ed030474063ef352c95a6fefdd2de0a26e4c307ee3ef7e24604db39cf437a018

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Size

1.3MB
MD5

388396a901de8b6138f7f57db70b0b3a
SHA1

f0e50aeec76fe82db95ddf73eeec8944dc7ac67d
SHA256

ed030474063ef352c95a6fefdd2de0a26e4c307ee3ef7e24604db39cf437a018
SHA512

391c467fa4cd5edb682a1a23d367bd3c2c5e9ad3586a04b4c1a30eb898761e03003f0e1bb334e249d38eeeb1159f219b35c754f09ec1261e26f09f3f99e4a495
SSDEEP

12288:CtOw6BaLASUDvpg6iuLmt42bL7ZYjk2Daa8EHCL26mcrniAxPPetUJEkdp/a:86BaLUDvpg6AtlbniXHhHwp7Dp/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3312	alg.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
3936	fxssvc.exe
3680	elevation_service.exe
5116	elevation_service.exe
4232	maintenanceservice.exe
1916	msdtc.exe
1096	OSE.EXE
1164	PerceptionSimulationService.exe
3500	perfhost.exe
1820	locator.exe
2172	SensorDataService.exe
1600	snmptrap.exe
4580	spectrum.exe
4040	ssh-agent.exe
2100	TieringEngineService.exe
912	AgentService.exe
3216	vds.exe
2204	vssvc.exe
4508	wbengine.exe
3076	WmiApSrv.exe
3052	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\605776edc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085f6da1497aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f54dd51597aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009d3761497aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d39da51597aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030b1121497aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c292161597aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f02e31397aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009201891597aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce4f971597aeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
1328	DiagnosticsHub.StandardCollector.Service.exe
1328	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Token: SeAuditPrivilege	3936	fxssvc.exe
Token: SeRestorePrivilege	2100	TieringEngineService.exe
Token: SeManageVolumePrivilege	2100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	912	AgentService.exe
Token: SeBackupPrivilege	2204	vssvc.exe
Token: SeRestorePrivilege	2204	vssvc.exe
Token: SeAuditPrivilege	2204	vssvc.exe
Token: SeBackupPrivilege	4508	wbengine.exe
Token: SeRestorePrivilege	4508	wbengine.exe
Token: SeSecurityPrivilege	4508	wbengine.exe
Token: 33	3052	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3052	SearchIndexer.exe
Token: SeDebugPrivilege	3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Token: SeDebugPrivilege	3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Token: SeDebugPrivilege	3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Token: SeDebugPrivilege	3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Token: SeDebugPrivilege	3160	2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
Token: SeDebugPrivilege	1328	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4404	3052	SearchIndexer.exe	110
PID 3052 wrote to memory of 4404	3052	SearchIndexer.exe	110
PID 3052 wrote to memory of 3136	3052	SearchIndexer.exe	111
PID 3052 wrote to memory of 3136	3052	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_388396a901de8b6138f7f57db70b0b3a_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1916

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4580

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2516

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dcd6dc625f09f2ff837e43dbe5adba62

SHA1
511289ca2ac3cc73de2a91d91644660869c53b9e

SHA256
cb1fbe5778583a14bcd83d2ba6bd84b52b13da28032673def1a21503d068f9cb

SHA512
77bd0306153731bc1323a50e3862d36a4ca23091217d232cd081a00f9b5e949ee0ed0330575217463f93ef20d7ecaed8f95aef19719a8b05240bb89238f682e2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8b4ea7098fc0a1a25b8afa53570e75d8

SHA1
ead8108e9ec84721f5c0ce6dd7ddaf42d7fc9b3f

SHA256
3312b3e35fe372944d795c68bf60d49d6917df98188e5fd3a678665ba4f37fb3

SHA512
1471bcd83788bbde9e29e523d836acb31cf0d4990756d8d11c888ea23141eb8bdba43fd8ce1b0f6edc220d1368eb4faf599758301142f6637346c6b5d411c1ea

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e90e551aaba5bb128c5bab642c2ae0c5

