e9be9f73b8a887efad7ac1c0878b658c2f1c4f3e6b36b9d05965a3f6bfb50056

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Size

712KB
MD5

1efa52c086691b0464a0b289b352bb5c
SHA1

85296ebd43a1e4b66fd724ca3d5aaea4ddc7a58f
SHA256

e9be9f73b8a887efad7ac1c0878b658c2f1c4f3e6b36b9d05965a3f6bfb50056
SHA512

6de7f45f619cfd51f7aa9f925aea126dd23ba67698bb9aa8abebdcd2e724d02e48fcdd42765732941980514d7604e347d8a563ef953963c52ab419d558141180
SSDEEP

12288:MtOw6BaiTduSZpUdxB30GHrVxGnXQSaWt+DNISOgv3isiyWcg:i6BlTduSZpUR0GHrVQ1aW4mSOgv3isi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
860	alg.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
4056	fxssvc.exe
1064	elevation_service.exe
1248	elevation_service.exe
3352	maintenanceservice.exe
1908	msdtc.exe
876	OSE.EXE
4968	PerceptionSimulationService.exe
4280	perfhost.exe
2464	locator.exe
4432	SensorDataService.exe
2960	snmptrap.exe
1496	spectrum.exe
2340	ssh-agent.exe
2236	TieringEngineService.exe
4660	AgentService.exe
2984	vds.exe
1672	vssvc.exe
936	wbengine.exe
1164	WmiApSrv.exe
4748	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7609b748c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{14DF0EF0-439C-4CF1-9E8A-D1E954BF645B}\chrome_installer.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a6aace2c3b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009506c9e2c3b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005be364e2c3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3a4c6e2c3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4c62ae3c3b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008e1a2e2c3b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
3104	DiagnosticsHub.StandardCollector.Service.exe
3104	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeAuditPrivilege	4056	fxssvc.exe
Token: SeRestorePrivilege	2236	TieringEngineService.exe
Token: SeManageVolumePrivilege	2236	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4660	AgentService.exe
Token: SeBackupPrivilege	1672	vssvc.exe
Token: SeRestorePrivilege	1672	vssvc.exe
Token: SeAuditPrivilege	1672	vssvc.exe
Token: SeBackupPrivilege	936	wbengine.exe
Token: SeRestorePrivilege	936	wbengine.exe
Token: SeSecurityPrivilege	936	wbengine.exe
Token: 33	4748	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4748	SearchIndexer.exe
Token: SeDebugPrivilege	1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	1384	2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
Token: SeDebugPrivilege	3104	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 3280	4748	SearchIndexer.exe	107
PID 4748 wrote to memory of 3280	4748	SearchIndexer.exe	107
PID 4748 wrote to memory of 668	4748	SearchIndexer.exe	108
PID 4748 wrote to memory of 668	4748	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_1efa52c086691b0464a0b289b352bb5c_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:860

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4832

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:876

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4432

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1496

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2340

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4260

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3280
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2c09200aee7a57cd2c52a92587b9f37d

SHA1
590283f81526a9adad8a0f998103db33d53916b6

SHA256
34db382756bf8c9ae3f90345ffcb534b81f54ad0ba44b0251551f5e5daa28f33

SHA512
e468e9e977715081afa2c2a76b747b546b556a9c2b8a4967cf756ef96a27d6e6bb18b4080d4fad380be8a6c0dc1b9a315ec9fd7e72e6d81a2aa13c95868cec31

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
ffc4f7b70699fe3cbbce997ed03aa452

SHA1
f4c5a4e40571963924a0573802cca9bdf3a05f35

SHA256
2708875577561c1c2e289091c1b5a6469649ce7f7e340fad3d5933f87f074f57

SHA512
c7d4d9a9472bdc5c9555066bcbc664fc56393b317b8b9eccc38d6279e7270a2d0ff0fcd9ab04971eae69ac442129d58823ce577d8ae48f9af2244d7e46c35c7a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
34926c4f72275b9a18b5a893717608a5

