9e9ab2625fe9f0c9824e0f2149daf4f6d077cbf53980f180d9fd3a8e520ba002

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 08:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Size

712KB
MD5

f053f13ca57e573b1466d56e3c8eeb8f
SHA1

558c07a0a20fcf7aaa6274029d06b8827934445a
SHA256

9e9ab2625fe9f0c9824e0f2149daf4f6d077cbf53980f180d9fd3a8e520ba002
SHA512

a6358df58475451a23fef7e10462738ad40e28634e6da072c0a0b8ae24adce6b808e6f6d2af988170a88c53a8925e3e1f461febe147c0bf76c3f3e19ca22e865
SSDEEP

12288:utOw6BanXI7vgbrWVQhTCYHvRktx/aICF9flefuKaO0VQ/:g6Bj743TvRk6NwG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4064	alg.exe
744	DiagnosticsHub.StandardCollector.Service.exe
4088	fxssvc.exe
936	elevation_service.exe
1840	elevation_service.exe
5080	maintenanceservice.exe
3104	msdtc.exe
2764	OSE.EXE
2700	PerceptionSimulationService.exe
3540	perfhost.exe
840	locator.exe
3136	SensorDataService.exe
1984	snmptrap.exe
4504	spectrum.exe
2716	ssh-agent.exe
2752	TieringEngineService.exe
1896	AgentService.exe
4208	vds.exe
452	vssvc.exe
3052	wbengine.exe
2284	WmiApSrv.exe
1384	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de274b64e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006758227a3b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005269f326a3b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000154ff26a3b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d3a0026a3b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3488c24a3b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000538e5425a3b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000227ed25a3b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
744	DiagnosticsHub.StandardCollector.Service.exe
744	DiagnosticsHub.StandardCollector.Service.exe
744	DiagnosticsHub.StandardCollector.Service.exe
744	DiagnosticsHub.StandardCollector.Service.exe
744	DiagnosticsHub.StandardCollector.Service.exe
744	DiagnosticsHub.StandardCollector.Service.exe
744	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Token: SeAuditPrivilege	4088	fxssvc.exe
Token: SeRestorePrivilege	2752	TieringEngineService.exe
Token: SeManageVolumePrivilege	2752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1896	AgentService.exe
Token: SeBackupPrivilege	452	vssvc.exe
Token: SeRestorePrivilege	452	vssvc.exe
Token: SeAuditPrivilege	452	vssvc.exe
Token: SeBackupPrivilege	3052	wbengine.exe
Token: SeRestorePrivilege	3052	wbengine.exe
Token: SeSecurityPrivilege	3052	wbengine.exe
Token: 33	1384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1384	SearchIndexer.exe
Token: SeDebugPrivilege	3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Token: SeDebugPrivilege	3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Token: SeDebugPrivilege	3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Token: SeDebugPrivilege	3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Token: SeDebugPrivilege	3428	2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
Token: SeDebugPrivilege	744	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2784	1384	SearchIndexer.exe	111
PID 1384 wrote to memory of 2784	1384	SearchIndexer.exe	111
PID 1384 wrote to memory of 4840	1384	SearchIndexer.exe	112
PID 1384 wrote to memory of 4840	1384	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_f053f13ca57e573b1466d56e3c8eeb8f_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2484

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:840

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3136

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3156

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
046528951812ffd0af5e45e0fb260850

SHA1
79f6df879a049f3faa53380816bc54443c2ea3d0

SHA256
c71536154664ed71b6db3567bd67ad1909114fdb38500c8db15fc07fe18b88b8

SHA512
d3df94e258f05dc78edf839b6b1ef45dea4a632adad0b5a8fca8fe35155c34454d533ba860aabaad63c3b6d1864c6e9985533fcd661391955c745c79a90876f1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f48237834df14bb6234efc24edcb24d1