SHA1
a477de3e82cac1a7fb571f90e07c3fc231064567

SHA256
15a7219e70522182ac50b2593abc4486727479c555ea27e4c46d577f6738c02a

SHA512
2b358fa0127985c894be1a7268a97c12095da32144548bc3823ae7588cd8a7ec124a6412d5c5d2df2163a2b3ce56587a5067b30b8f1639ec04aae5fbfc9dee7e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
302f30fa7e1453c1aa0f90b63386d56f

SHA1
f842f57b03add832efa227f76b0604e95b58441c

SHA256
e23c92c2e63a1ba5ea8bc8baaa1d3383eb25b48b5b4012c9069c7225b8af07da

SHA512
c1eaeacec2a37d079debc1e404e7c357029c6d26ff8feb1bd53b58f94c4f70bb78bc88b05c58c7b706ba6e2398da76c9aa70626eccca9d95063768949a2192ba

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7bfea03ecdd810bb61d80ce634126342

SHA1
a61575b152ec5bde16ccddf209468e0e01f89830

SHA256
f27ef8fd2047c303d20ef7047fabfdb893a56b4d09c7d8808f9018781896290a

SHA512
c7d9263a8b2ceee83352b0486e7bbf663e470c42b3432cc9d4b0bf0f56ddd86b38fedd7128c59a0781c74ddc83de6cdeafeee48b00a35ffba5a08a5ee4a823f9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5e68239eaacd226529d0a5245622a12c

SHA1
b5ecccd180e592640e8c267aa9284e0564d6d9c6

SHA256
039714b889e825f27f5d52138847228ec4eca565b4f67728409fdd3a3c6e738e

SHA512
879d62a25e16359ef3532ebd99ff9056346ece452845f72a7b0cab1b80fb2637e73e6dbccdf114cbd8d0c5c6902bf6902007cf2f6fc119688643dff1335e020e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c302eb819ea2cdbe92692e8990468a26

SHA1
5477f510e6b2398131d2caf0ea6a775127a05a2b

SHA256
6e80ec06dc2811f1512e38e38bf7607808be9db2a9f8bd05f9efe6b71f8f8cec

SHA512
1b9f2749e1bf5f570782ff0efba5484a9f6d3bee7b553f7c45010bfc905a12ad1b9c9efb437003eec55eed806f62af9a7324ac5d0472d27e37b21e8edcde056e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
aacb7096b5be7fe145386d00d50267f3

SHA1
b0c6bf59e8109a64f95cb3390c59f9a23cd46439

SHA256
d627894eaca3db5e74c2fbd3e566e249c515dcc355e059213721f6d827f96bba

SHA512
cea4519ea6baaa1d18e4a6ae0bc2e7ce365cdeadabe501a832a1963d1d07ae1a20241f0af4aa6a2dc71f5ce64cb54f736fffa3cd7388d91ddfb97c4eb1c750f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3c64377d20f58ff79f1ea6f2c66aa7be

SHA1
6720199fd07d7f7c2f8637c454653630f6e56326

SHA256
46c66eb36d105c1fc184ceb8604d90b42c9478f1803171c3d8a3b2d8417a963e

SHA512
b7774ccbcf81fab6765bed9fadf4db1cb324e534b90e73f8003802ef3d012e7bc8f94f75fab89e580a38bb6eeeb396e5f6c7a87f77ed843972aeaba0cfbad91c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4d768e82456f14eb3aecbf5e9602c1de

SHA1
933235a644ae138bf9b8f224b277c1462a876da5

SHA256
a65a4814a6d9326421bea167749601a0aeafe65f8f2fa61b82cff919711c986d

SHA512
5058c200ccd6b118aa49b83772eef2a547ef72d889eef4f80174ff3aee92fabe9d3a4c89fefa5b4ecbb0d7ddb462a85dedc14947fa6aca4888be965f4a665f94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b53cfd5d4b86c610b149c2cfb42cc214

