993824a325d55f77818a4c9860d0cfe7ff0e2217354b32397b17d1e1212fc474

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Size

1017KB
MD5

314ac4d61eb813f434d822955831ca5a
SHA1

807db3a3fc1cdfb8f46d4e3dc9f4f5f4e026e4b7
SHA256

993824a325d55f77818a4c9860d0cfe7ff0e2217354b32397b17d1e1212fc474
SHA512

80ddbcb8165a0c441f4c0a15bffb0fb645e0f2e7531e90cd0e341ad13b852b46b92ceeae46e7249d98d1aad64dc9a8c78d22789df47a8506f5e171abea667650
SSDEEP

12288:m2lWRP5hA9PRWg9oZI3XPWvOYRcDRJZ4w8qIV8mQR8XZi/mWcSjpI0Tkdure6:m2lm54R8W+vxWJq0Q7QqtWLjXTqM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5276	alg.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
3288	fxssvc.exe
5556	elevation_service.exe
5340	elevation_service.exe
1656	maintenanceservice.exe
4640	msdtc.exe
5932	OSE.EXE
1584	PerceptionSimulationService.exe
5532	perfhost.exe
1380	locator.exe
948	SensorDataService.exe
5804	snmptrap.exe
412	spectrum.exe
4888	ssh-agent.exe
4160	TieringEngineService.exe
4296	AgentService.exe
3936	vds.exe
5088	vssvc.exe
3748	wbengine.exe
2912	WmiApSrv.exe
4412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\597f4e7ab3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e05ad3d996b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ca07cda96b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a03534db96b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8c189de96b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022859cd996b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aa022dc96b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf07cdf96b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000529639dd96b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4b95fdd96b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Token: SeAuditPrivilege	3288	fxssvc.exe
Token: SeRestorePrivilege	4160	TieringEngineService.exe
Token: SeManageVolumePrivilege	4160	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4296	AgentService.exe
Token: SeBackupPrivilege	5088	vssvc.exe
Token: SeRestorePrivilege	5088	vssvc.exe
Token: SeAuditPrivilege	5088	vssvc.exe
Token: SeBackupPrivilege	3748	wbengine.exe
Token: SeRestorePrivilege	3748	wbengine.exe
Token: SeSecurityPrivilege	3748	wbengine.exe
Token: 33	4412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4412	SearchIndexer.exe
Token: SeDebugPrivilege	904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Token: SeDebugPrivilege	904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Token: SeDebugPrivilege	904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Token: SeDebugPrivilege	904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Token: SeDebugPrivilege	904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
Token: SeDebugPrivilege	2676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
904	2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1404	4412	SearchIndexer.exe	115
PID 4412 wrote to memory of 1404	4412	SearchIndexer.exe	115
PID 4412 wrote to memory of 3540	4412	SearchIndexer.exe	116
PID 4412 wrote to memory of 3540	4412	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_314ac4d61eb813f434d822955831ca5a_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:5276

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1656

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4640

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5532

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5804

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:412

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:6024

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
9786b460a8fb27e42365d744c687fb60

SHA1
a751574e8ebd960e67044db3a81736a9383b95ce

SHA256
d7f42c3651b4c757724ce66a22af6b5c79a22e7499da9fbc8626d5cf28011321

SHA512
097210da679122556786bd9496b2548de83ef4a7987e7ed767dc2394f33a5183405e2813b2c918feafc15700d7ce78fd5a9237565356a3d61ae55f13ddb86838

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f571558543e9af7e3e06cd5193687dde

SHA1
7fde5e614dce4010a2c51c894aa1f983fe9cfafb

SHA256
6092c18ca8006279f5eb9ee85dbd3839ec4629f47078d237ade3fa1700157c57

SHA512
e38aaba7de38f4dfbb35591b8eec21ddeeaff839a0cd4e0a54c84ba1b88da3aaa382bca61a514cb59e02f438e63a0b17538808e9b4c40affa287b43bc8d08dc1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0048b1f3d696ef87cad7a6f7bc393ffc