SHA1
9f10b2ca6ba90ff77a88979830c5b7b24bc6bc68

SHA256
ad4637cb6d75b6566f3c917ccdb70ab98b13e2216ec7ce1288a9c2b88d3c80b3

SHA512
07f7afaa10c3227aaf3521bc0a21b10fcf09e8da9f0eb8d009f9e2923ba0363c6120d30f59ed3029ea20becac6e5c600d63042b4809cf3b2de7fc8ecff1ed022

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
75c95717ae81437504558f8a7d27319b

SHA1
a50c1a8f6c0269f8ba344b3da37008ccaa4d20df

SHA256
cb10876bf206bc14b770506a23e5f884fe130807cb5f8f2816136e70ff914bd9

SHA512
178b02610daad712ee46d00f89a1d852ca8dc64739d39671e6e5560aa01284ce21eec5ca796a78ce2638d467cb1b0d754e816f7dfa7fcc008e047d6dc60b993a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
db4ed381f4583a7313a380d1d115a1bc

SHA1
6c1cb2673f9b09561e3c0f456307d23529d797c3

SHA256
0b24d62978e1948a3cd3f3604794df8e847001686de4e8c58522b5909888fd9b

SHA512
4fe18f7f7ba99601e4db98cbfdce9ca3ab7a694f4ee2925123bf96ed795747de349f8980856c7d61997cba82ceb82a1c89accfb1abb9db8b0cabf41849d0ade2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bc27f0edd735a5ba213e2a911acf27fc

SHA1
b1e34eee425bd112655d9c733962a7f7c490c354

SHA256
4e9009c7fc14c5a2ad97adf680f0ceec6bc0ee0509d2016b7a839933daf40599

SHA512
f3004ad39afce0d1baa2a04e19a3de899021eaaa298db9ca74996c40ae812bff5d4f0a1e23d9db003d9ae91367fc21b38829d03c8c868185e07e8d7646b5c954

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7473416f4a36746cddce96c67a18157e

SHA1
79b727c4cd5f2149cc5372fd6469c78bfd7e876f

SHA256
00c18af27956d62e5b1fddccf8d6818860536d934abf94be375f769b39310d4a

SHA512
9759a59274ebe98e24c4553940cfb776effeb4c7d1cb305e0e4970e9bba0d29d09f6d62931e68d1a8e8f54576eee2ced179c1b924976d8d80ad2a9bc961b3011

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8109fce15af9764429bbbe3a4d15082b

SHA1
660df72f546ef313af4caa16b11ac3104a742a53

SHA256
44f62100baf11c873d37fbc05ccaaed46732011f275bf726f89e789da1f12988

SHA512
6dcb4d2ee80cdf3ece7b3af93bcd76131137489913091e0791f203d866ed892f88ec9c458937e677a46846f06136d20e641926ae04eeb31980982b34954bc8c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
542583f42704cc39a8860388fe15837c

SHA1
e4d74da2884d58270fed212748ca1aa1dad1b839

SHA256
00780d819891a11dd1688bfd2030d55f7fbde648c92fe4e5d97738152f7c4862

SHA512
2f4f882f3372ca35a52672fe45a9057a142e708403e1cd24e61164273f4acd76cc9b2227215f564ab0173feaa4ac22f6f21387ad03ec0bce8fd637299ed418be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8ec578b04f7fabb24e2469cd1ade5228

SHA1
330cd95cc9fa0362449ffbfb4d684a61e194f188

SHA256
a356ebfdd969fad59634129544b1c937b4b665a1410bc77abb5cdcea148158ed

SHA512
02d2001ec1c54b232c562628520de4cccdb7509586300151d3e65ce28246b80e141594793f2e70f167c670d2a7606237b9784d216353f83d30c495c14aa05418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8cca7599e53dcb7a487cd41b9bec1b63

SHA1
6e29cbcc56ffb0d7f1048c415bb0a0b72f074811

SHA256
976aa8b838a472c55a8478614f11b4e17ae2c588f938d53c4593e514f4a3c202

SHA512
993ce529b3e91da7a14d995fbff181b74f04098eee0a4c1bcf35e1719092cafd2d9f537d4e93a03bb9e047bc7e765df28a92c82bcb1ed6f142b31bc08a535b56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1336b94aed44eca9a342b87f79d77837

