775824821f28cf1fbaa8cfcba24721d02c08ef692ee42dd24f9d8ba2f85017de

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Size

712KB
MD5

11a0a4d6326ab128d123d962062f82a9
SHA1

2141f544323495382d8a3a7938f3b02aa41504d1
SHA256

775824821f28cf1fbaa8cfcba24721d02c08ef692ee42dd24f9d8ba2f85017de
SHA512

329dd1260990b2460995e40b034c532829b8fffd1a5dab025149986a16feb70f5830d02cb85e2cd7cda07b86c57857440fa71a1fc68290b08891f329bc3dbf5c
SSDEEP

12288:2tOw6BacVqKNdQ8yRK6rkObwsToHOOWGgqvoEWH/lInNg4JYU5a0Cuxy:I6BpVqIi2lObXobHAEW9INFJY0au

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3224	alg.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4228	fxssvc.exe
3796	elevation_service.exe
4992	elevation_service.exe
2576	maintenanceservice.exe
2824	msdtc.exe
4588	OSE.EXE
3644	PerceptionSimulationService.exe
4192	perfhost.exe
808	locator.exe
1284	SensorDataService.exe
2252	snmptrap.exe
4332	spectrum.exe
776	ssh-agent.exe
4856	TieringEngineService.exe
3280	AgentService.exe
1292	vds.exe
4712	vssvc.exe
3416	wbengine.exe
5112	WmiApSrv.exe
2492	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b6b63bcf293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f506ebc2c4bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4ccefc2c4bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074a4e8c2c4bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044494bc2c4bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002cf115c3c4bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a84810c4c4bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003df920c4c4bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dad516c2c4bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe
4244	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Token: SeAuditPrivilege	4228	fxssvc.exe
Token: SeRestorePrivilege	4856	TieringEngineService.exe
Token: SeManageVolumePrivilege	4856	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3280	AgentService.exe
Token: SeBackupPrivilege	4712	vssvc.exe
Token: SeRestorePrivilege	4712	vssvc.exe
Token: SeAuditPrivilege	4712	vssvc.exe
Token: SeBackupPrivilege	3416	wbengine.exe
Token: SeRestorePrivilege	3416	wbengine.exe
Token: SeSecurityPrivilege	3416	wbengine.exe
Token: 33	2492	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2492	SearchIndexer.exe
Token: SeDebugPrivilege	4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Token: SeDebugPrivilege	4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Token: SeDebugPrivilege	4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Token: SeDebugPrivilege	4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Token: SeDebugPrivilege	4004	2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
Token: SeDebugPrivilege	4244	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 3960	2492	SearchIndexer.exe	110
PID 2492 wrote to memory of 3960	2492	SearchIndexer.exe	110
PID 2492 wrote to memory of 1388	2492	SearchIndexer.exe	111
PID 2492 wrote to memory of 1388	2492	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_11a0a4d6326ab128d123d962062f82a9_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4192

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1284

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4332

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3049540d0cf67a21b4a549580db8b91b

SHA1
7fc0ee06bf63b1eed39eb27a1344334875c9f750

SHA256
2060a29212b852b13463e2b4e7b301b2cf386bd28f43bc9525d222818a099a1b

SHA512
45ef02d0837598d26f7b3a9bd8b9b8cfed3ec90f26729cc39d890718091767cd7e4d999944a00fcea26c15467130262b2552582fb19bb7b3833a1939a54b6a6f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f72da71fb2a0d6d5162af40652065695

SHA1
82e6588ae9a4233d44117d1e820cb3d2a1ba30d3

SHA256
fe2949cb1f33ff906e6e30d323af16a6f3dec287bf5d79e0b8948f25c0be8591

SHA512
194bc966ec7715e1eda96c003bbe7d5c93603eb48569a8e3bd595e29a9fb88164e580a692f124934d261b8a564ce0139d7967b371967726abcf501b14d29a4bf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0c54e247392300063445a256d9da2ce3

SHA1
706f1a12539b2f25fca55ac15628e7ae5675036e

SHA256
b66b3965a5a5b1c92aa407b60965806227a6a06008c2eb0f8e8014d3b08cd68b

SHA512
145ce10a342499daff2fbe6d2b5045b023027c2b59f924bf1792dd1af8b5b50633ca351bd5d7ef51eb68a860e69e6def254bf3c0b0f5f66c90a76a4953699d2f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dcf5b7b713d2eca68908bbf68772d503