SHA1
89ede398be87e65a4b124e6011d1a3fe00750cf3

SHA256
60293fa8b29d43661ec90e3e871381bb3af82dd8cfc0498616220575fda164f1

SHA512
6b31520f39e7169c0769bca4bf017878c75e9a3e935aa92b53f3e601c40cbff36e2e10d1e4a556e0b737ec8071404feea16dd924e1c4cc6f104337663c60b69d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5d6f598911fff76abb13201108845cb7

SHA1
40b78b59b12e79d2f2d7adf531c9545f1e97c7e9

SHA256
43b04faf79638b4640ccf715c84075049103516fbceecfd0c0f362138a0131da

SHA512
c4dad3c7665cf0a743ef23744639dcf9a2bc791d82b3da0a1988ff5e61257259798e91a416ba3061081b1a0b439222777c363143f482eb9f7b482cc5e14d0fa1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b1376f9abee1475b17019a712daba7ae

SHA1
8e39c6bffb61e16e8ab285ee45d27c8ded0dc548

SHA256
8a75e985b1c6fbfe844ff74be04875bfa2821cbf33ca7136a6ac0df1612b7507

SHA512
b8612579a26652300206465a91677983c7006ebbe0042e2c4ccb03dfd1120d6cc9152784c88d54b03dfdb40ff443e727791a601b4b89328377a57900df4e62f8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
438022520f4918e89f5ec2accf069d39

SHA1
373c9f6596b1b7b2a1afa097875bcb89c9843aed

SHA256
203fb1d9ceca526c17a865b33ebb0e90570c0b26c653b9a8d382308605b0f36a

SHA512
5047e2363095aab63435b00b4d95a084a82554a8ac6ab45553b30716b883083e39bd21f7e54bb3fb4378c3c1d916e351e545bbd02ea6ccea50d42f469526f8aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5157a40b13e156f7f21c50a68fb56d76

SHA1
017777c465bbc58ac8e6c4d3f4c639d5f1f1108d

SHA256
4ca90473dab7f8121686f83ebda81607e1050820836c9270994bbe3e21b44d38

SHA512
83850c8710f74370d4e1b2853c1c10e721c0f6a4e705fd2a7a6980c6f3c5407465bf546edd824ce87edb196c642c37ee8dda3b8340ac717ec54c11bd7e2a6a05

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c077d41aa2739adf8706b23537e9ace9

SHA1
d5d1a56db9336f2c4bd00cf12d724255967b5f8b

SHA256
33e76748ecefa4dc5241e60ee1ea84828c87dff0a33b1f7fefbfd33d817a5f3b

SHA512
90efc958f75b5ce50a4ce96c31f55e7b73516dd454c68666038dac6b9af07ad5b81e136199b7f8b898c048d583f2526db55ae6d31d0686c3e0ca62659cf63075

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
4465e6377a378eac886ec276c01473eb

SHA1
9b2cb769b281e0fa0d3a005a7ac7d518e874689f

SHA256
c2de6917d94291bcd3c757c3564a5390edebd3bafbc7e60dfcc64ffef028ff6c

SHA512
accd4e14c43b520b5cd50e5af17971e1eccec51ea0e0a28be1523322380fcbc070a2185caebce913d080617c0250eeca429c340503651f3688d411562f5a5d22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
312411b9280df6a41cf1b2ca63a0aa62

SHA1
cad5b9389105d18cdb03aa153f9c45e4dd0b6d51

SHA256
1e50c62f138df39583adb4de71bac3b6c6ef9d7a88f7be4f9e18420f97a25b26

SHA512
dcb1dd3bab827a9ad4cdb263c10a254a4523d05ac09188c4c8ae94ea8df27b657ed0af44df513ac42d33e7edd7607df68d255fdfc264f0767ad8901a3ffe4418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
03006bcdfa5027e4de110507a1f8881b