SHA1
87f822b0875ac50cf6588eaa45b8c14a122eed93

SHA256
2741665138ac843c5eaf125293b93988367b7f2ed40b8f639c3732e8b58788cd

SHA512
160d024371bee7087df03ce8116a01171dffb8257517da39abae5f05f12d62f478da89a37a2d173739c3b7a034fba95f165aae117887ecde504faf1c3e931685

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0ee446fab008f079f991f885d5703b20

SHA1
e3d8a92f2e6136fbae100d9664d2416bbf241cb2

SHA256
e6da369bf131ecf36dd882d5703944633061f4f62ee99d430b05958d2d33a9b2

SHA512
35a5a6170ecdcbd506e7c72a6ecde9c471b6f6cf62ba4c07467c1baf9ed5d0629474de5b3a39535b3d6ce31f7f79f1ff19d0e48e08fe9c31d0dd49a20ec6cd17

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c2da09c4be9876ee94a105314e930fc2

SHA1
d1aac361abe96c891e4be4f8a0af011c5eee1ce4

SHA256
b2c2ab9974ea9515ad8dddeb7512ed0e1e39929c5bd79ded8196b3f5758bf5c2

SHA512
1ae47f03b2cc753fb4dbebfe5d4ab95871247c5945bfe7dcd0f55a2f4d1211b4d5c23c4610ab32be66e9db7bb8b5d1405cb69167bd60300eb68f994edf4ec85f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
81f2fc49d17a480956e57450ebdbde2f

SHA1
496289c89bf7792d11f7bc231a13651df1d70147

SHA256
c0a4d9a063dd3d945bb2153207d34c18eb0b2b8310f64bc45560b6fc65592243

SHA512
cf903aad3a4ca44388eb5b29941ee7518aba0cbf599154f229b46fe5995ad09cc0a60c6e6ad578571b31462e686d078e5b735b513e41b111e13006169fbd280c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c0d23ea14462176331ea60758002a698

SHA1
9d60dabc3bae368ffcb9b5ded3dd879c515b831b

SHA256
ef1b1166da73e82438c3c03eeaf8f231b457428fbbb144ac30a63c09b561b096

SHA512
aa6e1735961745e2cb21cdb2e3d4683bca4f9d6208ba061df9fdf5734191fe5b1de7db5681057298143ab69eecf156ae2342795d75b7f5fd3f6c3340ddda40dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7123f7a7854948595a857f92bc7c362f

SHA1
6d146e1f4793acfa89b157279b602a336749956a

SHA256
ce98c147bf23d28a009e12b3fd7abb495f06c6132ba805df6e4f83fc1c2cd7f0

SHA512
b24fbb8ee7a052544d0f0736ee70606f86441cdbc8aa4da6cfcbba407b942dbf2b011b78d09f842296190c306efe652500879af5d7cc4ece899a721d743f970c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0bdb1ecd446f1dab767a797903e2fcf1

SHA1
43fddec0fa1a9cdcd7e919684dbfaebafc43f491

SHA256
67d0a055ea2b28216c794b73db547db2e91073081c5509ca351eb1b110f7522c

SHA512
88b03ba45b39bc771def3f597837d38b679beb24b9b17b724af0ca3dade01edb02a1fe950410c612b71a2f2d4f3e5d2048c2dea05e548122def24a2e086460fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
63a8266d06acb8699b5226332a1047ee

SHA1
7eae632d4889a2c68f101bc0362cd6a1213c50a3

SHA256
a270d974e8471c1a63e877af038b9ec161f8c8bc325e5e3ddab39c11942f5b09

SHA512
f43277fa8be8ae07c9c2faf0d23c5cbce4117f5f24bf931d03483d0f070703432bf5b39f36bfa455a3fe8ef26e9eb8e377a455acf137d4fc75b19f0e47b1dda5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9628d75aaa607809a1471bc2d92c4040