SHA1
d6528a60b22eba733aa7d59167049260dc0cfc7a

SHA256
c35b87f07971993e87a8168d9533387326290cf1bd4cfa83376df87cfd39a5bd

SHA512
22b401c249d033a56ac90bf9f7ccc7c352717535275229bdd9e2877c6e6976de5fb06ab390356137c5902340f8a01a4cbcc39299826bef8925ac26e8177946ab

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0c93dabdae2084ce562be9aba7120443

SHA1
e1d2cdb2a45d6e9d6d539ae97376a807c17a0c13

SHA256
a406f2bd496ec3d5b8a8c0bd1ca24b0dce65ebc6cadc3fdea439f406f58bb1e0

SHA512
398064161661a80861bbd5e853f74e3435535207334d0720b56c199b4d911b73db25af763ccb907002698361ac8f21bb787f96885140c896dce16d6a11edba04

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
21daf56b0c89139bcc3acebbaa61a147

SHA1
e5a174c899b789bdc011d539304bee2dffac5b61

SHA256
a19f41290beff659a13bbfffc65b7ebabdfb15aece6ec4eebdeb3ee1fd37aa25

SHA512
8d4cc13ed73e1c2afb0d0ee171e1a18997cb8a409dadda462b6ef5bf7a6d35d43d11798ad26bbe65abb52ebd1941ffc7c70b77bcdec41062c21e47972d311dc5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
edf3f94d5ff3fdc19947b30aaf42f8fb

SHA1
88bf71517e5aaabe4e35d3a2b5821cbe82ca6733

SHA256
34e74dc1657aabbb5b7d5206f212df5e938b5ddda3c2378078ec102c2f0278c3

SHA512
1ea12f98fa5660061e55749419428dbfa1e66df45954cd3820da2fa5cdd70b13786c006a7fef01daf5f44b4accc7e9502405fdd8150a03875e5a36958e5b1c94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
450b81fac810aa675297d03931ce79fa

SHA1
1b9f40b70314b0f3e9ef1903096fb8eb594e289a

SHA256
c78f12b90b03033f76b07ee3f3e93d40a905031f6e8c53b0e0bd2b91cd346222

SHA512
bafecd144f85d2372a5acf17074980889f9482960fe687e17112844fd25ef125d9317ec936cd8aaf2ae21b8e89eeda6d891ce4344144d1d68ea54570b75227ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0c1d2e0a75c51d5a72edec1cde7d83f0

SHA1
6ae8ae99eb1426cca8aeed326ce2219d7ad93cee

SHA256
ecd14176b74632cbbdf4204870993c6452cfaadf83b19a9d204384e6f9719af1

SHA512
47a4c009b7db9a8bfb1200b626c0196e10eed6d69062b227154d0e75c23585df1f752d004ad2def0f74ef770613b0dbfe263b152bb260d58528f7504122dba12

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
18108d4efa35b6a159e715739f829dd4

SHA1
8fc8df53b71ba153f9f1ee24630c047366998750

SHA256
8770e3d873e5b7dd2785343187f83ad18d2dd499ba2e3dddef9f3ff7275f828e

SHA512
29444cf71fc28f8674c6edba0c202a9cd1077b6baac3a2b8eef889e50dbb345aea9af80688955d9ba09498d8c0da5ded0628a3af81ad72e5c47681694c5666d1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2a0a2126f634f02f068d85d939ad7fd0

SHA1
0304392aeaa348863351ebe7a72541a5dd226e2b

SHA256
0d81f76cf977c1cbf47ead8ac40f19e77625dd3aa4aa942742d5aa633ac0ccf8

SHA512
2717fcd8f3e4c59b3d3d2299092c491081695b5736ece08a58ee0da190b349b71116bbbee8db2494a2d1a81e516d5f910b3c4c51b79cff1687c63e654b1705cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a1f9410a5da65cd1941644012eda66ff