SHA1
af06e6b2181e38fd0ce4fd9973415f2d4d4adf1f

SHA256
8643b1ca44f52cc93725819e78d383ffd13ab87f4558c26e4046ec5e69d004fa

SHA512
32d0e8a72144b833e1914632005181c288b7d7e15743807c0500658e0d0e394a3aebe2e2c3397295ed4babc8d03e9f787d0ad19ea60978358f936065e55f519e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fde6162690412ed3f8cb35a1304c1bbc

SHA1
94143f6925703eb69810b5bd379dd987ca0cbfc5

SHA256
d5ecc6527a9ec6d3772b9e9d0688df4bd199fd4192a310c84095f0f9e55f9462

SHA512
cc2968cfed02d17906aad44f5816c4b149b0a3f0a589d47edb364b97cdcaa714822dbe91b784887602d5aa6670a75cfa631e9093070d7db91ed1162f7d664e38

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
995fdb8b6fc0910c0e4cbc2c2a2d34c6

SHA1
7f9cbbeca1f931c820d480bd7d122a75afa96130

SHA256
1ec2b4f20298fbc9a0121580cdbe672e912631b7146ddde340b75142bdcbd634

SHA512
4ba36f00dee6c516efb6a6797b9ee633c8e7327af033753c7c95f926c2e7b801e785ae242b0e6c20eb43b3c00038514cf9752cdb8007801e396a4c6da2ab17b9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8371ba48d612bad6f305d0a9f63ec3c8

SHA1
073f3ffbbff28c391b0dfec4d3463963a1e318cf

SHA256
1ef72e3e6246d4294a20202d5653826a214d9d2e5dabb294e7e4e65cb28c9956

SHA512
01be6e9eb0246d66ac940ebd0ad14de7f9994e7ee25c375d6c734695036bb186addb137129691125dcaa8674919e6d569bfd303a56bfe1205d3f2235da924e5c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
559aba833768fe838c008ca86daeabcc

SHA1
98b7b5ae8e2bae47bae2ec48f66053ca13802cdc

SHA256
d4acb5861fc2cc2e721618713ed364408212548cafcd02cf0cc09695b1989462

SHA512
6a51b14d866dbbdb55617e69832fcff2da00a47d85b84911d0b2a4644cf06282facd64a0e938231d1a3872f92d0df319347d65331ce1b13092cb3496484a4c9c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
732bbc9dfc8ae30320468b83a7690c60

SHA1
19ee4181a0191e3a8dffd27177b6cc2f7731847f

SHA256
8a19cc72fbb28820448009fb814cc03f84aae0027045883dc3e4b81417238437

SHA512
158e557af930e6e1823a72d961842ba30347344c2a6ee9f83a3823cf979bed382eaf8a382b0fb5566addd9f85f8e50d67fed587af141a560c7905628f129dab5

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
63bce9f21a42f33bf73f64cbc59795f6

SHA1
6c545ed84ba8f4661a14074cf7e7d4469cc31196

SHA256
a0b37fbf701fabd05898cf0d6cb67d9a142e9d9a511c5c170962d9d9ee1c203f

SHA512
879f0567803547ab249ff35cf21789d685de19009e6feaefd6f1f356a38b8045a2a3dcd189b1a06c851679ee5a782066474b9dd1cb7c5b3c385d726cf877b6ad

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
012625ddc72ab9a14ac6cf6d57540910

SHA1
438981f73176793f7427232b4ac1057b2ad4b175

SHA256
330d8bd2b6edc0e54e9889f044d6e9500190848488cd434080608a594b592de1

SHA512
ee25353d630cf7c567026b350bc824928fefb318febd0f7ee64aba042093621bddeccf8a07b3913b88174105474a029dcaa989736e7a274a9d9bd254dc23ff9f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
e09865a5527ebfb1f3c565ac7bccec1b

SHA1
cd1f6ae88ffa08fca351217b212e89cff209b4ab

SHA256
6910cd2e5ba94912a4c450732b70e97a5e4074cfec0d8d0e50af1bb06bfd4722

SHA512
2543ff21c62deba48735d7991065682a1bb77fc14f7b9668f17977f4d6274fa01e5fdec9e2f434780d321a695730785162fdee3eb65dd9c28fedcd953048d70c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
3966c37f9f8af3a99011be0e747503fc

