5a2cf3713f9e3a8caf9512fb8f539f2f1c8dd6d797c6f2fdbdb9c8390534069e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Size

1.8MB
MD5

d406c6b224702029c7bb90a32dcfde57
SHA1

db0982bd2ee97482157c612e11314d9d13e06830
SHA256

5a2cf3713f9e3a8caf9512fb8f539f2f1c8dd6d797c6f2fdbdb9c8390534069e
SHA512

cc62109f9eae0043f0c5e1b5f9360112699e23aefab1a4739207f7f4f7b740e19d9d4c49e1d6cad1fe9f77888bf404f6b7206ca879a987dffea8656634698ebf
SSDEEP

49152:wE19+ApwXk1QE1RzsEQPaxHNLXvYMLprznyDSga9:V93wXmoKTXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2540	alg.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
4776	fxssvc.exe
232	elevation_service.exe
1736	elevation_service.exe
2532	maintenanceservice.exe
836	msdtc.exe
2440	OSE.EXE
4796	PerceptionSimulationService.exe
4588	perfhost.exe
4068	locator.exe
4892	SensorDataService.exe
436	snmptrap.exe
4276	spectrum.exe
4836	ssh-agent.exe
4916	TieringEngineService.exe
224	AgentService.exe
4352	vds.exe
1400	vssvc.exe
2924	wbengine.exe
4488	WmiApSrv.exe
3688	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bbe20d79c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088aed2dafeaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000372207dbfeaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049eacddafeaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000148290d4feaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e823e8dafeaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d185eadafeaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000804aefdafeaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aa84edbfeaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d5b89d4feaeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe
5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Token: SeAuditPrivilege	4776	fxssvc.exe
Token: SeRestorePrivilege	4916	TieringEngineService.exe
Token: SeManageVolumePrivilege	4916	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	224	AgentService.exe
Token: SeBackupPrivilege	1400	vssvc.exe
Token: SeRestorePrivilege	1400	vssvc.exe
Token: SeAuditPrivilege	1400	vssvc.exe
Token: SeBackupPrivilege	2924	wbengine.exe
Token: SeRestorePrivilege	2924	wbengine.exe
Token: SeSecurityPrivilege	2924	wbengine.exe
Token: 33	3688	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3688	SearchIndexer.exe
Token: SeDebugPrivilege	1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Token: SeDebugPrivilege	1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Token: SeDebugPrivilege	1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Token: SeDebugPrivilege	1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Token: SeDebugPrivilege	1624	2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
Token: SeDebugPrivilege	5020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 116	3688	SearchIndexer.exe	115
PID 3688 wrote to memory of 116	3688	SearchIndexer.exe	115
PID 3688 wrote to memory of 740	3688	SearchIndexer.exe	116
PID 3688 wrote to memory of 740	3688	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_d406c6b224702029c7bb90a32dcfde57_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1736

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4892

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:436

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4276

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4488

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:116
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
945bbe126683861e658c222deea6aae0

SHA1
df79789b4e2eb8e4dea51dbe64e61b7f92893828

SHA256
034e4bf27e25cc84dee6ac5c54072fffded98c21994723423ffacb247d651528

SHA512
29f756cd7ac036022b792917d25ff41ce0a9b21422fc15d00f679f8d1364f7f9a12da47d14d538cfbed2500e181727e833f9377d19ac7294b9e89be64677f134

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
8fa19d542af5fb8c409968d6d2f42d3e

SHA1
8a3c7a41b1a656f549ee60dd359406bff24000f8

SHA256
cbf2d9261000d295fc4b2d920b939c72fe42778858c05a3f9f4613e9cf49527c

SHA512
7ea771d710052d4d974d975ea3e51ae5229ff335ddf3ad75790389bff63738093afa49cc20f0bdbb3cfd5de407e5e181d67b6bd90f65c7873b27dfa8abf20421

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d7d8ad38884762f98a08053ddc8d2d27