SHA1
e3db5b213afd51abcd387c33625f8c3e9e54a0f9

SHA256
660550c99f9a68617921615da345aca62e27d7b70a4e4d912e813ae1b3b8946a

SHA512
4ec9e7a1a30e4300a46de6f82461b4305f74f1ee0638a06db893089229fb8b52e3eb8d589daff739533472e6d3e498759948b8508a34bb9620231c6be251cf9d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1a47d34a9e31af0ee147db9acb2cd91e

SHA1
7e9ae42871c20777076b765849410d6c592c7465

SHA256
23c7f15871533a6484312dca8c2b44e4747091de2b13e2dd2095057169f4f630

SHA512
5db5d2ba8cf3f1d7d03b4a2ab3c3eef76d629a28dae92e40e79552921e242df60bb115cca3ad95e5c48aee8d8ddbf8beae4463f52ac97b04d6cd03d8ee18c5df

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f1c749978dfb6c7c5488325f265abfd3

SHA1
af4867489eda205bf222854372930733c4479426

SHA256
f926c94117f70066d7bfb5d6c6ac0aeeb12abe78c3d8eb7b2c26a39a2f6a65b9

SHA512
62832af346935d8ea9b095634687b61022416050f40bfd7ffd9776e61e07de68569be3926eda9bdf350e00c8a9df97392a7188d8406164a5a612251338330505

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
95202a014b0ddd9bb1bb5ec154d473ae

SHA1
d9298f91e5676f28ff628ad2d6e92045900f2e61

SHA256
c483f2edc827f9c26ac13df42d0a1dfb0cb620af29a8f4c188ccabf9a87e1a43

SHA512
5712edb5e1b143a199edbcc20ae885d5e9bc4e6f068a804ea1c05a2bd497e7cfc7ec9da5d549b067f26479470f2f5ec3fbadb9c7bda6b61f2cb0762edd323c67

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8c042884e2a1602bd7bdc226b5d8bd2e

SHA1
31fd09b9c33ec0efb174836343d686e4c7d432ac

SHA256
18e0d55a94945e6f49b50442477ee32720da52b627fa16721c223ceedae76b4b

SHA512
e3a53ecc0a9b008eef6a2dbd92b8f27b72a0c63c6d8d6d49debfce9843a49b5218e27d8b8f5d3f08af217adea51c7cd7ed4baffb534fc6479ef4981eb877c9dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
10fcde3caba5d4639004d6b15485233a

SHA1
4d6ab8cb521a0f5b5576865e9c036f35dd5ce0f4

SHA256
54ca5860f5f81e1c71562828c19fd1947060d348cb46dcaa4b0e92b112535e57

SHA512
ecb525f9147bcc3a0081d9cff9d3899e5d7192c9e7346a59f7bacc7d3abe92e42a86703c95b010a0afe498c95379c93cb4c940b1bdfa8ddf90cd8e1dd77e0ba6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f8874f8b449295e5712d613caad8abc3

SHA1
70143b672b247455898a0347f3f478e7af1a0918

SHA256
04a28bb8ae9f6b5f83327e8f4f10a4119ff47a55828d626154fa97e3e5e8ee94

SHA512
4c164c5479407b909a25b1fd567b4f792d2e196c6cad5470e7d78308ea6d4eb1d277915294d8e8cdac69b348111af55a7656eea00e6eb76fe6d06ce787968adc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
463ce885bbaf2fbb44b9ec28c2d8d516

SHA1
cc7be780ea9010a9f7f1de4d1d5829bc9fcc04ea

SHA256
469b601b029ad1fbcda91a8073c830441b93d71b18467c0ff91db4bcdd59ee8b

SHA512
3515bc4eda77f379e2712af452034e697f76ccd97345f9670800e12e0f0cc9a22a619e1a4410e31741db2c0e0d96f4ce02ee74530ea9d5c4fb30e773ebcaa6b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
492bd2368fc36cb20df67ce13ac31bad

SHA1
32a26fd96b43bc96af85060acdf461e1dd1f5bd1

SHA256
682ca33af77666026f42c72f37bf8e03c0f60aef1074190c5ea3fa57d4643648

SHA512
dc449ced40fef3c605fde2920d98a3d66d8ab190f97ac0761820abda13ab39c33282bb99c54103928539c08ae415d0016136d05d6c17f9f6f5bafbd1138bb4f0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
75c03d5d39c5f90030ec87eefe22e1b1

