721fd63932020bda75ce4a9d7508c917cae3b5787fa53f6ee6e80d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7c5016ad427795b09870bd8a25c84bbb

SHA1
366ba35ef4dda7a4db5da2762d53c57969e15da3

SHA256
402ea574939ee13846d488fd3f45e842a126353013f78f02b4f1b03d1ebe92b3

SHA512
1472888d5986e8ddafe7b2ea88c62b29b1a73dee41885d4689eccd7fd7c6e471bc2797d2c6a4807480c936b395b1a8fef306d6a390af3f29e6960b46f4f1a120

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1d0e3e149a5f77e0b99a756ac02cd1d0

SHA1
02a27c80958c2fcd86e6897cf4de371f0d01e81a

SHA256
7f83a0e6e356e3bfee4c7e79661a75d384e9fd09eb45406872797ba7effd9f46

SHA512
092e60ab00407375bd41de194c61221e7db162fd8b9f015c538331cf9d53ec2d823fa686b57073bc9f15bca4af4a02a807b07e726e249f45511f4f30ff607a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3ae0fb41437c7b10cbff3d525df8903b

SHA1
287cb41f93d023e2ca48cdf84ab6012a7c11d088

SHA256
eab763d84b433a0f71e818420d2d3047f111c066bae68e0124841fe9713ac5ec

SHA512
78dbc05fda709cb6cae41628c455742fd21bc9bf9d1a073c9037009f45a29637834a39f57f3db297ef372b7eb8d8cce7bf4817880a634b8ce13eeb6b3650ea15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a871af3645582077db688f93cd7cf7cd

SHA1
04719ad3622e7f0c4594e81452251212fc78104f

SHA256
62e9456d40b8ea8a5e5741f0b3ed85b68b368065d15387d8c9f653955a1e6a41

SHA512
61d589beea906d65590880d3475a0113c6a614667db0621c803150c3920066925b67856e366d253a9f0ec2715a67c6672a394366206ea95bde127ed48085e057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
b6697d42c510694f9e329d744ab426ee

SHA1
b915bcfef43eac6c2a2d85372fad54910ce25eb8

SHA256
c9ffceb44b85fbc5510df9c239a7908518ccb45fbabdfb70310f4b54f3fcfbd6

SHA512
a5d3b45f64f5778203a09a4d766f1a0897f5fefdcb65a3d8bd0ce2b54b0f94a7d1f1f7f39a2b4b093fa624a60195b1b973dafcef6adc2c0695050f431f6d9dbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d6e1f80a401e5c0ed25308a47799e055

SHA1
1728f95bd7189f0ac25e49c9b7010f3ae1007987

SHA256
620659a76e952f9d10d646c4cdb0afbfe19436c3b3c4bc324e769a6d55b7a462

SHA512
c1f9b536fbddd3e664124061f79d5a85330ed6e1b23c531ceba5a844a83fd3bc47bbc2d39ecd0f0d40bbeb328809dc9f52110b9c4f90d652f0c06a7e8ac214f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c31c71168131f37030f60637ad3c23df

SHA1
a90b4b899741ab7db76f503493b9b7559e97ac1d

SHA256
3027874951a4713490458a9d0c68b1738308ea366128e986131edc59cb0e4ac9

SHA512
47445034db69343040a4aa3920e82e9db5120eaf9c8efae7603ac3c3b5ee47f5df9a5d3951848c929946e698e57aee85805f5d0c69c6e1dbb8dd8e93518515c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5d9190bac22641ab1b588c1a4ad8621f

SHA1
4510eb8d36bf7b1f741d36634107cb81b83316d0

SHA256
88baa672456edb616733e13343d04b0b2886630520f0aa83e78146c446a36b90

SHA512
ed7c248d3c05cef665bd4898713c39aaa83538cb3b6483d5f8165c45d446333c9cd4f7a3f6d9e0f6b7ce6515f5cf5c82c91c1d2126c678b5d8f3dc113f3604b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
58131b4e33d34b2aab265379fc23091d

SHA1
d0d5a05520d8638edfacc03b7d1792f89e43f961

SHA256
1a5198d221303e83f3920dbcc52e1374460de63c91b3a14408144592326014c2

SHA512
064993778c687c46c5ab085a4c24aac6a67a93b87941c5cec1b12ec585bf2eda4e58cd73109f7aaa35b3b674db2f5aa3eb9efc9ee70d6dec850e0e9e82968a48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b69b4606cb9fc06c6789e89ea718e128