SHA1
9450e560d6b126e18669c48ea82a9f0d838addb8

SHA256
ec6b13798b9127513743284e61722f187f11b30fecbf041cd1bf40aed8af0040

SHA512
819667b9bbb45271ec2bf935193ba518bcf7ec3fa9cdd4d514b3733666984ebb1157ad6784c22af2474a11e99c9998616d2bcd5017201294b0c9694f0c627bb8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f1af970a28fcf3f42cf1b29ffbb84af2

SHA1
492f9895f3e6a712e8f059e280ec215bf005a7bd

SHA256
1fb196df0cbbf583b2fe8729f4de028f4735c1fdf136221968c3cf5397d52d22

SHA512
3e628935ec532ca3de975861fb17f5e81c610404a5a67d4cdfe63a81295dc38c12f466d0fbfa74499fa5168cf3dfa82e616222ab813815fa6314d10fea121be7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c8dc14db78d21c04869d0c468b7d108c

SHA1
2483fa008b65c087f64fc0b7546bf64f79d681c0

SHA256
2dc44c5c7f74c8e8e576ff60c658536eb26e334008daba7ff431e90d7e8a6eaa

SHA512
8f1cf80746228de5bf5c1c12025aa32417877f95c0d458522d385b83df326422f5c6fcfd729ac01cbcbc15e10efb1c23c0cd16406074dbafa1c79471284a0ba8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
6be5c495c0f97accee85afe9a871417a

SHA1
32a74f36db7f75b8abe0ccb141821b19678ff180

SHA256
c05bd80ebdb82474ee2f4878b5458faa7e220914aaeeae33b6a857e37d54e8db

SHA512
0c2d854d55fac76fe32afcb0476f0d500e347f4126d60efb4dc98dc99158ec337b54e6877239b28e94f929fa6095db8c622809e01b2599460fd32ad888cf7786

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
fba873db0a62e022bb527bfe52e22f72

SHA1
0d0b5c610f6f7768ee4b2d6191100bf6405076d3

SHA256
108edb7df27ac512d59b780290b5ef6398908883aa5db32dceafbe7211d00f69

SHA512
01fee8876aada33f915ca61344b3ae9bd3263b60ffa2eb7be2b24194c80f52b9a5023da5e4e2034b1101651b5e5b71e9e02eb5ab3e515c7875864b1e646bf33a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e2b8b7ae531d411903660d848e69d0ed

SHA1
67f6e1e5125fc671a5570510e11f6973d1441f3a

SHA256
c80542a1400fc5d45e0f0303f5089275d12b540d2615b2d84acae104b8f536c5

SHA512
0c8fc958f9275bcba72757ebe97f2c761aa0b19a10d71cfa34e37f21e6122e339eb29a23a835a7e335a4ed2d58b434bdf66f5a4862e56abb987d399bf97e90a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6675ad8cae4f82c12cdf512e47b9783c

SHA1
f48d8b4b0893ed1ca50641f60b88417055ec0b04

SHA256
51138f467cc9048661ee8dcdb445e1913255fcc724d103872b5af057cd0fa412

SHA512
48ff196aec4432de964f875b259f3867f0427fbf367584b1855dd5625b5023c11d1c36da72e32a6762f94b7c4e8e928cd06130514cd46f914c906eeff8836796

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6ecc892fd875d6adba1443d8cff11b15

SHA1
c088ad6e7fcc1c62bf23af5f83d4d9eda7d3676a

SHA256
deef01c18df949c0641d81c76c819d0774decb687bad45e03de5bb4f215f7349

SHA512
6588357f86d52fba04178d8ed75e90d999527153c6859d804990c070001ce857945c5dc8f27fad0a107133cfb79925cc205f85a2321d4a7efdc44c77243f20a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6ad7ae9993d395fe53a2bbc08726a56e

SHA1
f32d88c5e6fbf49f5f14419c4f6d2cf374f10460

SHA256
2e11c9dd8a00b5b96913df0f28ac9923dcdd43b05a407dce0ec7f916d01b7303

SHA512
5f07bc19a2b0daba2dfde9694dc7ea502196225d3f027f7b8da9b353c99b8b0259d093620b4f93c8d5b69334a9f8898a06819e331ce8c6aec832a9873d5862ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e3a1fd6bc32c49731d3de349137daa38