SHA1
342dc51e805390e0e6756facef716994794aef20

SHA256
5cb1795d4961a899c5b2ed4946febab5a3b609ae746f975e6e906c6d110e38c6

SHA512
7a28aeabd52e4e034808929cb18843182c102fe5cbe017f676210fe279d0e884f14398b6fd8539d5bbe45719c32944a7c2a3c08a8b53f7acaa4dcbf48543f5bc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f5f12e391c4cabda52adf4a7a7e0eb06

SHA1
d2318fda0c1162212a34943dfd95b9d893dead4a

SHA256
3b793602c63e979c4b554fbf76d87b8abf8132238575ae2c72aab97f3191a3f7

SHA512
7a7c6c7e9709320481faf94383153d307ac1fd5d85f0b986cd8f26526ebd7cd88246314df1f352fd6402f7a98ae89b9b05861ffa35c7d0a98edfc8a5c1fd4129

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
67568cd2160b91c761a5884bf8ab96c2

SHA1
b5e8bb78a1df2c9a5a7cf1a04aa2863b5af5e532

SHA256
3a3858245505d06a108c1b2e3c47000e50a6738c9611599997edebac0012c285

SHA512
e72abe8e1692c061b6da55fcae81478a086d9b04a43ebc0a526f42ef2a3cbc405d65bffe83992fff2d31a768d9345e047d18b78f9a14ef1666b8b242ac9ef318

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
313644cee13981d9f548c6c63a5f40d8

SHA1
db155fc07d87010b0ae2249c91d016b676bdbd52

SHA256
722a7898464acc4fc6d191680f2c4738371e868189589133c93ba2594aa8694e

SHA512
3478c477833d0493b07f83fa2bb6add1c2f063d447a1c62775dec3b782e8e362419a5d34559f91a907547d80491d50dfd67198b39e5a928f78b2cccce0796363

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dda0c433f49f1079a04916ee63d3cec8

SHA1
5f2217ad1748ccf312f8f69d0515a8c075a0218b

SHA256
d835e28db923c51f9fca40ebcc87f50a46957ed9b0562107875ca62bd6774214

SHA512
599035ed108ec5b0186abd86784824992f5fc8f5ed6d39ef2318a8dfb576cb588ce1146d413137e84276ac0a7aba25bf5067e7969ca0b5e731db7b39e1a30065

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
fda19484eaf1f5f9652eb599b630443e

SHA1
53413e31f7a4cdb6066c14dc62668a205482aeec

SHA256
f45db743786bf9bf7fc88eaee3b98496a108c416eef11128504c99be17895232

SHA512
592314a6431d4961f807a4b47ae6a6bd3fff9b5ac641aee7bc1794ef0553e875db2b6103d0676a5a9c5ce03512cd4dbaba2543e7181f87a3cb78d7c4544e606f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
286ac2131cd93b33f462d5cd6fdff97e

SHA1
5d2e0267c5accd9361cfcd4a52239eaa2f9af8c6

SHA256
d8c42f63663fb88e86fccd23550e3d8f174b2684154c4c8cdf448e1985a9b79f

SHA512
f70723876bd7983ed277fbef745e02a7f29b1fbecc8d12727ff79e6ae0bcffafc59c4cafbd38eb4028e49b23b4aefd2eef7d0b64fb6f46ebd751eb12718cc561

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5709bb25beb23491e38e28924cc779ad

SHA1
36b4e78d0d7b6b99c0526443ba3ffa3fc12555f1

SHA256
6a4d476c2cc45ae8d240868e8b4f1cbae2739ec1568c232473a971044eb09c74

SHA512
5a1c97623fed74d10ad485c3c79a88d9f546a6d8419385ec593854c443006a671beaf52095e3861b79a1178ae88e6ddc6c82fec120078c6f056b5c691f99a929

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
716f4d45b4d9f1d23ebdf3c33dd80cf4