SHA1
4bf72bc39a68312e31ad6da9c9f4665add6ff0e4

SHA256
e44ba89a0ef10886e93bfe9163e6ea42fe36931e6d72b9fac9c4fe5caa389593

SHA512
8f95af29f5733ecb95c9df31134dfaeb0980e41ff0a2a4a6e8462bab4882241aa3c579d2f2e58deaa904b9957816664457ca4247f6e6bf3566c3281d365d5951

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
306ddc9d504e300af78faf74e7dba93a

SHA1
d28fd8b27b1ed55100647d16f31f0a57b3833012

SHA256
6d505fca2de956a6db635c4c693e726655cb65d0c7b1ed99b566b55e18808ebe

SHA512
ea5c9da1b1c7e0ccee36cc30853f2840e555aeab6271e18d619d25836919e1d9cd467708564032616634e41e3e761871ae5c8457adde999615d4d350e16e9751

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e10fe432c3a042287765b59fc8f3e59a

SHA1
4c676b0a0f0fd1031680a77dbc28422dedbc3ec9

SHA256
1e552ce721c0eb33a191aa9ad02bde417733757fa3056e52ab25320ed305c10e

SHA512
0c4b10bd4d2dd71d998bdf19095a97664b3aedd79860ca49c085059d175c8fe91a75b51cf631ff78870671721f5a02bc2c5337ee3da686395e5f3b9a2c73bf30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ec2d682d654986f10970f9ea256f0bfd

SHA1
94b187dd4d36583b0d2b8bc003596081aafdb740

SHA256
b9d654dd41fe239854ff8a62557d47d96d3c05c9903633060068ab1cfc3a9929

SHA512
4e08146e57e587ab084354223bc2aeede23786105645f6f70364c5b2052b7d328d2bfebeac14ffe48d2e604b78653dc38a2099047128da24b959fe235cd22e92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
73a9ee90dfe12b6ee74cd79112370530

SHA1
bd834aba3c3ea2e0212577c676a4f82eca45b0a5

SHA256
c0f8ccd3842eece48cdf18402bd08048b8d8688a08dccd022f642b4c96ff9cc2

SHA512
1f34c493b7641ea7cda835e3d617a4206cea766ef4fb44d6b4b9c15f77bce3a610fd825bbc3267d4884395b18284974ab2e803263d60ee80466132dfee1d7a03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
dcc577bbf74f7834e6eda41990f2d62d

SHA1
a7f700ad706e9ffd4518d218f67f7de021d91668

SHA256
b7a23cd77c658699522477fcc78f4ce57abf6a42c9a5717bd45cd3d44482b5fe

SHA512
90bb9f84941ef32065d559ff296bea61486033d53405c2ebed6f68fc8a2e9ef11925a8cb6bc641a42a8a728968538abaaf8cf735640b0bb3001824808a72e3e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
80707627428296c70eaf72cb91e40295

SHA1
98e2e737dd56eb9d0e7f9fb71878ef9315d92223

SHA256
6774930d503069069f005129b009b37a4fb031ea5d8b9a258933db2f8333b50a

SHA512
9fb0b0c3b311d286d50598af457bfa831794e53109ea12f6ba10d3f6e499fcba047dbf996bb670ac25cb906dc5a794cebd70381561fc2ff5d22511ca9af97fd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
770b3bcd512d154281417ec9094d3525

SHA1
a8ab4153f8d469d29a409256d039f71160d6327c

SHA256
17b953917056c6ed970833b26f4ec8ee85972fbc687c24ffe3907f44cadb8625

SHA512
21dbef2664621f255b638a36297a0be067e3b3280c4eb241771822567aee7c21898b5d7beb0b1710019084a474af6b29ee4437c9542385ab6a92947175a5b5be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
79b7c50dc73fb0245ba87d680a05b013

SHA1
3db8774589fa3bd010c79626e696e508d868c275

SHA256
03fa6792fef03b50581f831a487d8ea8bba94564d9349a3fc5397291a3617083

SHA512
a8d5b35bf25bad299da322ab3b4583ae180cb9b897d3243fe8165b1be49e85082f8b2c5bed8d5b22b5e22d69aa61808c7aab49f65953210a79a323415651b268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e31786accdba7e82146b5748147b5338