SHA1
19dcf500eae3e8e99b6d814a74c100003abcfd8a

SHA256
f207341c92027b54f73a63cfbc5deba37a22b5c514806f6085bd9a0c6ad33e00

SHA512
65d95ecc544e3b1a2be66645324e4b4654fca9a5f3a2231b332599dc727645b9e20d910830a6aaa91e1e89b9428bd331d91b7d7dc17571cbf23eea60f1be4021

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a94c569b18caf7e00381de4fdc1d7d0b

SHA1
82b93e103649e3fc3aed2c6023845907596f747e

SHA256
273a9ad318abaacd5d3f7fbd6f06e214190742a947d29adc5d78f24724dad4d6

SHA512
453689230bd06e438a78f9e6d2d6dee5cf9eeb926a8bceb329a9ab824ac57f8dac0d382765443443e83dbe2278579cce696462d06c03aa2f6a66d226f51f4f56

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
dca7a35acfb3ce489be2ba3174b42d88

SHA1
8b0d52288eb6eb7b7106551d08460751451cb4a9

SHA256
a6e56c75a0231d0694bd09db99ed377d3644c68b5f333065332caf30166e59f3

SHA512
9196e2f5aa77f90baceee56fc3e8dfdbd588814d79515f344b03af713458c4a55c184facab33fd72e4d95cb9a8f26504354e639dd825fe6c3422c80a62f544ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7a8a17944fdb53f1b17a2c1eaf045f07

SHA1
97527114517aa401cc3cdb3f47640c57c64a5283

SHA256
65fc9e0946ea7a7be2a205d91d0947d2b4d7c300301893f9820664823d106892

SHA512
2886880ca2c98a596688a5541a0f8073f9ff238565729f97caf667352e62c4704dfbe2427e5fd0e9eadf6409cf18253a5236e7326f69c65a4af841d5d8c41b92

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
38a2373d16e3b4c28f4990d954706d96

SHA1
3450d5c90d809fde24b6e012d92ce1caadbbf7e4

SHA256
e6ed0013379e34b86a5601d5f72bfb894be3f258f5ed1549e3a8d6cad0a292e8

SHA512
93beabe6e57aaf89a300d11769de53632b41e335839bfb1bdb0708117ee7cbe0445f4a7752c843590cbb8067e57b5ce6f02dcff25b68b7ce1a21e644d8a3d0b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6037b4c382eb0cc178e44fa28ef0ff92

SHA1
86c8929c1c0bc6053304af839032026ee3814b8e

SHA256
5f0fae0e1df0178d6963ffb6fe3e7465f9affbcb411646b9157144edb69fe247

SHA512
4d5eca59e35490720f47458dbae2ce2142fddc17128b533f61cc41a00bae7dcd455e0ddb72b87b13dcff2c3fbd51f8b1346ffdd0b97bb17595439ca3379a105a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
87c022f0ea3c8d4f665fe258a7e849ff

SHA1
d64390b7a2431b4631a27f774709da264ccc6e9f

SHA256
4924dd065740ff1dc1ab834c53e1d6f9cef7604c0e0a11cfc30b19e93bad6c5b

SHA512
4d3fd4c41414e8dbdce36400fad0dbe4ec4a8a9ca1fe534838071940fde67d74bcc564b1cedd246da82df8752f17d5b3ec9f52685c2c864e75ddd1b37da5260e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
69e7a928dd81631c40216618e53e4cb9

SHA1
3c629cb1caf3f2570bcd3e3f7517544ceb05a084

SHA256
b4177938748188d097e5d0d51e1c4af7e4d2b32648cd02eb8eb6aad87431d2b3

SHA512
888b768b4eb20d86af4a3723e809e743d56cf7bbcf63cccc4498df5c4104d437df1a738e46b4c7c0da26b3d6c02b5085c606403c3f45be83f455eca8c7908f5e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
18fdbb190df80adad7a021a452699efe