SHA1
1bceaf8bb7732d391cb0dc7270cc8635dd48efda

SHA256
107af48ce2b05e1af709dc5c2be7b091ecf5210219c94e299388ebae933d68a8

SHA512
4780356eb2184657f5e883256afcbac7813d7d374c71bc140f4e7adb798fa66224acfb06dabfd60bca148d1a52f22f0938faa19fcad14c7a2016362b91b09e2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
209ed021015873f53f1b934d878f2bb6

SHA1
f4f668cffd598bb66f4cadf3b3fec2145165adb3

SHA256
cd91a494e34322fbe8fc2ee11e79885034392c38987df812f6be8c9e9a821148

SHA512
8b3821c31d6332c9a54edb3e1aef643c9292d6aaa937a3d36edde5e8497a3ab5bcf1e2b9dd667319f91df08375504e68d4d284d65a531e4b151678b9b0d273a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
22b3cb366662371d4ab8c9c9c501f00d

SHA1
1cfe237f06859f21ea20b4794f8e5f3454499868

SHA256
53963e18defb9a9d4cbc8c2b4b431e12b33c073975e334265e80fb4b86ef24a1

SHA512
0f817c919267db333e769adf9ce51acea3ef6b15b1d26021d9285d2fa2f45568e95cb27809bea8ccce89d86110f29f3c973e4cab370bb431c2d3281e17f220f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cc0ac1f3b19f926ae9bc5fce6548b3ff

SHA1
ce97c25fdf69a46adeb084f19102006f3cd1e07f

SHA256
14b8d7f26d64bb6dd13e816871f7ace6d76b99d97d6f5df028b0ed1cca30925f

SHA512
a696cd9d123e3bd6319eb00221e4e09f99197532864e96257b90796089b96e19a075fbe7222903921255b04352b272b5a071b36fb23acdd0f14cdb66506efa22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
bb246ba4e5ee29b4b0a912932085c51d

SHA1
9fc6cd2e4cd7ce920b33530ef317d7a2a365141c

SHA256
40819bfca39b9ec5e4e3a98e788de8ead91d426cff98b9d8c51494f5816e231c

SHA512
890450c65f8ce932d4f9eae0394cbcf870c9dc4c6a792d9d0d0c4db46e807f8d0b09c8ecee20e74ace8d925bb0f2858b1dde62b5c2e7eec7aab803fd68b8e139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
034b545e678978224a03ce88b4069f20

SHA1
eab34daf702f8daa4999aac5d652116774d0ef7c

SHA256
20aed340159ee39e4e6544c7fac5fb0af0b745e85d6ee8b19eebf9eb719cb4ae

SHA512
71de2feda7304b426d523b13c72a3ff5f64885df8b57b927b3f8eee78691dfb762df94a1a4fce1ad8350a5494d0151055d6e61d020145f19e1d19c9a9fb4b369

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6a950b3247815481d796690ff42ae844

SHA1
9dba94587f28df267597b9a69d1a9870cc08b058

SHA256
0efb9c8214a0e823d89d41bb9bcc7403b07815196757043f05d9497b6e49bc33

SHA512
b313f491c3c100d3e5f6c232d00f1cb49d636832af64b6ed5171b9ddd599bf8b92d4ecd5f2f859844732ae1a0eb1e5358a06cd980b1f44e63077e3d4bf4aaf30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fdd9375eb4180b34380932f349401e7f

SHA1
e2b979b3d9a047cc98e5a7da617a8deb587dd7fc

SHA256
dbf41adeafe695c9d3639bcab14852b43d5e533dbd610c0c2e8385212939a167

SHA512
3fa7c78b6523efd8e7b0abf7c33dca65a417dd0f63a4b573baac1e8ba49a8d52595e53d68db8d2b3b57951b6c87a64f26b40f4a63ead08bd1e7ceab39b3ed56c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e7e7ebc571039ebc0a2dede80c80af7e