SHA1
c6ca0d78f409f0b04b51b3d9e9e1d80fbfc8e4af

SHA256
7dd42b4f66fae67a2b3c308fcf821fbdeea610356e0dfe2f8667ef8f9a8b8b64

SHA512
39bbcb8eb13a466ef85f42dafec1b952d68f55228c73784d0d913dcdb1b89099296a6213316f8c3a88a4bda8b3149875caa32d114857ada188e70307043a9296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f2a90dfac329cf9c80d86764eb12f6e4

SHA1
d82b5cd506e7194566fb1a3d6897e6a4e87deec4

SHA256
48f95dcf2dedbd9073c8b520069eea1583eddda4cf2579b4c8a1ce9024731e42

SHA512
afa95f42c7d9b6c72aa651e82efb3dd5558e836f6d6482646ecf4d363a9bf148c4e0d40ccd1e8514e62c7508686997f8d00058db8e0cf1f6d0600bd108fcfd9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
21bb8687b50962bde8fc8cb593172340

SHA1
c9d31feb196b981b3fe0c29dd34dcf60f1b49e7b

SHA256
649ca052d98191d1ea97c53ae3b1e9a9577bd1d5af69298557bcc92cfc69c8b6

SHA512
ed8a69ba921e71de50eaf5b8f6bbba3fcda5cd1564026aaed733353d4e06acfd06014001b03dfe0f176f1cc6cf43d7a0dbde829869c4808b2ed4f67644d0f57c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
25627985d643e8a8a67dc0e3d66f0ce7

SHA1
23384ec76c164a203688676173128c0f31ce8aae

SHA256
749de690b85f2a4717cbe8c5079f9fe4d076fb8ae3eb177d803ac2fed0ddda0f

SHA512
46e875df2459f24a9d3e4c563a2a18acace27b010edf627a62e5ff4866806b9799b237f2dac30798e234705724a6e438755f2fe6e8789cbb39199127f3ce4eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
89da59abff3fb51846c66d4f06cc9737

SHA1
ec638c016ed58c01530416d31b4cf848e0305fb0

SHA256
2d9e7f48c866464d59b3c7ef37e41aec72ef78ba6da5eb9eb7354ff94e6a3ccf

SHA512
b083ce28ee66cb19472cdeea566dcae00316a902fc6417425aa86cf02cba91aa177570f93d7b20863a4e05c7c0dc1ad1b5f825f6676ece3be157c5fc25624394

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6ea088122f636432ca79993f4ba400d5

SHA1
709dc13c1fcf2ee93198c818abb18c2dbb2f9d3b

SHA256
c4918e0247dfdf885aad919c9741243d58c853cf44b8d3239675ea7f285ffba6

SHA512
632f74bd70c84f15c7afdd1da5be92789d472fe95040e278ca54c69a3e5ebca8e95a09bb37e440f1877fc645397d1b61077df8154bde8273e78e051e977b35e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d5208558a507e189d44d7eb612c04bf5

SHA1
9f45d996db59da2102f531859ded226f714401b5

SHA256
082147dfab306793bcc223bbf37eb6df97caaf994d6ce1937b0334b45009eebf

SHA512
9f6889d197985ef6c79b77d92211a4ce3d41b4046b02ee3f22172f26a445ab86d4b357dde29a7f6cb33794c300e66fd9b20ec29c6a40e0eaa4820e1567096dfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7e3716799a0d5d31eda5c9a9330288c6

SHA1
a17f82e2cae68bb1a8c870817d890e7b369f4b19

SHA256
f452a54679410062675c1bfbd91fe0a817370472dd3e2df5a781fb8ca8719321

SHA512
3412bc16ae62c869f82ee6675dd2bfb468c895bb11e36cccca008fed5377498eca044d7f35814c8a58f0601ef88fda9e114ac7e9200f6a8759c6694898f8b8c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7aa45e960056b804133e36c9a9043085