SHA1
4dca2a69ff192b5acd0828031ef28620186ad0f0

SHA256
c99fe6fd40e5361b46b2a1984dc83b35134721a4e11e8ab7c8fe944a909b5e1d

SHA512
e313c673b61eee41462bc76c4a18988ffc95cfa338c647563327826c3d942b5b8befb6d71df35117de6ff4a5be0da8bf0760825ee4fe71aab2bac0d02af60ed6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d9630f63fe8b6cfffb6df1338fc3390f

SHA1
ead9cda1b5737eaee516dc1c292649bdcc3c67fb

SHA256
17b03773f4b7206ac4ea597e4749034fded9440683b3b3e6d938167798c5b7ca

SHA512
d1c312c72a402ebf4ba0c6706a64abeabfc7c23e4e893ce737017bee95ef905f3d6ccc63aa94b54eb81763f70191ce55ae479f4ddc20306911d943f38b23d1cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a6c2b1c094b6787274e42fd7882e716

SHA1
af9917b3b7e527043fee77fa322e4f65af291441

SHA256
bb06748a3416317ca25283c1145b865345f8e964c2685a0f96e0b25eea16f288

SHA512
cdeee394cb50ed9f5294017481ead6130b8156a30d56f3660fef19c1db21424718881fec0e5aa065522a635498ca81ab9660873eb94522d033060f88a78ecdf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4714d00a11a41912ca73ed7faf3b1d64

SHA1
b8ad5f697fd7ce77969a9610d1b1c2e516088a34

SHA256
44598dcf4b93199efe9b9d8ddb9779e94a1e862b4762b5acf379bc8c1277c498

SHA512
4e13e7cb932ab4d36c218b9604a4b7f92d0c1e6282c2518d3d96d4abbd5f5dfc4ac420a77811191873ff48af5f2bca7e03233d4b651669018ba6e18b0ff44509

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d749e655e4565a4124ca1157363f48c4

SHA1
41db068147430d0286d530c35ee4b4529f0c231d

SHA256
11b773872b18ffc20aee9ee609b68d3c6e6ada69557f6c620b1e57d1798f2157

SHA512
ca0338622f2289fb0afcb3a02b6da952b9743af464e879a2b9d0bf3e6b33b04a1f4ef5b229ee8d69f8e23ec46c2d31b0cdf6a5c5bd105f4f464f74165f922cef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c92d15f30aefeb315d96c079737a5713

SHA1
a601c3f6d414769688884151dfd3e6b92fc8533f

SHA256
6a6c14dd53c8b8f17eae25c8a87cde1fe047acbd01f036a79c20f18efb8d3add

SHA512
5335faf326c1c6f1370f03389a2781b3a3fb6b2fd0a4efb92ebfecede4669d84786f0a5cbb328c482f04841aa8d2f86ee47839f3254d8aa6ac684d00ee162eae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
82fea0d0fa706d078d1f662de179f2b0

SHA1
008814dfebecdce46d779c47f1995d8bd3231c49

SHA256
1046a664ca0bb688493cad3c22b156c7d97a99e3304f7b89f5d2a1eaef2ade89

SHA512
ca250209b1cd267c1a7cc7fc572abe4d359ed06d723dc4b724a1d5b7c82da69c678b8f325c7099c9b671d9e63210e5594e51a44473cad6df4c78071055d5b49b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f80399a50289b0d7a3addff8ac2dd0ff

SHA1
68222b7c20d0f7a42faef86a81828358383703b1

SHA256
1d71862c2dcc3647fe23a7a749d0210db62be3c84f5aa560e7cf64b57b16bacb

SHA512
b69c5c4698b6e83a8119055de8e19d50761009a8fd5ac43842cf9e5654ff018d707d15648319f8d2ec6885db96beb8da9a5a670e8e3da4ac7b783dd65519f914

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
407128c6a6a23fae1f5eed14d6af08cd