SHA1
75778d3aaf829366fd97344a62cc6785820d98d4

SHA256
c1274c4b94a926a24f9bf77a428f8e4120727843cf1b71537eb7f77fff70d3b1

SHA512
eb37456066ca14eb2dc4a6ebbb21d106158c975c7d3e00f655f8fa79c8623cc5e116903506880b6f383ddd3bf5d27fae5cc3196f0f2c2333d93b4827417410b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ff3f0c192c254895a720b4a5b83dd6ca

SHA1
7d1e1f3f560901f622b0d7f4588c7ae2d881143c

SHA256
b05aace56507a9dc3af9419a9302faef4ad9170d63d93307437142067fcabcc5

SHA512
7de54aa36a562f7f513f9cb9b4639ece4aafe205557d6b8f21e26c69a10b42dcbbe7677a1997bb42cf3c9caf7b73f7d735d44c8105e4ab67e1a9be2eb891ffcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
3a64db88293918f567bc2837bd544522

SHA1
28f11a201740eaa1b668da5a90419f6b6dd72db1

SHA256
3a5314ab2c9c5cf9fcbc263b56ac4f9d6b884c8d19d6145e0920462d45337a2a

SHA512
74b4de341977f90075d1f65a8f7aebac3fe492f0b9f642efea1afe1513f01311bdde326f18fb857179d305016ba4b7e58f80c3f717e7a879df67a006592479fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b06a2729805dda86d307cf5aebf4d4d4

SHA1
2d9b12e2344ad5118f704f490f24cc6abcd2730a

SHA256
efc45c1e939f6332f42ac5519c9e63e42218dd11fc094cbfdd1385d4aec8d369

SHA512
ab2b1708f93c74c0f814a344d05c138dc387247a6235a3869e4d0685a961181bf6002c6de0285f212dbc526d66ad16a4529b7d213125b31284cd7cf98f327576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b8eec69c94bc3458cf29ae970f25f386

SHA1
e78b6b80c01ea6ec85be0d617e1da37b7c48928c

SHA256
b545421e3ceaa245a597457df64bb87b3a246c5bba08ea1d10812e888c40f265

SHA512
14ed07edaa8cc59fcf6decc9ea80cdd3b0847d315276fb829774bc031924ca36ea299962c62b005b9c9ee32d4adf99574620a87f092b7461cc54bd04fb6fbc2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
71019982348f03e14fa2b23c61110be8

SHA1
66c0883345695b5146a42827f3fcdabfe6b5ba64

SHA256
8fdbd04efacda96c37319bf41072eacdcaf40ff2a4c40d5970e4daa7d7eb373d

SHA512
d2f78cc6753dfb606217c18a11799be63deac0e9f5e93b70996c977a67b6a14d178c0bfcdf55761270b265f5f4e4c6f67c98bbd3e19d92b3780e3f60fc2a7db5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
144d7aa78f5311db7adf6af21fc37ece

SHA1
dd1dff89f7da49e17e434e6340ce2a1695738a26

SHA256
8488195cb5a5c29cdde870c078832803ed64f3aff5f50765303de3ad0b4687a9

SHA512
acbc1c850a6c48f4a65ed76b186cf319cdc6a1b3172c06acd3250b3da6f26018f2028f86e976824b442b9cdd72de57eff421453088b26430bd2cd57e2f42680c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7985bdd89aa6c11a1e5cc000c30fbda2

SHA1
b34fe6fe88c584b300d8c7c2ca1525092c189309

SHA256
3484daea07eb089b085391f336e11d1981f537bf9952c6f9fd3c1f07fbe6aa35

SHA512
8249af19a247a92fb0f4e10d407c81a252f7b97ed878e8c0234edfc75bc3bb49a3c25421485407bc838364ecc244a7634e8eefd77653fee605748155f6087044

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
3a9a92d40f6574bae76d1bdfb1589a72