SHA1
014beb5a381d57481e737b0abdbbc3e592c2a8e1

SHA256
745297bc450a71d44f5e8ca35d17020d56e9782bf4e04f3b544bea278cbab610

SHA512
587263be574c0387b89759ff3294b93ae4bb1f3720f6d21acefae56a42dc983f9086ac0a3fb7a2a245e2ee8c21fabcea537a561967ab34546cd3f9bbc68f059f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2c000e6f12206382956f3761f2072a83

SHA1
58f290f10a9597718e922c028190e20859e8e45e

SHA256
5f43021f9d6921364b0e56e20918be58ca97f22aeda5733f1bea59c37b257b0b

SHA512
53ae1fcc27957f93f358fe1b693e2b7bb57910f5afc513ea3cef82ada766b4e6c2836e39a4ebf8e77c6cf27eabc57b8ac329fd9c0ed59afe9c320350341768dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8661f869773b731a0a59a78237cc2ffa

SHA1
052acd0d2e04c045e016e65805e6af226f8c1497

SHA256
b98d2fdd4a069686608512c0f33d3eace1136342727543ab7804ad478b936437

SHA512
3e221d9c61d422ea2cdcb65c73deb3f811908a9ff93173efaea68f6994b70d453c72dc088f35e9bd81555828215525cf3c00a8a826ccbed15b48c1f6fd17f422

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8fe1dd7c98a8f11a9fba5d987607bb5e

SHA1
72aaa04d81a4210707a7143e4185d9b9cb88bb34

SHA256
3c35d470673bf07e86dcdc7697d7e053ecdb1f27604bb1b2bd9e4193e9109f19

SHA512
f0aa6d45b7bb3eaea7a7187c247408c512dd929b01ff9511104f617680a91d19ac17a5c9950753f40bf547b53e3c2b8da7276a04709e87e216049b6225560060

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
be8018b0bc5717b8841d9287973408bf

SHA1
cd4dd5921a641786073a06a98c43fe7e9641c01f

SHA256
bf609db0137a7dd4545a389a364d08dcd5fe0f10d04fcf8a427fdda9e5f0c6c5

SHA512
f22755a3bae755150966084dfeeaef62874d2cb6d359f61932eb52c1ca6d36647f1a525c29302b0be16e75cacffef9fb9e730baf049a4976157a60ec6eced63a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dd5a98fa4bdcf8a3b7eb5b05f188dd22

SHA1
cb7da36523dfe43c651dce0f8898b5b5dc23386c

SHA256
9ea52a602fd566a6e9b4bf226132202d72d293accc59c882c493b6d759ed5b66

SHA512
d988037e1f69570b4627c2999995af89bd0d5636450605f0f5d7ff92f0153683b03128f7457a12bd71fd0d429dddb488e5f2bff0e9048855367e98f4c481a62e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
723428abe315e0f97732fb56adb488c2

SHA1
90834642f4825bac583402da9141696f3456f69e

SHA256
fff3537b2003cee1a53b040de239d7a5ac7eeba1cbb7f2b4a209f1524de6c1b3

SHA512
6a22866e571bdc48f7f54eb17355ec0405b95be6192a1930b6fd608405125868f4fe055162cf174350bbc49d553e6c9d62bb887d27fe2b48b51ebdcd27b9520a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
18c491cc15722deb9a2e919628876041

SHA1
7e405ebf443249ce86578cfb86a0a80d2fd533a1

SHA256
940f23b1d29ae5849ebe90781247caf6b8b07fbd69c2e6771cf8e82490300d18

SHA512
e652a4019eb58becac7f522077cd3c0793bdb5d620044ca247f8991ab1382bc3b6539259d7bc064f8b2163075a3b17895964071d020163a179e24a32bd6b2a67

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a493a1186f97a605ca54454dcca0ca48

SHA1
9c3a22fe4de1d4ce2657b2fce958ab7309a64638

SHA256
e8119edf175e1793adef5eb2de9b1e6013d9ad1dcdc16b8b3a0c913238a108ad

SHA512
1c07614091e4fb3d354dd77281065a31f8bd05c2423c1da6a2b1b90dc9d555f403c219df9268fad8696e0686e06e8be73ea643146044d2e5efa1944dd8f51956