SHA1
5878c24f78d3b2f4a99cbd1b640af4bfb62be471

SHA256
c608fdc2e9cdfafaa501c86b3b7b7ff1baf00a3f414c54c3492ee1869e13a3b4

SHA512
6fb9f835cc3537a6adc52fd99847d0a6eb4e306bef95575dd1170c0ce44b6a02002183449da81a430f6213c8dfc87f21f201baa0abefeb569024236cb8f16249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
d31d019358c58124821447aa08ab9549

SHA1
9a96ccd6a36976f9841baa4e7a31b1cf59a6407a

SHA256
fd765840f8cf914aeed2bf2724529db9d0abb011c7d539c6fe0b2b66028a6ded

SHA512
e33855336c84b514af955db7ba0e9883cade63508156804fe66f4119d060771e1d80997c5f235ec9b6eead0ba83641a5f707d04e97e34f9f6558a43ee75c2891

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
9cb67d21f510976ea416f735a9c4c635

SHA1
800011791ce5cdee1c760fe13537f285c303fba0

SHA256
7916d3973b69bf6b79f3368f31d08f594178262bf40954aed828276626b941ce

SHA512
d60c7dde5ee1748b3f29fff292a15232c324e7afd59a0458e6e3fb0b4cb3f60583b0da5ec593f30137fe6c7f0a7eb13e07985b65fd5c30109d5750cc37068e19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
860b14166bcb2da99652891efa91cf87

SHA1
d48bb5fae7c97d89a79ade41a9faa0438492b229

SHA256
2a39f9be39ad5919bdbfa3973603b13d6ea79f4f00cf29a24c3cce5f972a2905

SHA512
2f7816f4f44fa4459efe43bf172ece56fc14a50a43cfd24603e3dcb4587503d57eba24c55988ca211e38ee28474041c84a51ebe6d2cee6e512b62e85392e39fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
94f7a15d24035ef48542b4055e98b6b9

SHA1
d1c38ef92e6e8b9b3c96eb5348fc035b243a5bca

SHA256
c7c721f244bdd36c285e6f008fb2f050d7743d09f1a5af5adc8d2203d285eb05

SHA512
f970842b9b7270cb3bfb243f8270ead907e9dff7220707b16a681991acbfd18cbe409841895f9937e617c78345f0192c4ff683e164347760efdf5dd81d7aa3d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
7b8540a4dd1b38889e3966cb3648fd29

SHA1
4e202d3ab8740923061b5d8e067f082da46fe152

SHA256
e9fb89e9858ab9c80f35a2fe46f0614b06fbf99f7db5ef99bc22110c5557d5ba

SHA512
3660b9ad6ec02eb31dd9f7f24ce3506a24dbd78b6b76d01eee295c427e9ca5616e39465ea7e05b1a325d5c24d918424b58ba6edf2fe4fbf7a07d740f805d6b5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
85906299938e032ca38f8cb75391c49c

SHA1
071a70124c19ec31cf363aa5d2a411d6913b0f00

SHA256
eeeaad72e6cae5586ca07dd5acb334bbf2e8ed2e48fd845818afe5858f76671f

SHA512
c2c9f487882390072715c0c7c2f33af41c279190e7c6d8e628e4980a5f4f89d7b00e556ebd3d61638612ec2e1ab30e2806b156221906bd336e9d6634cd7cabee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
f7b6bbe62767900c036ced7a2e69276e

SHA1
0fe5177ef5577c419efa7be9ea0b14311456e655

SHA256
2d236e1913d8604a93ea1fc7d8dc11201dda05f7c54ed3574f72061cbf476ed1

SHA512
50a0ae1364f70f5e79be316db973c9903426326059291a7d1902e46d8e66a832408edc17ed07a84f4d290810e1c33990fb69aa868af31f17c0ed3ddc7dd093ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
5ef22365bf90299be19c152208a79da1

SHA1
d3450db3b09c45e5e53737d6971fdf277b6c8049

SHA256
b5ed56740a2140d3bc13b20bc503588e4c84d620e8afadf6ee791507d5b1e269

SHA512
9e96c4cf042ead3fa43d8592a77773f931121b8c4f2a5e4dbe5454c5e4fb3bca64b23a8f781b6282794f1bce192993daa475566aee65129feb9b127c43dba702