SHA1
6b9f743c93a3332c0c303045433091b581be338b

SHA256
3199374c8d4ffc02afec62c526e63198b44090d9eb7e1e078d78a5ba6d1d6708

SHA512
700f8ee046908c43587e0d703235fa02e396e2117816ae7478f62da150c0893fb6c866aff34dcec4e7ee1903da8abf570642794c570ff7cae9bd14d71b4c63ea

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9cec679b76b7794891246cf54110d0d9

SHA1
be22dca18982ac9b9e549317517a72f2a6018a83

SHA256
8615ff46af9c50ad247f8692a48dae07c196e2534ad56ee0f5f4ec19cadea0ec

SHA512
10ff3ef43ff2eb161bc9ffdccc0182805d7d1a9d16225d090a37ce4c4db42da72d77bf81220b62a36cd7a826494c62b5d1f6bf4277692a718ce75dbdc0507a00

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
89c1508369b26c196e18e63e7e4f801f

SHA1
5234e33e78d2654686f7a11a50fca39ea8a115fb

SHA256
535b5638b65d8cdb911e66b494640f57bc98d74cce58bf338c9bbf5ab6ee3db6

SHA512
a1913d4d99f209ff71acd44caeaaf2b77dee4b1246fca034ff226f779d7193158710325bac057eab79b48d6fca152bd398e0d099332213e36440571cda5b3fb4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
be3c0f2c2f34abdad395598a5e3455a0

SHA1
b5554bb92882722cd16a164b2c53f2fc94413d50

SHA256
50426c48c7ad877b07084e66fa7da20b7455a2913845d81e441c733efb518c84

SHA512
4fa0532aeb2d08cf41557b52a858ee035a3a359bfd72a57494148006fd2266a5bc67e438e111c88440826a2234566a436857ffd1543e3c0c753a9cc3649ef6a8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
827cccb11f95ec2aaf69dabdb512ca92

SHA1
d6d72e32489d93022dd340113bfc6477dc17eb0f

SHA256
dadda2fb562769ba6fdaf902e4c332b8a3f269ab2c2d62e8b424eee5ba489bc6

SHA512
deec1c59f612b03640517cb844aa38d18be1fc7162969b6f6e214ed12f7b5b18cc0d35f198eb422bf077996879de28d2e52813023ba9695c6fd3deae5f10ace4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
82e4375a2097afaed2e0c92c3cae65c0

SHA1
28e06e708f7226efb13f3834bea7260e3c778094

SHA256
54c608531469e9a2cc66d7d569608653fa006f1b91dbb78ebb49976b0b256430

SHA512
328e4268f14cc75b446903d6c78fcf8f00cd44e75ee9fff89d870151881b609c3632abba12b366fa2468f43d61bf3fed05725a311adf9f21306b6bdf3b5a29e3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
92e3173c8e6cabf0967c33de665f40b3

SHA1
5886668e8e236c62e6554903a381e2cab064964c

SHA256
7eda04a16394525a7181ab95a7eb57c24e3d32a4b75899e9e252ed74439fb680

SHA512
20b3bceeae42da5c7a5cd8979aa86f147ec6a0c044c7726b55633acacb945673bbb79ccf5cc99f82c223de8f91d7bcf79b8cf0ffbd1227d299f6d6c91492e164

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
6293d239e73fe7df21c695cdcab627fd

SHA1
e2a15048fae8f0219e44d3391fe330c73b0542fb

SHA256
e70195b58395152e61cb1ca2c6318b8c8a0abb2705b5ee99c212a23aca3589ae

SHA512
7127de70b7237fcf6f235072f452d3dbe357ae79e8267588eea455ba9e261cbfabec4935a727d62f27fe266c9b7606b39a85db1a2f79a4fcd606f5cd492d9c57

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ece722ef10a65c09cba176b7566f912d

SHA1
ffe2922ca2840711b9a4e1ea9111439bf9b0eef6

SHA256
1aa3f326387dc7a387f4c697d6d1d80e93c01a116bab632c0023712245518f63

SHA512
0833c5689de4bbf37ca0f82c9bbde145020f1a4f084b3e28a9491c067bc9c0506791b4b4fe0146da64802f0eefc991f60ba1e497121b0ec9acfbce2d049e14df