SHA1
31771409b4e1a00bd408cf19c8752fcdd8c65be4

SHA256
cef2530d2549bc61dccc073b26f27c3946d27eafd6c36bbf92cbb1e09e0e8429

SHA512
d300e46a707501198ea217f64d3b861f2a2381960c849bb41fe6365efe0709079dc709dbee76426a3b364b16e5bdd738297b51b376c06e49b76ba84e19c5be3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
54a44d22ac98cbca602d4869762e3ada

SHA1
10b6721044b2f8def14596c0b26665dcabcd5132

SHA256
2e057843115e560118958d1274e939b1daeba2940392c95042ee1235fa28d514

SHA512
30a179956fd263f68e7dbc9fc6df76405f1ac1c6c78f15902fb023bdaeffd3f0ee05e3f89b48ac37a92bf736c79546befae538a6ecd3536dd01ebbfa3968add8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
04c85d194f1489171de04851e21010a5

SHA1
81a9321c5019d4fffb8ffea15e0054ca260c3638

SHA256
0deafd5137f8b647a8afe230d37681d2794d497b1eeed0c59a4c27c98c138c7d

SHA512
155a00dbc46f6b4d56b276a937f6eadf1c6eaabdc9550486308fe6ecb1e08e7f081d146f06913da3d7e5ba8accf280af091dbeb902303525d9395653e4739455

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0881778f6e9e6e374a7c59c6620ec0ea

SHA1
5bcbfa11b13d5cc2929e728442b726f415b4697d

SHA256
90948d7837bdd778348879db6e61a388dc3f89175b8914ef3215ed83c138e113

SHA512
deef07f73009f45a877a5e02f04f5677be358a65586b8b99c4bd71592f7a4b236a8309d7522a8a77c72c6d89273569a394886410e8b800f257cc01c4b40c075b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
665c37dac12be203bfc385a32246ddb7

SHA1
18869d244d9c75fe4519400eb28bfe41e7bde763

SHA256
d3da36c8c34936aa5cf3a078f4be632c59bf95789990de34a4385a48ce976855

SHA512
11d37b0219f4df0a8720aafd2ce90d5ea5b8eedf768e0d1a2d934151464542985efc2be3f866727aa5800910c8fffea06f4a2474b44a16ac1ebb40e598121df9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
d66e1d9a0cf778ab284e4d3ce7ea6291

SHA1
bbde27ddfd5ffa8ebeafe2b4406ae9dff3a58d1a

SHA256
12a2938fd3d8180a35d720e16ec39b0fe1d371c07a1418eb5e438736954cb919

SHA512
b100c35762cd18d9e2e272f2e9574fe21da8591a2df98119dd104a1d2d3dc441387011a5a3bc18d88025253e6430cd4d2406e07b66109b6413fc6df8c8f92899

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8c45193b276e3f0e7d05873ce212e2d8

SHA1
a8d399b5866f5f9ed38e306e5581922e033c1b7f

SHA256
efc07bff988d6750a3138760122dd19b9101ba400f666a9d4ac2b119bc6d8452

SHA512
e96278d6481ac75818ec2d8f084e9af91b11387f1b0697333298f708076a683707750c9b52d5185a1c4c8068fd757d641753d64012a7472823656e116a9789f5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aad5d20f26d5f9e554568581a651396c

SHA1
9ee2126223ad8a47d238f7ce943cb1815ecddc45

SHA256
f0b833e6b8f44dfc9358c20ab35186ed7adc222cc8221571bff49dc5dbf113b8

SHA512
1d75922133509e27f5c27230e4ac0b4ea504a85c870bf632c4041c208fe4ce6ad154472906d19e1a6da48a57a34b5d2d21793160c697247b38a28f46faaed9fd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f16cd0c6dcf8ec2ea7fb7ad8af56a79

SHA1
c27d115829d20981bfbde59c5fc5b64eeb31b73a

SHA256
b56964be0a42c53311c55bfca75b6168cca569d552bef51c754a4b2cc9b9662a

SHA512
278b723c36e35fe35f2713e4f1e82c150c8a76ac285246c032d88045b6bbbc954c66464ce84a5a7f167d39f7db34d263df02a0bb1b223fee4dd86a90524e4738

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
15b4fffaed7d6bb909b045ceda3d7c1d

SHA1
8291d7ca6f531ecd412e9d428adb0c9b50c9f19f

SHA256
1c590d55fe7ecd329ece3c4c726872e8ef4a11b33ad91f78b24fc14cbe8cd032

SHA512
4907a3ba31cf7b27346d485beb53755f12634436e4597795c4937b2296c07bf5313967264a0f73c043edd5ed90252841cbcd6c21f9021f456030e4336cc24eba

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5a17e2e6284bcc26832a3691ef413e86