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
704e3092e062c914d13fd1a9dacca54e

SHA1
25e4c71467d6cadc5ac469ab807d80b7c50465b4

SHA256
1025a8a69134c3ecf4d68f30763f7e34ab2ee5da40f5665a6ca84038ffbf0154

SHA512
34835fcb5e844ef74126eabefed460c170bbe020102f789e0cd2aa18191887f7a414f137cb1a6351d386e421cd45708b694a547e58be78ce0040f8b25e2003a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
bde68405fef37662be1b00042f9eeeb3

SHA1
9bd6e58e0a5c73e469ec9d2319828f0bd35cc51c

SHA256
d5f522022c8ff509f499c7f71340e50fdc0c50931ce7ff31e1cd34daa079a2c6

SHA512
e1cabcc6ae22120832a872920cb7d05455cafb5423496407f43587752994de67ac0b1ab608361dcafcadffda01ddbd9d75c960f751abff44d437d61606e36695

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
a11b8a50ce1f399afd6867dc544e36b5

SHA1
d7fd16949bc1a4c74cbdea8c631b3a894a87dd23

SHA256
8f1cd239b3703ecbf85b9148400e3cfbd911a86396be3b46a7ce30822a97fc43

SHA512
12619ba602f375e475334590e1bf9c9669858d5182edcf273a7f35c8e63a58e823c760e4465b9b0754339d9183e29922fa1647914616cf2f3cb59b7a9b5e18e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
0824beb0e34a417527ecbdbca2fdbe24

SHA1
6701bd3fafb7d1a5a65813874e8919d7a1ec782f

SHA256
4ddf52e15d92e629b633d3c93844b7bb5feaf15d5b438956032f3135b2d9f1b3

SHA512
a58316c33b3762f509aad0eeb62b441ad66338681193dfd51163695bf65452301d8eae52ee10fb8185e90d951524c8fefae404d56c43662e70f388c47c6ca100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
9ca0df1a8d77d5bc24e895f78cffd2e1

SHA1
a4b3466440b94ad29483a3235f536bda73e36a01

SHA256
7e4acfc6959124145e7bb1ff6d9a3b3d4909d14eccd3d58525de0a7e8be92ba6

SHA512
47b26942d37fe114b886c7fa7b8ed3a41d9802ce09cc28f04d010f351306f78b9842462f12004fbb4ca78b479ddea422f12e41f861e148f00e8bd385ec89135b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
5ebb8322b0509257327eb05b242d432c

SHA1
b65791891a5f5d469e39499e8f5e063d7469f893

SHA256
6b77c84f9f34d9a786d04577da31bfb1143d07862fe3c1c316bf113d4b61e44c

SHA512
0ac020250f6146984a4e163df83d301f0c8c04c80d2863b55cddab3685cffa416f801f5211525dc00d311bd38fb2801853a7a13881d07914178859a80b240895

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
d818a8a16d53e2093ee32b5bea1e5213

SHA1
ac8fef2b37fc7358a29cae5cab5b0245c669fe17

SHA256
b5a4e1d0c7dc541453011ce87755587e3059d85c9ba1f9a32f39b1496267d1cd

SHA512
a808dd993f85fc6d8a20b0e39f09d7bb88d9f2c8787b59cd0c28affe9f7e5b6ba5aeec7b026589f74c0ab6e464987d8081e7adb71e49611b897182b2ebd502d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
822f1f39d824937f803b91cfc20fbc66

SHA1
71033f5ca4f6be812c44441f4ee96ab202b168b7

SHA256
0c0657f07268afae15ff082e28d5324c9aae00a555daf5d00ce4b9f9c772ad1c

SHA512
000c0bce15889b305a1f51b93d5a0f9080284f9b241dd213d657ed788de00b4cf278f63f57f2669464171f88626c655c8a67a099be9ffb21cac69a007deacc61