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
862c185100fab037bd432a50e981947a

SHA1
6d545061669da8efadd96027f07d2a1347853578

SHA256
39e7c3c88364078aa52141bdefc7498f73c6928fa52091f95ec02d7d1b8917f1

SHA512
8e8135d25014ccf1546c6c20e5dafc7014111ed0f79127127af254f0f5f862015ab76ed6e1e8d6ff4df316dbb45a21f9151134873e2e392da3f0b2f1b7038e2f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f0e6a240c2df30dd93d08a306596a03

SHA1
e738a8a99e86a1a9d772b7f468ea9f37cfd603d8

SHA256
73bfcb97dfa1c9534e817607e90ce515c76e833157aff2e29cbccae32df68f42

SHA512
63d5feee36423e1c11aca691688c19f0fd5de78708b008be9071f81e2df30aa6f28e3c4180ea97510c5a156788e25ae1476e2ec2715abc4e8c056948c38c2837

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4fb94bc929018fdfb2c3ce8339c16354

SHA1
f600754d35d2caee51cb65c0cd660a9e1b29d8c1

SHA256
fa850443818d736b69718c80625f2a9ecec378b282b6cc4d25fb2c7d7e3a0a31

SHA512
0b558614a16bd772f56b60b55e9ebf0d5cf950dab51edd833dfee8cbad439b8247834c94f229681b5e0c638c8c480a5aee4c55ba4e2a72f9308891742bbe1a95

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
890c7dade55bb31604b5390ca65b8719

SHA1
f14c761c80b2f8b8782c60c25058baef70c8a314

SHA256
6c3740192b477a7944613fce0bce26a97bd4f7cd262ecb8f6b5cf04795d439bc

SHA512
60a5adbe0b6cfbc042a3bdaf6eed75d8869f5a0a0afd4e32d1b8398d6202f8cee844fa1794ede47f0128a76d4cb38b15b274e3aa1fc9b0e6b6d35b44a87b08a7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
89452fc8499d9a0a16d47367bb6f138a

SHA1
65622fdfb786b08a75236b1902e67aadea8eb3d8

SHA256
fd97728f22b373a60560fd938a2ab702888caa0c9157884b910bf8ee79e5cf34

SHA512
259bdbe653262d8baa830e06e5ab2116c5d8749becca962a6d9455f3eb598d21587ed75d861e5434095ec48c948bb18bf2828b64ea2e3b19959566ab37a222b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a5610e3d344b2c6be74ab3255e5dafb6

SHA1
05928d6f80ef18dc5fca6d828508d401f826a2f3

SHA256
a092a6b2a894d182f56b9bcf9cd550330d8c1fff5787259c99789d58198e4c6e

SHA512
24589f33c6e7f0cba9afa0a5a1040726e90c7762245e114343db6845ef3d9cd98cf713ed472f43b7d9b8aa9463492f62899da819a2fa0ec1aad7e9934982380e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5151447004a8beca0d201e350f45b53f

SHA1
6b57f63c52ad4f7df2f276aee87e9441c9473a99

SHA256
016d397459712c00406f0c4d24586d65b90d246b9dff04bd3f25bee4cdbec49f

SHA512
e28355dc403977fb1c5894a7335ae1e5320d9abc9825c886addb54f3e43029056750a0c42c8633211ce8e4b8277cf0d6d12e8b60535a6835ea17c39caec6878f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4a479683a0eb294ad539dca5ccc26ebe

SHA1
c91a872aca538987b1ec36cbe3f2e5bfbff2bece

SHA256
9b3057b3fe0e588e8823dd40b8971f0c012e6919516aa5c25fd62aa943ec9ec9

SHA512
d54301807c11a81c8026f3377b0d9bd682ea87cbe20454e1e4e7007da4c2d8e42a71881fee9fda70e8accf9aa85643f603b5c2514ab3afa7de847266ae7df7d5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
26284367266ca1f05f9400c497473d34