SHA1
9f33a2b5534fab10aabbf7a6e468e0f94c2ce8fb

SHA256
985e05cb816bfa4afa06be2ed4d2e6bd44e9eef3ef320aee34abd7e9e99f651a

SHA512
4e82be1ec0267eccb3d8e3d50d0a1404cafa02bb4ec751600ad1e414e7163a08456731d61c307e7a80d0bb38bd29254f0f602eb6ab4dce8340ad16c63c3b01d4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4852aea3905f684a72760e1751f4f6ae

SHA1
1df5a56ad2c0ba7e7b81d7e8498d523e9d77a1a6

SHA256
4955f665a009e85ff017b38f44a36a2720cadeffca69dcc711775941e3645a58

SHA512
be2d5b4c7f748682ebdc35e69cf2b525ba15b5222fefda550d7089bfdbaf18e8179e2d1efb1204c0b6bb057cec1ccbc9e6ffc55427c096cc840f69c60d37ea5c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
9ec5e48203a0cfd2afa0c3030b682070

SHA1
020b3a87be863aeb253a5ce53122becd05268742

SHA256
823244c175a78829c9ec65a5ef71c17c6851b014cfa1c6096662060e3b75a6f3

SHA512
8bc69251ceb27be1752065d6b07143b1c62dc357dbb340f3a2da0ee21f49a9c01e42013294ef788d0dd1f2426613993c60618f484319a1fae5e2b57c6f33a2a9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a38ec81e08d0c23f26ca25bb03c25b12

SHA1
961402c358c89405de1e14db3f758f44af381837

SHA256
360f4b41f7785546016ef23074a1821ffd8ddccdc7df06c309fa216e0ef8587b

SHA512
5cc6ca042100cdc0595103546dffa8702653cd20514730215ca1150837d4a5aeb51add302cff42968aaf23ee6d46a55342b5f52f99f1ab08ef3932fc2136c44b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b8851c901587334270a0c115735f38f1

SHA1
dae36c086320a6fc137e90fcb86a19c161cf149b

SHA256
72e8deea0b7b86165bcf5a957e7c6305f7c2cdf42dcd6317167de4473f9db282

SHA512
726ab7eee13c0fe98275b59e097fb1dd9d756ee1c91e77fc541b01489f3dffac9a6daf3f4714a446bd3a8f6008946f048d3edf6a0f865a86fd521b143daf9549

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9cb68998c376ad1b7a1ed2e52a07c831

SHA1
5496b6a1fe9e2ca43b6f3d3165ed8ee7fb58f20a

SHA256
6a5db5bfe2b0afeda5d7b4a55aa86fdb7feac0a292364ba031970b8aee6e5943

SHA512
508ba082d0066b3b17ad5254c54562fddcbb423fdc3c7f1697c391a56b9b7af45a14ff9e40ef80deef10b1241c4d5e20b6535d1988ad891de1cbe900bbe6655b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
796b6d8b5eed29424bf5bc7963d9073c

SHA1
d32a24e5631fa0841fea2ad093d0d74c4ac898e5

SHA256
5db3776d888017874e274c7a4deece5e22c2f6b71b23f616859e30f27474b89e

SHA512
de602c96d89d24ae48912012bc41c2287f76e423966ae5289ecbb1876dbb934991a459bdab2e75bf0b5f4854b279e1bb63f8dfa17076f61bea2bac9cfe2c0e3f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
74d063748139e230bfa684972d1608bb

SHA1
0ff10f562295c5b3a09ac28bdf6dea11cfe90883

SHA256
43f0758142beff8b62e31ea87106d160cd86a8017482deae6207f64e8b2d1517

SHA512
70946a383d31e4df2f49d1864ebb624e2758ce45227c2f3f12caa488dfb29e482abeaa40ee781c4addb969db6884198a4cd5bdb897add6cca519ca93a267dfc0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
41882ec9ae7990e85a1210d2962ddfaa

SHA1
2bdb9c1fc679e6c8aa3caa8e0bb4b4dff73e1dd8

SHA256
dc88df23e5b82b2a1a0104710914fda3d72d4c7239a29f1c51ca29c11037a1b1

SHA512
a63b9773d6b8f72c5dc8a54eb5dce76d78b5b6cec4a9abb9bf98aec69cb10dec7033b45e3d3b0022e8c40c01de5a726e645e64a9aa15405b2bcc4d11f104f3f5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d87558abd5d455a7e1906a3406028b8c