SHA1
4e423ae0cad94a72abb4ddd68c496b73fa9e7419

SHA256
41041c0ad076bad54167315d906df491e65213679d0d6c15616bf3c5dcfc3048

SHA512
def7ea9a90c84ea45c9a6d8dac692b5429f095b468829b7b962e60d6afae986d2a2a4f962b78b273a5d9a500eaa107377e574905ef8f24242b1985400fbb6335

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
23b62dcfe9996d84ba9b7642cd508727

SHA1
d214915e1dbb18c36271365ddacbce10a78e1908

SHA256
518c134481ed40f0b654640a74c87bf3b06f4a45285117bf86648239bfb64ce5

SHA512
35ad21f8ce29ffd6fc03f452f894e5cf086e21d432881d4f8a8cab145a345dd932c355bb1750b40fb907a5459a5e9eafa568bf9bb1627e213834c31dbb525e42

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
aebf33eff6190b5e8614a3252e81aa15

SHA1
5b1e90ee3e85159813fedecefb8a1d283ac2d049

SHA256
1909cb658be4527cfba8d502fc4987addf3c744936a71a9ed55e93d7d9236f03

SHA512
71dca6953dfd4adfff52af7bc261b74393252d332416922d163f25d2bd6a38e5a4a3c262a11c09adcc46d33f9898a0cf790241eec776e03eaeabd2a1daa1666a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b20914367f2ea3d00c71ffc6218f068f

SHA1
7d4ca26b8c122e3ebc15655b87c52328aa083b81

SHA256
b04cdc7fe0506e4cad63e39839df3e4440b1eb7085fd7b4efefae951348e2a4e

SHA512
f0d39a8032ffb40dca386d2d68601062c332bf201ecd633a76ac106fbc7a859716d082a249ecdd749f0ba5f9a1e36084fef8ff6e4e6856a94f8348e416739d3c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d941a27d54c3d12779ac23e5a4ec8690

SHA1
d5cdfc05f5346b067b436f01f205c492cf096ed2

SHA256
9916a73887d907d48494a0ec93e014b8cc24e6f15a27102b230d85dda3349737

SHA512
d9966ebf1884dc28f9aec8e5e23c77ee85eb09b873d4205b315f0dfc76b10ae1009e311faef284d51194c1f2aba34d90411125538a50dd878d52ca3bc9798f8e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8b0a9f5f93b1422b0121b1f715c16f4c

SHA1
cff40712fab7e0f565d55ebf156807369d1d0ec8

SHA256
e5555ee05f39f4b757232271a5fec7a70634434c8ec1f234adb6f95ef808ba6b

SHA512
8a36e4b01a567b268aa6d6dd80e0fe1e2af06dfdf34192cd5429270dd5dfc83127506e3d08c3bde32e1913957f239e2fb7edff32ff0e1479ea25653e87996da1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1fe25bbaa23aafb3e2b97344d99f99dc

SHA1
9e236a08cf32883dd5eb3f2ae13221d785f74add

SHA256
14c3ba7ffd3aac87bc8e654b7ba2ac36b10d901bdc9159ce146e5b8739373e33

SHA512
15936be17c797b141fb6535f06604a4a5f9f5d3d9252b23474d3cb39a6d45628dd7d7a245c41c8cf8f165a0f1ff6fc4a9cb6e367d19823599fbc697a4317c7b2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
75c34c75c89295c696ca531aa25109e8

SHA1
a046d9209b603f0e34b525a313a04f9706301ea0

SHA256
2b4a0abe4fbf5ec450ff863d4489d6f9a4a6725e0a3447878df614aae6dbbd47

SHA512
48f85f2d0476aae46b35eff22aff32589397fc1dc1cc3d34f73dd91e4107c5652a9765ff4ee2637b5797fec38a6ca56e8dbc70443c4a5cb19171b7854770befd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
94bcfce176c5a5b095c2f873e7555b19

SHA1
35c36fde894fd1c1e0abc359d3b0c2dcc230f434

SHA256
bdf846f5ad1c5c80d510be1855bd4aeaa0d418c543192b92b36e87931102022e

SHA512
5e5f38701e4c75791841be2626c5c0abaecaa5b44e01ecac58b2ae96b865813928e8e506dde43b5d233fa5e38401de72c3b688e03b887ec971e41fb3c9389ac8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7ffa29df522753058f4cf33e330d559c