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
78ad147c53197261c57ff7703cc25379

SHA1
b738fb84361566fca76f806fc40e0e267fa5da8a

SHA256
c9bc66b760581a71dcf96ae3b9d8c629fc522fc9d387c5914a20cb3bbe255ec8

SHA512
7ebe4847c77137bc16edf8b8c6eb0388c699b97f34f88e60e02f12c0d03b1bd7bce080bd5b61b15fccf9323c6baaffbbc4c5397b28aecb0b120269364f3c0e4f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
465cefe6eb3ad241aa3ad474fcb95b27

SHA1
6fcac04afddcb07dff23b9b8a624b36cfa7d2446

SHA256
816994751755d3a7a11750bf31b09053ae4f75e2b4e38ab85d3a72a509e72c5b

SHA512
3275c770382895877941d120e5b43d6811615342690b195c23040274531a05eb0b424be73f88ffde3e40753995a483f16d3ff1577a91fd9e8fa105f0f1751721

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0323e76315edbb83b947ab7d576d2ac8

SHA1
014379e5d7a8ddfea1345e1a7aa8c602f0ca9c23

SHA256
4db225d6cc049f816d96a3f67a0574ea768bd734f109dfd510fad9f1d727554a

SHA512
42505896f621443c426b0ed6f0fdf8ed5bf74be90d3446005d2b79928d8e69a101e7a7575a0580bcca0293001df63635119616f87454d5a107e65830cb60d53f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c60f318ab1bff5684f22be5545e06b49

SHA1
db81f46db35acd0bf08ebbe691e67122a447ad29

SHA256
638184735e707da73e3ae78035d536de4c3543d3b68a6c8e25fd1df990e0bffa

SHA512
c2ab7d27fced328eb46771fb963ac3c3e6170a95c82e81142e9da3136a594c836126674ddf98fafcfd12c8695c64cd50ba706e3db1f65cdda91a924ce20757dc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5c03387b1df6b6ada429e84875ea7147

SHA1
610cb7fd21acfcc21e35dd3d9d40e180a8fd9632

SHA256
18ddd421d4829dc321d60824afce2d1841e241f3eae502a4f6fb80a21dcc8f2d

SHA512
52e0feb33d8b123920872941871959c0ddb930727244fb505dc660e0022a5461d7e77a372a5e5e4dbc9640eeb916333d9f95416284e642a65400c7ac6f1c091f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b82c13837773d190e698d18fbffd1d4c

SHA1
9116ce64e18980ed7b911a0d9369f820a5d6187f

SHA256
0cf0ff51949dac2a9538968448fe761708bffefbad447514a50ccd99d8b6b222

SHA512
d65e68098a83a9736711916361a753c0f62aca9e02eae70af47034428c17697baeea281c6b28cf2a1a078686f2724f7c7089f0d422ca69d54c8eb40f63d7cfe4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4d0917e6235bc26551048a40fb6e72be

SHA1
6c89da6eb9f55e75ad2359d3473e040526068a4e

SHA256
258bbed46dc3436bae1fcd1f9bdee0ede9ef48f19217541ef70dafcbc146130e

SHA512
545154eef5fdd5cb6f259c97d77953f43b41e1efbe49a6dc7812cc7824f1e3b85d5183837403de09558b2a2681860aa1ea72e88da37ec18cd7d25c91b70dd805

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3d1b2c1f42a77411b35190472b0606bb

SHA1
ee2d2434054b15265e0a93e5ff6ac752c198d1c1

SHA256
5fc34db15dcfd82be039817cc8d2ff4f6644246e1f3e3f2146edc8dd1c8c3210

SHA512
68c00b61ed666e34e7ba6a2f2fee26c39ab46a54a2ec0e373157bb599c1e21ff2b9fe0727e478b3916e5ad7f4f34b0a899562f9186ca58f85a5fc15673c6854d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
01807fe304235b02a73eefcb2d27b792