SHA1
fda1b37b6d9790b4ab0739115704625452e9088c

SHA256
dbc9c571e4a9b524fb434a0f8eb817a992cf67eaae3583f7379bcc578a790ecc

SHA512
f49af3d76e82f17452533bb795590a592bee0303dbdcc4df41867374411bf8c232118a2a83834ed51b206ed498e3ff866db3487caa9533700fc721090ec20092

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
77af42e814a1e5062daecc86b91c25ec

SHA1
b8423c327cde3f90211789d260a03ff3cd7ab05a

SHA256
214dd5bdc111f8f4f2b14faf61509cc7b23413d9746c45b38dbcc8f31c53d3a1

SHA512
eaba732b707b09a863cb65790a130791ec52a30ef495aafab4215dfbe76f366a8ac97b9d086db0d3918dbedb0da6a5868ce5ccc89cd06c9a490205e32ec3bbd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a9395a48dafb7c6d5da6886584c34266

SHA1
f93f9703cff88e2b944c68b1bb09f4cd406ebb48

SHA256
85ca14c05c784d4f43b59d4db067286356e5c8c84365fd9a42667457d425d77c

SHA512
8684ee85f612ed360a82be85984040bc1ddd119a33ff137888222f9a5702bc0b0baa40f2b3faed96d7d387f25c4e135b995427cc770801929489aee8bc217801

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f460988c29fbca0de50a0b5dd1fbb967

SHA1
a9ff2691bb94e93410e17314277aa54367fc03da

SHA256
c7daffa862d7a11a1385d8b0db1579a3e3b7f9bd3f1a4b3a1245b0c7e3a44a1d

SHA512
9cf36b34ea7fbfba360b98b5b27bf7b6606a6494c7c5aaba11f7ef2048eb68ced43fa51f105db1f92dca2c86cb9553c8a83436bf6523f72c458079b493195f8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
a9ace7d58e96c72c3ab837340ec20c6c

SHA1
5171fd2aae7e537240a90c3fb88e17e7a3261d29

SHA256
3d9a59378fd9e97e3177158de84cdd7053c8e9fabadc85d09e892d2d94fc75eb

SHA512
a5906e01b2b4e93e874581b51d69cfcb7a902c5bb86fdbdcd07a09d5aa7729f03e760eae5f8fed1224ecf8fda5546b3f6ecc5ae86c2da5ec4ebc864d8ef821cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e965cc1a409369edc55b18d1de0c49a3

SHA1
80805eebba71d0e64521574ced514574f626cac9

SHA256
cc53506cd0c087b8b5b580845888d9f3c20ba1c4d2311b3e7a85c9749659ccac

SHA512
9f140d2be25d040e4080bd5d53950587ad3e69d0997a0d5950bf9430f406194987cba9bf8c23f0cbc348e99b10e302bdedcb136921c31d888508cd1c80a6ee40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
091c025711beac491f879b382b7b3d10

SHA1
a9f9fe2ed3e1018029efad405543bd71ac6126e8

SHA256
b5d7c39746a7d63336e5734853f4ffabf986719d0cdfc17151903d6f4c4c41aa

SHA512
6935d5c7acc8d17bbda1e14b54a164803111b9d0c54ae8f4f610106e8b49a1b33347819789da570eba8570c16e1757d1ccad39998edb9c25b045b0515e59a840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
797311af3de6db41e2699e587b4626b0

SHA1
92d6dd55af956f25d75f17c7657dbee9bedf4523

SHA256
3ea97becc2c1908044c5d3cd3a94ef820238119697ba3f2a5c4dc10821b5f7c6

SHA512
1824be9c3b75d47da2f8bec23f13872dfd6a8223049934eb7affae40f838a06c17fb062781f0d9b325f61650cc8464a5e75a3f46c866eac7819336d187bc2995

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
8db6a79247c2535be1699eb3239fc712