SHA1
de6241ce70788b7a99bb59f052584149a2f5bdf7

SHA256
1dafdcffffd904f869d73ecbaf11620dd953598bfb16f829bcb72de47781d056

SHA512
240bf55e8ff460bbb5119aa6e88038e473aa9224dd097b33131d9f5cbd5d567cfa9b1aa83d2466644f58b438fd9d25531f2411ec242908c10c5eceb961551ae1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
64f79400f7a61621c83e909a4230b156

SHA1
d0d704f4f02adfbd07130efdfe6efa8ae33c59d4

SHA256
f98d842f9497bb3c7f64eee4ed981e754d383844e516b9fbf81f9c069887f167

SHA512
49e4fe5908de445662a8ddc718d9db8bcaa752ffd3f270c946c43656be43e9572c5ce5da12166cbad876cce51613bb07979576236b76f14e7625f2ba3b739abc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7f9b06d98e944e6792d3fd5e4eb04eb6

SHA1
1203f46a932700feffe5dfdeb8cdef4f862e03cd

SHA256
6eec44844bf960ecd751af16bab38ab12a9ad6a53425967e5ca5da86cf49adcc

SHA512
4d7bde2a6bb337b39fc808861d7602085249b6cfac88a0d1cda048f3721a66cdb8b69db830192f2d357567a3af623e4fddfa358c59d530e94c86ff7c8ed0d181

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
cfd796d05619fef7edd2d86bc714123e

SHA1
12b157f9449959606c985119bfe205f3724e23a5

SHA256
0951e20cad01dbdfd9f6acaca245a1a64e31eeb52efc6ffb7a34695e221e036f

SHA512
9aaae7a51b3077f659734f8f6d679c90c70a4611f9f11682b0a5c6e5169328b6a9b58f50626a7aca311916b68434afd1e5248a94ec2e4c91d82590d3105400d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
38b4c19e50a5ce7b08906615c6aef74d

SHA1
2db6a551200f5e796e79dc4b4b1835d0ec4484bd

SHA256
4ae7d5d65e3a7ba86756701fc47ddd914a44ef61d5f40dd8ef7e2c5aa7628b1e

SHA512
9cacefa19427b7ab9b67487071d0fa765100f0a92e62837d652ee2e6968de98fe4e6879f66a780887f38d971f5eef6b940e482b2599453d0830ad67dc95172b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c76ffafe2b227cb6292d29aae9d7561a

SHA1
a115bda47afa57a3b2b0ecf7bc83abad3a6d3dcb

SHA256
29cd944b8c808dfdf3888b46459d17e626153c1878cfbeec7e3e2f6e92ad19f3

SHA512
40bde9b42ae3f1102bea4835363aaa94eee4cf559f3048911a879786e7e7ee4815f1b7058a3a2d817e979f693605c1efc2738ece24a284c03c46a630c8ee8d25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ac03b89b7374ea707189256c99a3d436

SHA1
8cfb2eb238f986a8a68a1873deb429a6f1c74129

SHA256
8375908d0fb222ad51460b2df09a9457e65d5662d78022678403fd081f84516b

SHA512
130979d958ed71aa4267f16c11d2d331f97949e9a26427d557eb6421d84999f0a3a0ba49335cdb7b7fd57fb3227744dc9486fbd35c8718955247e0e8b0fe4855

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2da1feb86c12841c1982fc5c46ba471e

SHA1
f5ee6103db9cd9cccc21d50b23ab85260d7fae14

SHA256
433dcbfb32f03565abcea067cbbc2f34118362f4b644a932cd248cd53bc0b485

SHA512
a1e11fc685653f163f58ee26661ac915a16ca6a3147a378052a50eb6e94764b4ba59fbf01094b070f9eef92b8d3f2d54c8170cc19dc965f7253a3442ee47d2ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c4adeae1c31e122a4f00d08a119e4d29

SHA1
7dee154f79c1eab1f84a0658e606bac160a4ac22

SHA256
c753e87fef1a60ce0949fffc2f94e0cdafe7d920874282ce8a86ff372a8c79ef

SHA512
d879ad9e02cc0e2481dabe570c451979ffda04379b0473552744e2dc25876176efd54b7266e9255e5cf4ddeae96c46c0470db9da90c65de52e5d14cb1fac958b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ba67b5000a05645a1c32b6e3701019d4