SHA1
d80ed3b4ccaa5d7f69956fd66986bf901837df8a

SHA256
c8c90b28b88f14b161c964abe2a4e7a335e8a11abecd830924796d70b3e41279

SHA512
0c037195c992344f8b0562f5aee954db5ad2161a983b23ede25ce48fad2c13969ad936a495496fab383483bac48121fe562f80de1ee896e65c0f6dea2a2714a4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a917c06c27f2284ce303e41bc0d8141a

SHA1
a9d0caee87e4bf74e5fac3e14d8339695aa8fbfc

SHA256
d1e06b71eb5be33a1ac2789427aa0ec5a7fd3522bddb95e5a4f9aba8dc8d0772

SHA512
3661babe1eb7d31e58ec5e043e8b35ddfb979e9d209b3a714361343816967834e40e1456c9f4c970c63e635358856455fca5af2c01e16659fcbeba6da6e2a775

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6e06b43ae282917f4ca5934d76d43f04

SHA1
25f69385841eacbd71f61563fd86cdd2e7636ba8

SHA256
377dbc8568fa13822d35a9716cd5c1cc1da6e9521f3c50d9ef50f34249e39b48

SHA512
00989af226ccc0f2457e6404556d3521762e0de65fa04b73e4a3fcc7e96c5a068100dcf243ae8cbcfd4b2b2f0e098cfc1967284d5b522e3450bf5ef2c62f45eb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ecdc7ad1508a209948cac450b5da3750

SHA1
bf583e967db1a85019e8c13c301d5e1d873e4038

SHA256
228fa67d5f3681d5a591d8310a6f333a67a7894e577b7c47f597a26454d3e72b

SHA512
522a77202e0598bd515d94e5c7124a5d23e95b288e4e581283605f6181bfa614823b3f06b7942eaf1f03c93ad9ecea6e82d03b233295b01f78d705e6bcb67151

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d721204bd944e987ab40facb5b75e7da

SHA1
d80653f57adca27225e473b43784a866e9a741de

SHA256
923b5e3d19f4246b2e821311d4afbcf6e7d7febd3790412fa2862060cc5c7609

SHA512
73a8d9c244e9a92451e679859fe32f6d01437b3b7eeecd90909ab0bea63798f3807733ea3cf41f3dd5f1d050216cb5ba5b217964fc13075809d80cb93c0494b8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d6d3c9c4dde5072e550dc3dfeaba448b

SHA1
3a6e13ec4520d799f08d416cbeeba10d8430c26a

SHA256
045dff012ec9d37a9a7cfd9478f2422fa7a72a01a5155a2aea979338519d9c76

SHA512
dc4dc19000bcf53b4dba1168e7bda9f9f357ab0f20d98877b139b041929fe9e84a789d6751313c1128bfde508f603d9e215bb7087de9ff1cd78de4b97c340994

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4b264074ce4c51f3f8b0ae8a997a2485

SHA1
bba174acbb374c19ceec77e96a7ed1a6ad497e12

SHA256
50bfa4ce92a8a23495d2256389a3d004c0361d4d2462f0a2bc277206929869f7

SHA512
e4e49e5a4a26ccb20bc79838fdca86a08126482f5a4f74c343e6cfa8d44ce45daca5ec74006e657e003ca0e401b6d4109034cf223dc5085c1b3c4312b229da60

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2d767d25d02852db0dd01deae5103d6f

SHA1
dfd7cc85be8ee34f2ae80ba2af90cb7469e9ccc0

SHA256
6bbf2e50f62305366114c0121af82d030fb71da5b8a92402f28a2a6e2fa6bbdf

SHA512
0785d8483be40f3deaf6822cb9c2f3d79f0d7196eff18486040b6f184528b163b88f3212e159f3ecd74306099fc296fe21c69cfa6e6c054121331844f3672d1b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e4a385f42da848c64d82835edddb0587