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
aa35cfe251f8eb23810b66b288053a45

SHA1
0c4fff2f28d59ecb1f5ed8e7ae6e45fbb4ccdfdf

SHA256
80bb17bc506a906fcb47901a9221aad04071fe188c11bf7c2aa5f73941975efc

SHA512
4f29decc990d1b20e24c85b02e524a1af027751cfc05036b3264eb6786f167f6eb38909a38b16a353fb5c17da6b4fb245f73739ae00f0afef4e01e29e54e3e97

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
b87fadb59a974afcf22db1beb64141a1

SHA1
32bc15edd0edaf32a22f2b29a8217dd645fa55d4

SHA256
7043f46b56026a0e844362a5b87b9d34a71b3aebaa587cdf364e4b0625536ccf

SHA512
f76562bf3777dbd5ea7905dfd01536e05ad138e4bf58e70e4d93cf9412bb62f145944edcb8f72bda53098f0c40eff48975c53f3be72f423c575fd0fde51c4658

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
e10b99de7a313e6278138552aaa9b293

SHA1
10a5dbdcd37988c6619b059f8dbc20e561532a1b

SHA256
4691bb23aab9d6840bdd0f170df492ddfcf84d37a4ce8bb110703f5a96399a3f

SHA512
a6c14bd71e3a67d15966a86ddc32b101ca3543230b18a7c717d31b22720eaa415fab26a33d0cff12bb86b926a2cb67de9367b7d2db00c0a3a4a1de07e4874fcd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ca1f454dc87fdb28db1b5b084cabe99b

SHA1
5cebdccb4675382acbcd587f8ef3b8409e90a433

SHA256
79dff27a757bf1cb16cc0a5765637f0376dec37862ceb9d1fb177efa4daab5a2

SHA512
e5c52be769ba856def3d1b76e9177185c1301cf008d9ab9908fecbd47dd6e4c9afcf86493080200c7de1e0839bffedeba22e03da52d8a2396717874b186b121b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
dc3d1999e9181f60f06710901350ffab

SHA1
7ce9c9d761dfee2c933094ed4b5402999c8b4db9

SHA256
f52298c57712005b2f8f14a2056430b9a7c25c8344b794e30760b617f54f1e4b

SHA512
e473bdf206288922549c611e47a1301b181ac81b230d9bbe827eb884e5eb56e7acafcf45c169528d369b76db89eb0c4ed1d9bc81dcb8023cdd6d34ae299eda7f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b473d4ae8a7622221b12fb584bfda215

SHA1
f49e5357d9a366f2fe8550c74216dc11b92ef8b2

SHA256
f33b87131c519c33a530c30662d9dba9daad2e1506ee95501bb792ef6affe2e2

SHA512
6fb8a9a0d2425ef28f0a4ca17426e5758c8d2fc9545771eba125f99f5f85b20254d3e26a70f79d558486df2b1bda8ff32b26a11413b15ad5fe92ab288b02a5a8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
e467ca3c3ae564737c6cebc27e9bdbbb

SHA1
630a04338bd50ab65ca7e2ddaca94745edccbef6

SHA256
7143ab7dff925f90079a407998fa94c5b2868dbd25ac829c37885491f0c96a99

SHA512
4a9a449f7bc124424207806daefba3466fc87b3005a11e1303b9b2a513fab7b948f1d46c173c1ebefbce2a03cd5b1bef5b13ff15e170563de3c54ed9cf658fe1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
d17290c8e089c313578df28c5a1fc137

SHA1
a4ecd2ed3a0a385e3dd4f902d67121f723bc1fee

SHA256
5249129b42d18ff5bcdfd331af6902a3d574825cc1a203c21abb556f52726396

SHA512
2dc3bea1262b22bb336fad834ec40a387c4f9df910f3e8200564a45dbb044b45671955504d730dd5c2cf79739508e41220986bb63f1029b16aed08fe9beaaa5e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4bf52b72a44c9eab09d08f857725206f