SHA1
0d8803b8e69a5f1de6c16dd5467fd71087f3a2df

SHA256
a4c7587d3c1d79fa7b52e1acfcea1e43436d23e940eed291bf1b861014aff408

SHA512
ca3ae2daf0a6797fa74575f001d340721b531b3144c1a450429f02c92964f30736a522c230fd3db05dc5ad52926e1850c3267c376ddd098f599ffd4c6f46c450

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a0c6a2b4e91b5d4d659ba5cdf0000493

SHA1
06fecdedef2533536237e12ed6b15bd551f44c33

SHA256
47ffb1c003d2d6fcb00a1d92a372848aeb1990674c5cb85bda45216e68feff82

SHA512
2a6ac6073efe00d014784afbd9cbfc0740f5aa8e10418b4907648e6c6d429508bb4a92bbff75db83aa3c777f2baef59e3c54a78d90dbbd68d08bae269ae5f7ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
12297170a786e5cca30ab8e09706b886

SHA1
40e7ae56134d2e3366d5f6f92200db7ebcfc07d9

SHA256
453f406a51f22a8220fa12d757e37c47e5c604a5b4e4140199b5dc43673e1cb5

SHA512
d88730bb1926eb9a8f565b590f1274673b1d14a4932a085f8f88ced3a631f2598a790f94cbf61e2acc137226b803042cb3dc589108ab14b8ec01919f8c73b35a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ecf5d2a71fe2242852c610d302281c7e

SHA1
ad402504217c8d75f66627b27cf3bedb081daef8

SHA256
a972958fbcd172aff4140555762c2bf5de4f45e044e0997d1eb834542971af2d

SHA512
d2b3ac77cd9d1ce7ad6536480a461df1f9ed1ff5a9b288e3266a87c030e994281f2cf53fc13f730f45dba108649d90a1b8f7a62daabf61c6a4cd1b5b32536db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b1f6dd6fee71d1eb8aa66588d6ea2982

SHA1
6cf17a323a09d59ecd38fd8301fb4e6300b3602e

SHA256
e304969b3c28744bf7a055e3538ab569d8c68747fa4c3217d8bf88b5d1af1213

SHA512
f54dd433cde1c07f45280d46b3728e67dcf190e887fcef4000c762c02fc4d01dbb943adf65e7a5939466c99b03ed2a3fa9c6b1a3e1455d5394fde56fac8b3e12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
10147d84d0bc2d7ba32247e665aafb5c

SHA1
0e5daad2a8ccfb5c2978d515baac672f33bc1cda

SHA256
ca861e427091a09ef28001a07a03456e0c919c16c8b553d78ea75bdb92c16673

SHA512
198f9306f77b170717590a7f5f61cb4a60615dfb547314190c8bb4f2ae36ffc0c86c86dbd91357b224ed02511db338f9904732cac52b74afee57fdee6d053421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
98bd88e5418a2b4fb1b9f816aae68f41

SHA1
7b672c828320448b309dc559c943d08f225ce898

SHA256
ca8da08ac187933e5df8abfbd7e7149789765e2f22ae7feb4dcb96a8995a60a5

SHA512
025083e3ac1b5dd3c0adb279d5ce675dc15966f59a197c3cf72bc3de72b2522e7d3d3bf68da7bf875d6392ccf2dc129e54f5f5c2f82cef9d4f13ac6b1238a126

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
375f30642ad4da3b9c369b259cfd762e

SHA1
8bc8f8220affc1eca21d2e6e8b2d7f90a7cef3f0

SHA256
daf51f23b322c78815698b3a14e3a815efcf3a28f8ac6cc64af6b635a5154dd9

SHA512
cd12288a5ff3f0416fa31860467feeaa3687d606d3a30d37de93c068c25c991e580ca4415db104c0376c464fc0eb72acdca10c793b5a905de6998cf6138ddb9a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d6df3b1865a4fcc7ca38c1903c561294