SHA1
aaac6a6fb51ac08405062b5e21169e80ef1a089f

SHA256
eaa4eb78aad7186dbc4a3ac70af458416fa3b01b855653980bd539c5ca8ecfa4

SHA512
f2be3b8f2267874002eb8598d31ff1d6ee3ec45fcf0993c178f8f898150f87ffa18746101f680dc9df7c1a53dcc95aa93a67f34f0c4ac61225f411265044f8bb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
44c7c2ff1397ab3a1db753e04329fbc4

SHA1
61a24a48430af4222e43f427c2ef772ec922f2ff

SHA256
833884e7fe823a40a6d90b0fd5b5e75953383a68e2da1f73957d61f960a1e9ee

SHA512
5a9337503411268fb8ff7039ab636ce30a797977de80c549b51fc83ee0e4a6dec9d88ad4500b3df98acb0733b2edc3c0fbe0843159a2b3bd792b4831a150c1a6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b050ce80dbac96cddc59a31bb963ea5f

SHA1
734651c2d8e2d3fac4c96825a9be80250ac8749c

SHA256
172436bf7837004410d087193893fddcc6207df764f1e98543434dc578fa7c66

SHA512
2ff6bdd577548d38c8cca7f13293a89dbf930d73c76a35c532f55959fe65e3ba50b17db8421c4aa438bdc9486b3e06e93524846d3437ea38c54e1337b398a14d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cd57e68ab8a3d701781f826e08f5716d

SHA1
cfbc98cb81e37191a9506cc1118c079df1463a5a

SHA256
f200abc2f06de751860445a3aa06815c4029ff92b058e04ebd6dd9681edc89ba

SHA512
9e5be0903083543a11c482e48cb1c07eb134fd530011fcd14b2cc83dcf5b1daeb92f06d0cb2a2e1a00e067650a8ece0b3df4dc1cca4f07d7105679442f8cec35

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4af029020ec876e138136c7651643a42

SHA1
3653a8c485a5a3e1185fc8a50f755a90f869f450

SHA256
5bc45841dad298f050ccf712a43c811d805dd5941d1958a13d6b77ce65ead4da

SHA512
1723b6d7de51c9b567255b9582cd684f3b34d0fe5a28a61d52ca9f2d670058b998465dd47526859badfcc9ef6ec09cb81388c0ce2f98b55349ae30da1f8e882a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3eabd859167c3d483f32cb9a37647814

SHA1
c42811aa342cc03a3050bca21d4623363cbf7a26

SHA256
939439c423aa6a11660755f6aa6f53e8532e8007f7ada7d20c24046b883bf266

SHA512
cfc20bcc00ad162decd6b17357e1c32d567545b7cc4f4faab438b69a11a0d24d923215c851783a4397c94374592f9e955465754859e0c5a6929a5e40f019e782

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a62b743cac68082af03ee51270262267

SHA1
810a14da05a6aacd235ae8748b9334be703ac945

SHA256
c13a676d2f190c04c471ca4daca496d56f5357d8b8eca8d9bddefc6d8fc82bc8

SHA512
185615c3fbe32d04e7661f8137adccd9112339b93fc744835319bdf9db5656f164d98a3ca36b23e9d55268292d12d2f332ff880039a0bea03f63edb2f9edee7b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
71e3b04590140b4856a28ad06d3500dc

SHA1
1f9e1fdc35f6c66e3adb9f283ca18d86959a9627

SHA256
040c0240a7fe297f6dc8766bc9e1cd7dc9cc490526ec6c3d98a604dc4696524a

SHA512
eb6b0c42c06b1a0d3abdcfa281beef3b4b751142cc82036a1e63d5b453816e901669db568c28a5088ff75fecb95cff34c2b889857682d3d2d233bb273437885e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7a51253a74d64b5f70f1123cca396c66

SHA1
07a8b75b4c77242cb48e7ed708c8f7db93dd0f36

SHA256
d49a8a27bdc2af1ef8307c19f0e68c624a2acf3569265d5b81740294ca7496cc

SHA512
5a3b9bf8bcaa64002e76eda02c0bc58b20d8490c744e81bae427f3405a5b78df47a57827aea2f7d878401048627f5051466181b06f3ac6bf146342846c019a00