SHA1
f5889eca20543f5bcc81d48bb741a4c8c0492f44

SHA256
d9e60f2c903735d1b4b91c4f63d3dc653f5f444cbe74d56592967fdcb59e2e4f

SHA512
5714ba82155b3cc323731051bec7cc4d5fcb12634dff6f53cac331d73fd15325fed1fcdd8e6dd8c5a90a46ddf047bce58e4e08d230ff85c2973a29fccde61e02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6234415e342cab3a8e6b659099d23f8d

SHA1
6d500f04cad6b3f82860b548f4e5a03d67427246

SHA256
1e316aa8a08bdd4f2983fb7846274099ca18c1ecf48a9432b82a9f62391c8f4b

SHA512
5f961443ec205b749535b3f25e3e497aec3b66814496d71f6d853689d2bd677945301f03db1b9af14529c0d4621acadd476bef339be3cde28f4a31182dfe8269

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
22461b4ea14bb2bd10f61e340022952c

SHA1
ff7933aeaf1f61606f17fe8b22f75bda6c311190

SHA256
81679c98da3f5a9e5ba4343e2543575729264dbcf7a3f6a60db6921e97af4ba0

SHA512
3d2ba5c51850c9a25018f321b666efd16049927a0a49eb375ffb272961b292398b6336a78b15a0b1b4c057682ea8d6d60495ad194d1b4819063bac933047fcad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
57be2d8ea5eca94fb55926be75148f26

SHA1
cf2843ba2515345c92460ac88de62cdc7bdd0537

SHA256
a3de88bc972daa786b2e0d7464ebbc5eb42d56758d7f977cc995491b543985cb

SHA512
37f3ccf9c05854d7aab81150c7c455115975b811f0a0ccaa55911e85414ae97bf13f2a8a5f727ee6abbcaab8c47e488abf254664ff41f5182f4a1a802ad2ad15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8d809bf4069846b95f76ad840dab2c12

SHA1
2319afc31002096db3ba832e02df59f886f251cd

SHA256
6fff77f7567c4b3a66975b536bf3c71abb1aecfa2e3ad3fd98c5a7d5e6f17f93

SHA512
017dfed5cb77c4d42833b2c1739ab1cbb6a58635119c073f263dc35149d536efaf53e0beafb017eb5e725cae1cc7ee708519dc49987a83d824d545c156e38020

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
745689ff24f99f2b676be223d9f8154c

SHA1
e51aef17e01043548efa9af2f55e43f9d16c8cd4

SHA256
a62954f70f2c2afd969e82ab61273feaa7c4660d7a0ed47a132bf652cfe742ce

SHA512
d7f7dde063cf6e54e92e763e915c249390ba2623ac0d0cc381a66326802f3c60864a6761926e1b0d81a90eb91d52edc0b5357c19bbc5873c14b0a72c6ac60d51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
be48b6b1835b4f3e7493811c1b4daf12

SHA1
ed843151805f63262d4b558a3f0e00d696105b44

SHA256
6de5e1591dfce9b6f462d246529db3d85dbbb77b8a6197047624d7128046980e

SHA512
102c5915ff5c666e214f2eada17c1dbe7f26b5a2dec65214ba53c5cbd27a9a8b15873799364ae9eaea03f6c206fd9f4a4dcdee603b026f2c42da530a78d99526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
afd312c82951ebb2fac3cf02a7578109

SHA1
93c29381efae801702cd60a2da3888fdac45d810

SHA256
e763471ef208f5d96d441851486edea89317333228eaa87694641d73ef809b6b

SHA512
54d2c3f76f9b6c0634a76492b4e35e5a879a1c2a7f279e8587e0646f212dc6123dd6c71434dbd76fe42b9abc2c55c7a58163b98bc30590c9a749f45d449c194c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1b76d1a5945e66532167fe168659e238

SHA1
e1653c541828cfcfe4e5da0d50ff4699042baf41

SHA256
7f6cc6ffb28c745724bd1e888f3ea57c6ed4247e71cd43453801efe8dee3a5ba

SHA512
b1ff304bcf1ae2ac098a601c6a70433f5b12e9ad99558ef9ebc6d4b12afdb4ad5b2a66435d122498a71a4a76167c277a0adea01615ff6d31da51648e57bdfaf3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
058679ee6f6eae66ae6deccfa27e347a