SHA1
c3633e25c7654a595dee11419394afcf5748c33b

SHA256
97cfbdd0f4cb6f18c22385ad689487af4c4e2e74d057f44d54ce1d35c0214593

SHA512
a291b87e0243860c9a81b18efb0c7e0945655566695acbd796c5f3ebbc5b95b0773ecfe4028c4e686271fdef75acf4383306a9b97454d5938a345f8d2af28701

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2c8d620ef055c920be9593f310b03b18

SHA1
c136bdff40a478d1b80027be0b73da4b8a8519ca

SHA256
b9d30a70b9245e100ef9b84a92f5e9f076d2ed67a6f8712b82b7924ec44cf536

SHA512
21d75a623b30a4fc73336286d56bc827e779400c31afe7a04fc57b09bf2d9bd263bd92a1f79ddb97408cd6d21a47f5e046515839c354b3c4673fe9af80edb9d6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f8f6dc6ef968e266317caee5d46f670c

SHA1
c9efc7eb5604e79f3b7dcb1e898d7597d746aaec

SHA256
2063379739d1553185ed454190e87bddab8d0a5b42bba3e3dc7cd4d0dd40a0fd

SHA512
2d1f046876ac718a1529b254851f72229bf8d65dd9db10e687573a8823faa023640daab75ce0cbbcf5829cdce2b71f57225bf9caaba2fae3f211858d49f1c89d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b615cf2d03eee4398281b200af74b247

SHA1
0262fff3862ee9e8d90c8de0d5762c194debcdb6

SHA256
7238e9379e72b19833b1d5ecc49f701da17aad3a4f906436b1fef015fc392044

SHA512
e0d69c9431e4c0c33a32022723b0ef120df354253817fc1aef74ee2fd9adb362849ee575f5bed46eaf5c375adaf91b9188584493e8d86ef06fa0a32e153bafd2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
662eeb53d1b44ee61d5a717acbd9678e

SHA1
81415fc4d6a330f0ebbe345ef7f694de917172b8

SHA256
8ffcceeb768461d58fe923af3c7e233d4a92b050319f1522b5300acc99c64d31

SHA512
745a1747a0b75b8344345ca1fa193d1fa9421a508c8b0e50f2f1d26fc661b97fa4602493fb787831586aa3ad7f6a67410a45a84ff416281af0356abb8ef9c7dc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
95dcb69e97efe5f6937dc17e7da430ba

SHA1
0a16d414ce81c3047bdf86840bf495cf0fcc873d

SHA256
eb4ed43f3e1d059d1780ab045bb6d2ab7885e8d6309edebff648c0209d3e3790

SHA512
7c65208b39085f7726587ce4ceb6417e8399fb163a4c2a92e7dd489fef4b36949ba006719e86f22f93ebf56c0175359f9ff31a3375ebf91a7775e2cf56da05b3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
335618d227c0f6e252554f7d60cb8b23

SHA1
fd0d5ab2290e4dcb2ef3208d94414fb42f97efb8

SHA256
a4efa24e68c2e965029f1021c517a18d81e73354cf735d975f9de3407bcadd2d

SHA512
914e5682d1f785b30ba3954e89fda544100d3d79e8652f950eb76f42d772b88c15f07c21bd8c85c639b1b3fabcef49b877dc9f3953aa1c4906cd1bb75b1ad413

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
49984989d15a4b8344ea0bc796c43707

SHA1
f8c9e8e4f0cc6a16eb127e8f437d4e39af8077ad

SHA256
448b315772dd3f10a468e9337b11cd3c71ff720cbb2683d44c909bcbe15e4c55

SHA512
5e184aa84c3d8f1d438502fa554dae6c56ed95298d93b60f537963207872d422f3bcfa3cf4207969dd691187e776a4f10404911f2001eba151a2aa82db130f54

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a11ba2c542099cf5951b8a872c721881

SHA1
bdaeebb7c82766b68c4302ec2486780820552126

SHA256
e8d4a4828e8a00b108f2cb0163fbe261a42731c1264acf18a7bf4cbfe4c87ef2

SHA512
e44fa5237aa2fc086773f40cf2a4e42a3417e6cac75e702d37f93f826f49234c1ef946453166acf1e0ee3df2534e6654a487d5e7a01ba53650a8bf08de120c8e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c398497772b24ac22b925159f60e9a1e

SHA1
cf80893329372eae939e8c39bb66c50cb7c45def

SHA256
84840b5ae7e7c72afc4c703ea96c5b6c63f892604a4c43d628cd444effc139d9

SHA512
5c7f786e86f843de2bbd66d89a7d4014321ba48e305d40748e173d0dbf2c3b275f1ab1791d92fa787ed9bfbb7233f12be0860af49233c92d71c9d2cb8965042e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3b00c8dd4403610fd56bb11591d6ab9d