SHA1
569f7e8d7238691a1f4bc9765b6a312a568ba265

SHA256
5e6d88ad881bf8aaa463ca77a11831f5e687c16abed1097351eda9e5a7714e50

SHA512
38a26ed0620d44a22dadd1e66c30ce6c19fdc6597a044979c3f681668679c8a10bb24ff3432820968f4bd03dec4bb29d9fee6daa018fe33321d63b6a333e5c52

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d8dd2e3c79425a9c4c1532e2d0bc4899

SHA1
b0376c43cb74010b8b419acb1a2190926e3c5097

SHA256
e08452a501611a1c5445f45e88306d0c822b79368e3ffd08764be1e86693a30b

SHA512
1b8f5fdf52f093fdae5871128207cefaa9f90af58e7a6b3a8966b7a2816ef16c727ecca74a70b38df69f4c5bf7dcf86d1766cd183d869f5c121bc23a90598296

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
54da690296f4e13fe5d395cebc6a1a46

SHA1
958752eec897b4333c6fd0f579bb2b860a8da7a7

SHA256
ac1135a0cd16cfd98c4a79bf1a867a2524a472b66fa6e3f73ee05f705f87122c

SHA512
58070764b4b08058a9ddb81d7b4c844f38d78c731f0b047c808909ae510149c41de4411ede89f88e6fea4c818c138494159db51196a6517449eff4346aa15a97

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4a2a845dc2b7a35885660adfae8d73a4

SHA1
e7f4733edcc6e7abda3d662737845a2b9d15d215

SHA256
ad03f1f75298cff2dc45c2aa5913fbdfa2dec36f0d51b9da4a350076c75041a0

SHA512
f497052db2d1f36093e346921ea7caad097bc3bc3c9d4308fe55404a512cea93d4381882028b14ecfa4f835fa176d6b2e1b42a8f870212815b3cffbe9eea4f76

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0bf1dacb18b4aa59d0d88f2d0e14876a

SHA1
3873467f5565afb20caaccd1ad99a4096f1b2d77

SHA256
3ce7a5ff6f68980d8d5e78c032fdf9b2b1fbfda4e5dab45989ea7c4392589904

SHA512
f8a5d2465b8d532f761d8d84407a9dfeaefc6806b2aafbcb5b66db42aaebd41d2d5986baf13aa85eb9ef58cfdb9d3ab97cfdc1771e958d061719435e3f852e30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1f2daec5acaf7b5cfeed6b12b0cf01a4

SHA1
dcd8499cabc232342d22f11371410204ac2a038f

SHA256
eb82959b72fdae0585df03488bff1743310754ad9c90ae1fb6d12b64fdb7f970

SHA512
65eac47cd27e5b6fa3b1dee1d5b6975ac4aa80bf7ee0955f3ab6ec3cff2e7e09761a0996f6df92aa69f5e1007c4d9ec7865577945a05bf77726b0699f3e1d77d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
fc16e3bac78efe410f7d06391117ae0a

SHA1
3d121a633a74246b60699a6453897a980e05daf7

SHA256
3ae7dd8fd9656df65d7cab14b90a8a4ffb101b3fcea72893c37fd11715540af0

SHA512
4c67074d9f154220e03a5909b6edc4229a9940fcd0932ab2812a81e9689932f79e037c21d1985de3051eba160aaa94c4de6d981c24eef6b360e22d2773bc27e1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5b8d898037e7b4e1d56833a18aa6d8ba

SHA1
dfb6b2afc494a636df71b49bff1522f14a687e00

SHA256
2fb35d3e6d223c75d1c59af2bd61b47920113274bd5213310fdc59e1403ee0c4

SHA512
79ff6123172f164d3b1cc5a1d8c2cc7f0a0926d76678b1b1734ed83cbd4681b5daf5caf86075481186b0003ed90a07e0afdbd8c414ff4e63237bec3b1c5441d5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6a5ca417bc690d62b6d2f1ef399f5d88

SHA1
101445a9cddfd4f5f44a9fa4df21f7a790aa41a4

SHA256
9aab60f4eb9d3031e0240e3297d450dec04824a369f2f62c266c689b90ad91b9

SHA512
8d7584c1ace3dd3a2d897fe106049cc547a79cffca58b8208d4fa9f8470d7354dd0d2f1163bca84f83bc09c9b34317e04d609fd0790e6ab3b6db0e1f82aaf5e4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
637ec10deb44e56c36ae72b77ebd365b