SHA1
532c0249b740ba4794406b04178bbd05dbef1301

SHA256
df8bfd99ceffc9946ec4a794dc2e8777e67ac2f7a1ca34d3253392c7799b3f34

SHA512
2e6767c0fa9fc27e16c9de79f1d3ca6c29f017a96a29515e1300c28fabc426b7d262d2a6692813ca5da1f80064b4f1ec3229ddd1b477eb99dae4ec3a5a80f331

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a687716457fd888ca182eb9d8dba887e

SHA1
eca20e77991790b20c17e68df549521d205508a3

SHA256
a6534039bf16f4d305b1f8fa79bd42ab85f3de186437b7186f80b3eabc306f8a

SHA512
721f71489c2645608ec6d126e7be04ae693e7690490991843e33f5182aacc39ef7b97e3d2f6cecd38b7e088546f47ea012dab1f3f0f131fd76d8f68ed3d7b6d9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
876e1e2757deb472a9c16251be026d1b

SHA1
487c11d3074160fa4f2a1c3c89146150c6b6d8c7

SHA256
0c3cc3c5e0b990a600187c54b624a50446be84d88c87696046102fc85dc2c3ae

SHA512
e0a12a3e7066f708fcd7ace0aa08e54bc84c91c2e793b5448205a94014df873c7afbd948dd861ebc6b426fe05e1a5dc297915806d0a048ae0a75b47f44a5d5a2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8a1b57ea8b67d1087a64ea16c4b6752b

SHA1
bc952d8bcc2594b983974f7c192c85e5ba34377f

SHA256
bdffd93650e018c870dbd9d552e9900ee179ca9968fc946f64a025d30fe88f6d

SHA512
30516338a26e13fb4d9a1cee66beb0f6ecceca0a392f06cf9aea282bc1a873af6527f59d074295346a06679106b46e7af39dc92dfcc05516efc379d3662720c1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2212ae19ef895d3b0eadee1c3fdabf40

SHA1
60d15869d7a194ed7ba7abbc1186e4546fda53ed

SHA256
457d06f4f899c3da75224f141e68f4c047cc6198cf41247693b896df0a08a9f2

SHA512
c110b05c545745842da15747f00fd7f98e8c0945110ea845d505a53203a29ad7ea7e21c8cfd172e33fef7fdecfd5f7f5ec8025c1081c3e09ee4aa9613b747784

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b72dbbb6bf7006da7e4305281dfcde0a

SHA1
af0dfc63a65797a53920ff4693ef063153ceb383

SHA256
536fcd7b0313e8453e5a553356dcb63db4754e100eb8ad35667aa7f178f98de8

SHA512
7f4da33c5b1ab970fcdea6abdc3cd1f214c4d93356a381891c4dba51751b0a90918fba1b3e4436152cc1c99c26a598d0df585ae264f6f551d15075a123ac728f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1117c9f61fb460e1f19df3589bdd3d9d

SHA1
bcc1c4252509426f0d8f783ea469939cf3a3fc5e

SHA256
2450e2f73d07788b48bbcfe7e15debe28c94b729848b108a36576d61aee8cbf2

SHA512
e36ee7b2313af636ac0816a3591ea64a2134017bdff73e80e1ef7060edbfcc830667e93273136ab6fd4bd08af1d0bc4aa5e7fece9fa91dcd77ac023d223fccd9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
79c28ec10c06ae0a765a550fba5a8b2a

SHA1
3d13f77250d6c81803992bd5dd7aeec5aea0a351

SHA256
a03c992436302ee7d7b1e17ec7edc008836580cec7ed11611c986e1b89cc6d38

SHA512
4f2067845887b765e0af58792a334db2a26c6bea7c698e43e496d925676681747dd4eb1c4e3a9920f7e0f969bb3859a2cfbe930d7d6689b28b5d1962018617d9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
c63aa3f4206d68d0c31d814cef24c35f