SHA1
527107bdaf67e20f49a01c66b92b9245e1487680

SHA256
79c0a14a08ebdeafda7653daf90cd365242acced93915ed72126df5cc2b2ff99

SHA512
e2706141a1fb83edb9b733f90e2b364d2fbaf9ae788ebaa89ae804b3ce3edb235cbab5b01ff0665333f69b272111f720325b19fbca99d7d3c07cb3e520fa6673

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4aa10b3182a1aec84c5dd2af51bcb2f3

SHA1
20d7ea85b6fbad35ed2ef2b646103597911036a7

SHA256
745203c3f0330da479fe50d34c0e72e255f69b04948b0a9cf4188291d7172d24

SHA512
9ad7a0de8cf4ec8c0253304fe28f773b6203fc558a14742daac2011465cdc35175b9d9a36c42109334ad01f2bf9ee208878b3a3621f4fbee147724a941a9c8c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
77be98579072871a81b8e401b693f02a

SHA1
c8ae8b1a3853e470e2f31b62860c749d3ae9869a

SHA256
890a1362bc0341bba07f238d34037619f30a8a2d0d218b0f416ae5e7a113c589

SHA512
01c6ce34888c624c6e84bbf5410a84635975735375ef33e75c00d71453c63d01e4686f36a96469a8c0b6aeb1b7f40c292b6056d65a674f9bc279ec6f0a003b86

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
eb1b82baf032c1281044f73a5c12f3c6

SHA1
5c097eb64ba83ef37c6e09d4678139cc084a2544

SHA256
1e0e6d3e6abf80b48cd14492b9b0f58e58e8e1c58b607846e8e660b5d523e50f

SHA512
7a6b28d87d7ec9f8cb8d341f225ab5d97120a650dc3154326e64a7996b03de31beaca0b3c5edc660842d9153336fda92c529dd86c4f47ca7eb9f6760eef887a2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
3bebefb05545dfc84b5c258ad3e17583

SHA1
9c46499b62a87a227f65d32adef2c3e14f9abfba

SHA256
7d06fc621d633509e587f8084b9abb560606edbd5876db9608d328eeac48511a

SHA512
91590f9df6a881d0000f247bb0ced5de20beee0d6ee2b8451257bede71de1ad91f76607e08e4ecda23e59c490921f86afeecaca3ee5ea3aec4ba43e585db3640

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2427b4941a38bb2e2a75bf6719099007

SHA1
0ef36eda9ae14e2a6cd6aa825a93ea04a6d3b007

SHA256
a929e3d317a68e9e943309259d6d07979671957a11cca55ab2cab78ea2d69de7

SHA512
4755ca949a71f4e64a4a19bc5b66668a3885f4301694fc9d3b480379374d25088901520e07b54a283987680c32ae645f4719264b760fae5f6b69df7730b2bfa0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
609242a2c3269486b0c767c4dac6a124

SHA1
2c102a6bbb38dacd1e3b95e4a54032e7b36e873f

SHA256
4e66e57c7219e670afb7fa7c5310bf24497dcc4a12fcf22a9e43abe2f2973390

SHA512
bd825a427b3a0d6a939b8325ab9b57a5a4f24accafd49aa93192fcecabc7951d4c2f1b14082163da8a90408f1f2048d623389f5b334a0edce3ff4dd52bcdd726

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
e66d42a5d7e806364d17867186b1ba6c

SHA1
8205c8b107f0ed92129f3058c40cf9c8a8d42ec8

SHA256
fe86b738567bf8e830794118eb4f319e86261035be7a101a983f46eaedd0562d

SHA512
f342de8761b9cc778fad593ed78cc43a66545adb2adb67f340b640fbc95b5d8fb26e1ea9a7dd6464e7ec7bdd35f5259970325a0d01e49fa4c96290b7ef2a8471

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
81aedb3231eec3570010b664b9b72e91

SHA1
3ddd38c2e5a0e42ff5bdb3e9d134120ba742e4f1

SHA256
7dede0bd6b75bc9e402243529dd76a8288d5a056172464a8e9dfbf2412522c7c

SHA512
51b5a18fb8aad62f23c3eed9a02f3f5f47cadf53bc240675367f4eef9baf8932ed7f8ae4e3bfce0883a12d00b58ed56e106846287fa4ceb9207fcd24f2791936