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
271ab3a076716adc80629e13f3c95baf

SHA1
915355e25c80413adb103eafd2de7329be6ff5c3

SHA256
bbcf4d52141d2e239066f9895ae09a2ea1b6d12dd86e3a540496a86fe804cd1b

SHA512
b672ce3f89ccb9634fa70ee8aab754f3421642088754b4a36bcf6ae0acef78b867c206e35e99bc08d9b9b5b118c6e38c80b2c0b340cab7e9cd776ffc31b6e748

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0a52c3b56c09f0ac465bcde38b610668

SHA1
430965b0412dd8c12221fba408561eb94852f733

SHA256
bd3d21638127b227b54fce7c1c815cda561ff891cce4e26e85722268fe990f6a

SHA512
7b6911abfea780409c01db65f408ee14e0493409f78b1dbc7aac82939d4ecd0a2a302fa2e665590cdbbcf37c03fa732f2296d1d67f1c9a59bbf2419e6e2ec0c6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5d38d71d0265395b35c1f15db8e31bf6

SHA1
27d99c6ec0538b70545339e19ffaf466d4f6c4b1

SHA256
75a05da3bad86654453541a0766eb011847be4b52ffc9e1b195938792ad82cbe

SHA512
91f86aa85773c037c16ab8acd8299a7747481010bf75b9430a235f88a1dd7f870d09a57a9e03afa84c70637879f41af9c810f83f1d80dc65d67ec1c3b6df328b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cd539c7624032e97d727c03675b7fcf2

SHA1
6b2ef729be883924c6909c12aa9a203bdb7b817d

SHA256
3fe6eec0986d3f1c8748e170789927632df218f9d55c8fc265b48c6f0ec6dc24

SHA512
fed7621742ebc3aea33ee854e4e9b45d072b0f655ccf279ce573c72f08a7995cf53fe695bf73a0558e4b92ccc13cf25dcc5573059ef058d52c6d0a3ad20c99e7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0b813c7711df878bdf3f6f9113a8c52b

SHA1
44ce87ae245b35d649c25eda0771a64312feddbd

SHA256
dea096b8e5bd026e99fb86579e10889aa7c3e2a382eb20932258c08b9ca4322e

SHA512
4416855fa5d547ee13e772f1bd322cafa5cc8e9015cb7de2231a5e685616cc1118f12cf4c60f087c6914a2632f8aa4fa7fd69d1954ae368699dec3efe41b892e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
856301458a356a69874218b5012afe30

SHA1
0dbc7c65ad5cf02ec7d279c026f03e474512155d

SHA256
8bc478893fccc8d77941b8939618d8602baaff9d382fc8c898fbe6017c4c2884

SHA512
d03bdf8d8aa7d1192e0c4faa9dea89c238f206d0764f3b5585b79f669d174c14f3294d26f1ae04c773c0f2f53fd416569592972175ab716ede42acab56ca3941

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1f04591e00336ffbc6af07f0cd15f978

SHA1
0af8bf57218529f3a62cc228375877d446ea1cb9

SHA256
f890dca997669408a30622cfed13183deec2613f151e7fa279580e5f74c813f9

SHA512
61abe0b766b4da7df32b60b1e9c3946d0419e7432cdacb4ca2eeb6ead49f0d8d132b2af1733b97be79b9b165424d51e6393043053e292818a161f4f2ce984bb9

Download Submit
memory/452-162-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/452-508-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/744-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/744-501-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/744-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/744-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/840-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/936-502-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/936-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/936-30-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/936-36-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1384-510-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1384-165-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1840-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1840-505-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1896-134-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1984-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2284-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2284-509-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2700-81-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2700-87-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2700-150-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2716-158-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2752-159-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2764-71-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2764-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2764-77-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3052-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3104-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3136-391-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3136-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3428-6-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/3428-327-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3428-1-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/3428-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3540-96-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3540-151-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3540-91-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/4064-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4064-404-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4088-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4088-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4208-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4504-156-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5080-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5080-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5080-52-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5080-58-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5080-63-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download