SHA1
da1d47617cf68c7ceaeecd519375c64a88463d25

SHA256
591907890353c33dbda8b088cc71dee00e6f566e6ff36b3717869acd4fb2933c

SHA512
7494b0a260db0a8d9ec10eb82633ad144047bfb5dd49c9db1ebfd844c35762060f3caf6ed78334ddca805d7c4b8da058bac51ed9e7a34a14d4c45f2c80d28063

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4f4c2ca5672cf73db906a7095c1244ea

SHA1
dca4dd0d64f6761eeaf52d5b5be68e6ea15ffdd6

SHA256
5f241dcbd3b473eb0edfe443b904ffbbaccc0c2f784487880c285a99a3887961

SHA512
94d483840e9f092015a895ac84189f01f6522575d5315105d879d65ea71943c57c2bbad23097a926cce7830b28ce82169c62c80f352e35286a49f95ac07bb078

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
35aa084a5c4698d14061e8ce8495ad04

SHA1
384ced7c509a263b6c3452e51c393420b59112b9

SHA256
d53f37b496d6e752eba13dfcd6a96ba809aae3416f67802134083877358aa1f2

SHA512
8e9fe6f134d03459f273ca089dc6cdc6bbd66bec251811de40d52ea46d590945c1b05ed447cf154c40a0371ea38af838007a16002bd8da5bd8c7c10ab19c9c8f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee499d81472287514e5619dea0207494

SHA1
1b473be178e7fe5775c9c2bfeadeac4c9f60424e

SHA256
2e4ae5f8b3abc95933ea9545d21476275a15186424897266e03bd2ce41949e45

SHA512
9e6c0d3f116f41529a327a9334d01da689093bcbec62be43513f31ea0fb60e04acc1ab290898a66e02e29dbd182d1e2530882bd45be3695ab1f6dc955c280048

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5571645264608c5c03239b33fcdbc8f1

SHA1
96945e53eda8d00cec69b20b0bfd9532220bf50f

SHA256
ebfc04e85463711f9ca15f6bb2e57b5eed4eac0f72bab9720c730e5af48c6bc4

SHA512
63e30dfeb2f308a5306e41ecdccc6a4baacc8ea6d23f9ff22f95ada2101b693b83d344afc54dd788fc36d04b9873d0a7638292fcb66ecdbc6eff5d6b415d3d80

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dfa5fee74eeae650d0ab0ad4ceae4dfe

SHA1
4dbaed4d0eed3f241da4e501fa1ed0e379a5faf0

SHA256
2a9e84c18f5d941db804a3ad97a0de4a268cacbd747aaaa15053b8ca885281c7

SHA512
854385239faf17556ba7f9e5728da8dc1e71d3271b33a4cf03cafe6e9bfc7525ce75d5b15369d33f86e7cd08ebdaa231379063f8b7fef3ddb9db4943aad9a7c0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1139e53c3cd39a9080fad8bb2ad034a7

SHA1
cc233538a206eb1ce437f32d936945d9fe0464cd

SHA256
4a36fada7a55cb3bd2e7f98d7c5585f5080862ee75a08d52b738c66293278750

SHA512
bb675dc29667aa9485f9f8bf29266bcc33ce5aef9587dc13f788d011d3aca6a08e632b8ae7dc50e105a4e3686ad939190ceff06b745467fe7ed91bfbea029677

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
c19d82f3fc7fe23e18a9b9f967b74ece

SHA1
0d3d00f4106cc8b91efc7abb70c7f8f9b9609602

SHA256
2afbebf60a5d2c4585cfc93bfe0838abcbda26399065377540b535325e27d6e5

SHA512
fa4f096900be35481cccd008a7a363a6387b930b50b4b96f06521b89e111bcb4c375e4c1ed8b9c88abf09bfd6724529e66eca51326827b9f311c2f63d037eea9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d1e1034ec2932cb7da25511dac92f7e1