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
50e0d64ef53878dd1e84980150576a17

SHA1
638936e262a2ad33e04f63a760ba786249dda516

SHA256
f4d54ea380d472833372a08ab9dc67668acc446a5bf30e6801b6b2c7f1da7da6

SHA512
bc52d9a4a66d5eb134785b14a292a947aefb83acb67bbfb285554283bde77066cc1e2ab10f42a5a6e9e6f444ac4b6841ef6d628da80e4e12cad74a5c7ea39d99

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d72a39ef69721c0d78b2385f9a80a371

SHA1
f387e0e9db31c2344cce5f62a57cc1b96f271712

SHA256
9e92d22693c542925cbc869bc33819193463aae41501539b5cb4c4ab447ff2fd

SHA512
deab136127b4f5dda77b835f4e71ce4b372deba08480197bba0a172b1b9fff061fa4f70b4365a76418fb2775c7cda52ad4d44d2db6eaf5c2d3d31e92ef59730d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ea978c15403cd1f977cd710e5bf21c9d

SHA1
a6947103c69a65e25c9a13f48141ff0ac3716950

SHA256
adfb48597defd365e6094a23daaf0c60e6c73670c2ed726eff8674427c6789fd

SHA512
8d49f3a72c933b9d826b8d880f8b1a1c0d25f6092b60674dccbf10c20a38df43f6cbc0b5b8c7a27b11cc964d510566548ed0cb39366b7da4ff90b287401051d2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3b6423c1ab7a646f80c05a1ab6dff0b7

SHA1
bc2609557fcc980b5229c6b120263a7d39ac5bb9

SHA256
bfdf0d4864ea976a99c1561eb029e0ab35bc15dfecd7c85eaa07bf0268d09fa7

SHA512
275e5c9c0966cca1e499061adc2bd74efd69552923b4611ca2efd81bb02f14851b0582b7a1ba7d652803238eedef0279ee350b683956759306ff5a34b30f5021

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
88365950fdff4dfd6629532052b44f92

SHA1
cd42ec924b32acaf3ba6b24dce2fb1bfb163c8db

SHA256
fa6dfa486cd32be6438aadf593f9686788a8e462d461e76bc32e15c5c953dade

SHA512
8055f34fa4adc1426a244dd718c12008022bcb0f7ed8209d5f2179170fef5dd0b402a250a4342166c82ae8c55a8379a8f1d3765534f7fa9259e6e0ab5b0e689a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
631c2a3ef95eebc0ff9225e5d96c06d6

SHA1
13b4bd116e5720200e60a016553a1ce0b295d90e

SHA256
1b08b627a44eae59f6c0e26a024bfba51028d086b3976c6637a130c7a3ba4d67

SHA512
a18266771aa5e94109b3ec30f13a2d5a1657369e45fa9487be8558f6caeebbec8a10e74cc5d2451b82da3b7098230e3c24e178b6f10a4d662fdffbdb6de725f7

Download Submit
memory/224-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/224-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/232-38-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/232-32-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/232-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/232-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/436-118-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/436-276-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/836-149-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/836-70-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/1400-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1400-441-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1624-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1624-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1624-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1624-96-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1736-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1736-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1736-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1736-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2440-83-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2440-154-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2440-77-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2440-85-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2532-66-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2532-68-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2532-61-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2532-63-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2532-55-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/2540-111-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2540-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2924-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2924-442-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3688-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3688-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4068-112-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4276-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4276-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4352-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4352-424-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4488-166-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4488-443-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4588-105-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/4588-100-0x00000000007D0000-0x0000000000837000-memory.dmp

Filesize
412KB

Download
memory/4588-107-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4588-162-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4776-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4776-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4796-158-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4796-94-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4796-88-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4796-97-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4836-361-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4836-135-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4892-346-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4892-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-147-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/4916-375-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/5020-25-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/5020-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5020-16-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download