SHA1
49ba455b635f92a6547c953a2e9e25f3c6b1bf40

SHA256
cbdaf6e8261b67bf80e005e643a5ac697341f9712dbe1dcd4519715c4d474cb8

SHA512
c307586766514873f6588ba65628632ea6313b5010d96c69df1da1ce0e112fef239ea744960e18a811194760d1f2f5a0ec9459d76516e3b023a4bcce2750e613

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f58cf6e596ffbec193ac67f5a9feb32a

SHA1
516169ed3f99407cf02cbd651ae949d541c27ba1

SHA256
eee777e3013f6aeba5b6f61355871d0ae1654126efbeb29b83f0f06e900b2466

SHA512
cbc1f0f98952307abb14a65028e00fad925704cb52d95e64b1ed441ec2d7e653450d566ad3b1913c8e8f206c22ea0f8617ea945989e941e8166baa5d10955709

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f69572384e41449841a71cbff0b2eeb3

SHA1
526be629af2bd2d4e3315a14472f42e3f88079fb

SHA256
aff8662ca6c88d8fea51fb0271c786a2b228f0672fae7602df276bb1b61f52c0

SHA512
72988cddaf046c28264ba0a2c493c5bd060c080be33defe9f92e221d9dd3f2007cae9818a22e82cb968d733541deee2678df4b18c7aee4d8b5ab9cfb1c347e35

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7c8f22baf8a0ba29088cf58f277d276e

SHA1
c284e1107e33fec8ea2b6d01b909f813459865a4

SHA256
da482579eb61324023a8c732201b208cdbe003629b78183b8e081fab39d2e613

SHA512
d448d6ed36d49f39c8a574eeb9d576e42a60d9f2b857854c07f8c231dd984fb5f81b84c70a794f48ada7229ae33766b973249abbda9dd600febec6ee89aabc42

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
30171358b791b3adabe516bd49e983f3

SHA1
ab8bc7614cc77d467cd3c2054c9678b65b1b8b0b

SHA256
eb85485ca8cfb43a7774aa0aefe6d3f9a146aa9c2f893c3f1c81ee86e9897cba

SHA512
89f430cf7fa565d69b835bb1dd6b3e2eada4893adc7cde850e5ed274b63b1f949643012f77e8f9b87a3142e2a505659f30c31da42e55fce850c749d8358b7e47

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6cfac7e25c8fe5051a13a34d20bbec13

SHA1
5126e676969e52ef7686db04e0db36f4505a7959

SHA256
9878dc19773dbab5b09291a59f22e4d7a07ceb21bca609ddbaa4506160ec6739

SHA512
a65af56106247d93310c6e152a6c8bba31ff68ce897eeeb142680e65aef602ce7e4d557312514446f471693c9edf97eb641e8540c58799f289acd386de724a28

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f5eee39c135b744b0d71a64d4a9f7c58

SHA1
ae83d403d6be011cc9274f2d3662635b6237b647

SHA256
40f69a5dc19158c92780923cc866157eb83e763a099fe92fee4130f3a5ad74c6

SHA512
8e5f9e83994589cc01bc2cea8cb97ac117a2739a66a9c770afed23c2d980b1a9b18e015cb05b066d07ffa817d7f351714b3fe15b1046df068f0661c4b54f4d38

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4e78de85054866666cb0f02a4e00b638

SHA1
b53a91800c09f13507fc80910f1c3b5cd22fc44c

SHA256
13fa0b1ca15ebb905e395497b44e3816013960e4968bf339b92435ed64b3e03c

SHA512
1b13dc313227ce70b3413bae348759c010a2cef25530a6974b1e2936e82caa99987257d35b00d420de6d26cc3997bb634752579391ad01468646562b80a24a0d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8e5867688a5cb9a57dc492b3ebebd01c

SHA1
35fd3a6d2acfd9e6ca76e067887beab87b943f28

SHA256
dd807f8a6d46808e9a22bedf39c11af30afaab20282ac44221850e4a2288ab79

SHA512
b9590a14a98e3e3e9384284ae800bb08536704bec694ef8792dc6c549f60ce89d29190ec307efeb9f25521d46036d9ba73738ba4b0a8b9ae13a45624bc5ab5ad