SHA1
5043d64ff49003a66c07816009e826d6509879da

SHA256
0dba00507b97a29e48632f9cff50489372243faf283f9684ab73588147ad7738

SHA512
f8b3c95bb71b281ed7cddd55c9d07f058285c2f96510f98258fd6cd56db2ca136b14db7785ff7c9e630e6f09525f44c34ac9e0d15a2665ce6c68dd45dfb0771e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4847ab4d6c4fb345c7ab7a7046dd0001

SHA1
ab8b63cce8258b238bf58eac9898fbdb7e8e87c2

SHA256
217f1d69418cda43806bebd2a91fb54f84632e393b5752f35d3c288cba7f1b13

SHA512
d4140241c1c495d86692b9778f939a8a0efa027b3ad29c0a3e33f19605398e047920ae80a3087de8541234fc34d2e1eaa599ecbfe75de8035da01afa4de61774

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
857367fc0e7fc2bbb1352c4832a68346

SHA1
e71b236d6497b84c3f141287a169e22f8fde77e3

SHA256
bbcfbb844d6cd7b18e6307f49683727d85687bf6e936dcf899f5053e077d88e0

SHA512
a850c7f476ebfb99927b9d392df6d1c9a7816f92287e25a0544c4eb8a1bdcb1a6e8dc2eaacc212fc711d64f40baf6b4e40c414bdcb3cb1836836d1ffb5286cd1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dd584bfb63671e6318a3769d1a5dc978

SHA1
d8cb0216e850baf92b5936b3ef693a95312f60ba

SHA256
094c4840e7f357e15fb838f47eabe101996f4d292c3bdc6e1bb09cd9c96349e0

SHA512
785a85adfad55640b25622d3eff61ca115d2012c233dfa74d2edf3f74276f3625c56c0cd70547ebe943916ae75809c1c4326b7864d4249a3687ed336111662cf

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
16888229f41223b8a11a5c3ab3952693

SHA1
376da844cd5e3f1a2f16b3a6588c5a4cffb53768

SHA256
e67a7b15428901eb9a3a4452ed1e1a45b5087dad33810e381c4b071c8d58497a

SHA512
9805216409c1a517ab7f703d5abc0af40ad1d1bd9c4f24fb022f5e6bcb4059c114af7417142d6d28017df9685648c3792e49038a8c975144826a919728e78e92

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
eea5ac3c7e0a3f4b4c624f46e6cd0bc7

SHA1
99a55ba763e998702fc5a2e09ee644190d943bd0

SHA256
11bf4a57b8bd18281a6b7db0d78ce7c97608a97015e760bdf7f9a299428836e0

SHA512
b5a0956d499432156464f4604de6b5acca6bfe05a85cd14b02962f56ec5b954064eb0a05a61b8ca3fb94f80832655a95afaeb97f10df121cd7370ff51659b7e7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
dbb35bd3b97ecac5de3642be55e8421b

SHA1
fac72bac7fc7996dbd14b085f6912730a5549019

SHA256
3999ce409444108495e3331bbb14b62e73a6f27a865c1cf05e3459d77cbcde66

SHA512
f1a32951680e7e1423f7d1bc48673e18ec8f480b301e3ed6e2c5473358f4a6e0d2515f384df09c91f5149d18d326909480097a0547f3d56fffd42ea82386ebe5

Download Submit
memory/912-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1096-78-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1096-72-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1096-154-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1164-90-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1164-84-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1164-155-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1328-16-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1328-409-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1328-17-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1328-23-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1600-160-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1820-158-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1916-153-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2100-163-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2172-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2204-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3052-416-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3052-168-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3076-415-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3076-167-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3160-8-0x0000000000C40000-0x0000000000CA7000-memory.dmp

Filesize
412KB

Download
memory/3160-5-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/3160-0-0x0000000000C40000-0x0000000000CA7000-memory.dmp

Filesize
412KB

Download
memory/3160-299-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/3216-164-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3312-407-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3312-14-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3500-100-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/3500-157-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3500-95-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/3680-410-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3680-36-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3680-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3680-30-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3936-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3936-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4040-162-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4232-66-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4232-64-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4232-62-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4232-59-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4232-53-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4508-166-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-161-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5116-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5116-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5116-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5116-413-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download