SHA1
9b24fa451b39829a316978f4b80fe04cd9428480

SHA256
c14260b482266de54d2d00ab4c6a3185e9c66f8ba6512685ac4a55721dfd99ea

SHA512
7a6b0ac0e885b5774946053de29e2b56591f72648eb4acf94374d3e90fd7ecc104a09eb28f4cf5b5fd4b5fadb5bb78bcd4b719e94b981fb76101dfe038903484

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8335ea4088a1ed7d80776bed3ccaf7f0

SHA1
4e6313779093fcea82d02a7b0de126be5d60e6fc

SHA256
ada6a402b36040d1bfe4702a4dcd3affc0a97c4e839754a2290a422168c497d7

SHA512
00c1d7a6a8d18e8cc3380ce5b85e7558ec94f9e9c15e3a42fed381232ad41dca41e746bc468c1e7832964178c9b22efdfb0af640758c30ee7e36560a99403c0f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
49e534ef7cb77c6177e21916aec9614e

SHA1
763fd028917e88c9a7246f5443225bf881b209d5

SHA256
f7e4f5b8521e28289be16a835278665b1338d18ec5e2e61a010b90e042995968

SHA512
4365c5338229609b8cfa837e2a84a02d4d09a6ea1ed49048e3dcc89cb9c3220710494f9b029ea8fce0e55ea893f72faa4e5148b2408f048df46a67e13a3aa1fe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
66814ba336ebf745dc9dc7af7f8f5b9a

SHA1
1284ec8b92d9180745829637a42d7b310d6bdbf5

SHA256
7d30d6d2a6b009fec375dc24e8a7d6d7b3e3bd6c4ff4120c5879c255edfb0b6e

SHA512
fac4cb59c8f7cf5c23435ebf6919bbe24788a28c44fea07f0247acd2377cd79ed4733577c35350c033a14bec63cc1391f45a5236ae9dd3c168c628f1f394bf64

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c1d36fa5d369c984b08f193ecc8c9796

SHA1
b66498c835e3f69dc0cdb490261ceb469639ece5

SHA256
1b6febdd7ac560ac7dffff9c5bfe2621a8f92efe21bd169691760c1706bd42bd

SHA512
48f493c66e3a5be3400bc91277e84f4f6d9a268a8dc845a44fde3f75d17c018fbe31de217376f2ca699de7bfd7d98fb85e2bca941ef95b0cf9755f6a1949ea1b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
cb99e808c2aaf2b77739904a36a82d78

SHA1
72e78a9be9ab94f00633f0bf0cce7c441382b3de

SHA256
f56250161d3067cfbad9e10f4432a228afaa20abe711b781cda4d6b500091ef1

SHA512
c62787664d3717adb86d4964ec785ed0e70783bfe43ff8035dc87b7fa1c1fbf6014143868bf3557c6e2fb7e605d0cd591cc5bdf5fc179861ae1697c121e5ef88

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9feda0b6afd676b6ea7ab54fe626e127

SHA1
bf95b3b30c135e5114a88ba26a0e085db78825e2

SHA256
38fe2ca4068e3e845cc15b46e57d4177484222ef16d40f65d8f7c34be35738d4

SHA512
65fdadab700a97ef159819770bbe00db29dc359197cca9af0f4353142e614d609221c6d8002c549e2a4f0b1e776091ede2a57d3b14f08d66247a827e68357187

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
fd9fdde3e6fd4fb3beb743997972dbc3

SHA1
9ce5cdf30dcd050daf9c44e8377c7671409c661d

SHA256
60a7132620d4b06250b6fe09d97bff2ddd99279810d57521977899df68f1d6ca

SHA512
74db26ab31b9bb9f1a13ed90daab3e3d665eed7cd406a04da7106da584cee685843f5503969e8fdb93be219e78aa75c985c6d9f57454dd7fc276cf29364f05a5

Download Submit
memory/220-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/220-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/720-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/720-241-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/720-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1188-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1188-347-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1676-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-386-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1692-43-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1692-133-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1692-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1692-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1980-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1980-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1980-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1980-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2108-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2108-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2168-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2168-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2876-89-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2876-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2876-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2876-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3240-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3240-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3368-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3368-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3676-224-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3676-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3716-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-100-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3716-106-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/3716-101-0x0000000000610000-0x0000000000677000-memory.dmp

Filesize
412KB

Download
memory/3756-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3756-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3756-54-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3756-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3756-363-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3756-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3756-67-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3968-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3968-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4076-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4076-369-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4172-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4172-32-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4172-37-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4172-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4188-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4188-69-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4188-1-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4188-7-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4188-6-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4268-286-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4268-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4592-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4592-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4592-75-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4592-81-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4748-325-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4748-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5072-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-360-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download