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
636b51ed7367701bfe75a965ee0bb69f

SHA1
20844f095708d3148cd33d0d95842e64a49855d1

SHA256
65f9219620846b0a6ae9b3d90491460ab3b3ef5bd9d5e9a7deddc979fa397956

SHA512
8093aff21c591f52de31411d7d58dd9f683b3571bf10dcac6227cefdf02c9df1f87f9f42fbf5dda9bcbadffa6998fef992169b55d671b6d247790312b5c0b48f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
53b0c017ee6c82d7f8fe82db37074299

SHA1
19995a0bc96c3b8e94d91c6421a85cdb0b0ca378

SHA256
d30689eadf544ceb1ab9d478a39c9b45f2f7b59ad4c78437dbbced203862d87e

SHA512
21ced97ebf3db5d85082366b427a666871516c9bbf0d9c8c5628f645ebfc0b0a7a637dee46e94336bc1d4f98dafdd87f3a2344bc13552dc9075e00a23fe2422a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c7fe2ec5dd192aabbdd2909c92be4343

SHA1
995abe5cc730e984821fe3a0df9591fc6c29b27e

SHA256
d6bc7819eee6ca015e42ac8d6cb33b62054a65071809f042454da9e01078dcd8

SHA512
ff6138690e72d1f6cfcca67afa44b29afe8872489a77f04991c94cc0bbd16a9fdd681b2a64e21228293e8ed6d5d4347dfb93db93cdd0e56a0108a78bcb97f0cb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5cd56959dfdd0f8ecc3c7c17d5cb6020

SHA1
30f7c481d7af2b3c3f5a2fdfce5d6ddbb7f1129d

SHA256
f16e7ee1bad9940a4b1978df428bc5418314584d675a82415e57cf4869405195

SHA512
230df90829c93c11161521df14026551ae576943c3518fa55ac7c90599704197973b47dd90e65cc31bf267e0807ba1e47c4d7417ee28a69d7c4fc5a813668d4c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1fe60ee8f424184e2ee0ccd5d4edf070

SHA1
7d85b558b5ba4028d7140cfdd05ce5ebc3f66d76

SHA256
0cf0c2469908f98f7cca26ff110a4a234e96859729020062040878fde9a013f7

SHA512
6af99ed6f0fb57593f88450bac30870b762a7ce62719a68e6390fa9ee6887afcf8e0f5ab2b21437362b6bc0ac6f7a2fd1eddd74ff5e98cd916e3f1367c6a395f

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
594dffa72a9dfc8a9c48f3787bd36d18

SHA1
95783be7ee0be20bd144d53340bfc75b21b6ee60

SHA256
fa5c2ce1ca6da99666db8ce710fc7c05ed83b23da15d0e31b7ad3cc32f5b7354

SHA512
8a7e556c32c3bd737d5fe15393d6db02721357b5f4af2efff9ceefa8847479924163772a200f49d408339da845a364b4e50341d567e4d3c2b137d7de52fb069b

Download Submit
memory/412-298-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/412-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/904-74-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/904-1-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/904-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/904-6-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/904-7-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/948-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/948-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/948-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1380-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1584-96-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1584-89-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1584-159-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1584-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1656-68-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1656-65-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1656-66-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1656-63-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/1656-55-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1656-57-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2676-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2676-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2676-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2676-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2912-376-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2912-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3288-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3288-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3748-372-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3748-164-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3936-367-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3936-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4160-347-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4160-147-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4296-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4296-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4412-377-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4412-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4640-150-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4640-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4888-332-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4888-136-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5088-370-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5088-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5276-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5276-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5340-135-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5340-44-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5340-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5340-52-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5532-107-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/5532-101-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5532-163-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5532-102-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/5556-41-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5556-33-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5556-130-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5556-39-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/5804-119-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5804-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5932-82-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5932-76-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5932-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5932-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download