SHA1
9afbc5b79479d9ccef6578111f4f9997c22fa453

SHA256
8602016c8462ee983dc2a814711d1097975bf3c00c0fbde4396dc99f2e29ace1

SHA512
5746425cb1024ab9744a7e4ddd00189b2dc25916b800da1048c4008b27ecfa77a80b066be435185483a068fb3738db06445e782154ff0fa8ad5ac9bece3e35e2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3cb2cedfdff1863f344854c2529b8d24

SHA1
571be1a1b4867d8f1afaa0256108ddaf9e95c476

SHA256
45f219c411c2c015c45770acef59a21a9363160e42c95813e5277095e8a34b73

SHA512
f50142ab0380199419876f170f2d5caeaf497e7ab172149f4633bfccc692d049840deef37c7e5963f27e287250c0bebb76127af41601e312e001c020c7d3523d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a1f0912b342ed864c91414a1a3e07c91

SHA1
f650910280a49b6f65265c32843f1a45dc54ab73

SHA256
5c253dd7ae6058ac8024756f80405b434d1f2112f267ff2a8cbc5d7117c8a887

SHA512
b0eb39f6885b09be0255edf078a69cf31b3277a020dbd8115e55fee081edc095f2b8cedbddb3e4fadd7949284609c05ec3104ebc27f28e85c912ab0c8bd03518

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
717d4229978e2671fcf7cbc1e182702d

SHA1
4dcf8551baf375adb24a14aff1197e71b54f10ee

SHA256
286612e3c5f64a2a637c7480079adbebb854c5af0d8d94327959cc72f9de0981

SHA512
72bd4850edd046bad0df400dccda1921636b23cbe520190c03e4da1d7b96a75034806ad1e63a6f933555cda6429d322149730d93fe9a07d69a48075cb4cc2e56

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7dec8c7abf22dcf1eec991af98c83532

SHA1
a2c7724dafc0282d5887ef9ce2fa71590933af16

SHA256
8e8484a22ed7283477aa5e043992c6ce69282be12edbd3458624bb1e027bd20d

SHA512
7d440d50657ed5d15b9c8cb4678be2862f8a4336871a064f286e1935844c79bf190cf11eeed39bae917800b71ef692a4b0e3befba9a7c36b82632a52ab7180c4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a4cd297bbd2ed277c294d4a33f43ef4c

SHA1
472e22988a58b4a6ed87caa9c888dbbed1f1a7a7

SHA256
e749e32a3b542bddf1ed6e17d46f087bf43f500f0c2ab7edd1d9a1c619ee665e

SHA512
2bce7cd3c4a00926fe2d5b865e2dc8b16d79ea4e15ed8bb65a09464f028616ce411a70c9784af196768922e893a5a86cf4572a74ca5f98bfaddacf03a045c134

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
95238fbdb58999d236aa49056b3d3512

SHA1
74d379bf082b19c73e19b8f795d3acdd10592d7f

SHA256
ede7834ee71590afa1566686464a2e8659a5a0bd2dc80b780943b96738cc86ef

SHA512
5438362e96564390557ca0bac4468a8e795d265a6b751325cb2ddd7464ff5720d4b72daee7ee6becb23efb46da4a97941d9c9723504ef2df8e347918ffed0d3e

Download Submit
memory/860-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/860-409-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/876-70-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/876-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/876-76-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/936-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1064-31-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1064-412-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1064-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1064-37-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1164-415-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1164-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1248-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1248-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1248-413-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1248-149-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1384-408-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1384-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1384-6-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/1384-1-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/1496-158-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1672-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1672-164-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1908-150-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2236-161-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2340-160-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2464-154-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2960-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2984-163-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3104-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3104-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3104-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3352-59-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3352-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3352-53-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3352-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4056-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4056-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4280-95-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/4280-153-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4280-90-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/4432-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4432-365-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4660-133-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4748-416-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4748-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4968-80-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4968-152-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4968-86-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download