SHA1
6ee9b0da373e29cd630892fd23cd251c425d3593

SHA256
4234fba232892ea73c39e0390ffb3bfba324837d2c373d249d18f87bdbb248cd

SHA512
7cab4dfcf3c9165ed33ae03c1dc790920364755bae603f5a7bed679681d31fd156ff79fec41ae4a676de081fabf3c3d0d802696e3dd85f0222900ebb0b56946f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4d908b94d8736ad18253e98c296d5d89

SHA1
ead0e59de302eb4eebea8eaebfa7aaa1740f10e2

SHA256
1050cad0473c503c73e5f4dea16ffd0c4fb103b1ebc172a057d0594e3a5c4c51

SHA512
87068ce7e47b4020699e560f5592ee7dfe2c0f366c66a9fb54e111a3e0431ecc326aacc801d568c9f3c3f1412fc7ba4d2fbecea3736848cfc669ee327274d7a0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
92cd0436d3d368f7e3f3081512a7c074

SHA1
352d041ea1aeae956ab772f10d64ac77c5e8bef3

SHA256
183ad1fa31a5316c4bd63f947809e148a2356a387b9fc7a3f4bf5d9074e1b890

SHA512
3b7f84a357981667feaf7d848171d5f49215b5e9e85b510e37f7901d450a6ef794ccfdf6d5e6bdf0c08da1add1d65a6c42d7228587ba073d52d965ca91afb05d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3ddcf057f0246f18bcb17db76ca41c40

SHA1
5b9eebae5594a08c4c22b7c590246bbcfa8e8ff5

SHA256
0ea1b84418878728de2a4facb9793328616bf692452ba11a58500955ed3aef3a

SHA512
fb613087cd3a01bb65cb192223e0d47669a538785364d8ae5e12659307b20d4023245ef586da70c05f33369c9935e3f457187de2d861fe2882f66766b29e5770

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
569851ca504b6837b08d5f73c4a1b49b

SHA1
1d3178f4f5eb513bf2c67422beaa05406c2cc894

SHA256
e9f22f0ffe3a4027d2c8a6fb958598cf33af8c19e06009a20637de8ad6ee5131

SHA512
ae5c4b0da7e26c0347febd83a907b73caba2dd4c763a5b740b0e97692a73bb70824ff7c6093eae14763b6ee4fc17fbb46b0eb7d777fbf01f5516bb8a850712fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0ec359b450d217ca5f56b50bb982fc48

SHA1
dee45eccdd3f7b9f980c987f44922f9e7f36c0d8

SHA256
3e1ce1d8af60f718c1fa68fe716c74e454920632d4d5a9f809b6605dba567d62

SHA512
3bac7e57b33e2367ce64c97d89de2c074f29f843198b4a9cc561db26e17ffe453bf165d5c295957131fba105c9aaa07aea5c3c47b2bf92567806017fa28f7dfe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d90510141c28d2fa6c1f368e3223f981

SHA1
8b71aabd1ebada36480fb7285780e54c0564ad66

SHA256
d318138d689296926bfa8aafbd444322bcdea6ddfc609fbf40b4778b5d9fe6f2

SHA512
51fa66d1d1a6c6b4ba03e7727ae0c4489a972db661fc9b3d8c7871ad1b4c5d02547edd3c2bcb19c6aea91bab61e00f8c35439bd9159cddfc9c556b5b63b7e026

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
939d07591118f73a8e3655cbeb7521f2

SHA1
68ed2e539a26e2da700e8af6c4b79b7932d510eb

SHA256
c3c0a21791e4c998fa86d4e30c21d71f62ebb6010ebfc01f31b41f678b91c429

SHA512
81aa098fa5b9ee1b11634a62fd36f693278de326d8305d241b46c5686607cc6efa1515ca7754582dd78a644b2723c937d89e0a593ece2d5955c8f3fc92dc28dc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
996051cea8eb74200f6749e2400fe678

SHA1
48e24f41f5c9c2e20c6ca16dc6b6b997ff157759

SHA256
3345db94e9db4c36571193f5d5b77b00991648a7647bba51fe0239ae843c8816

SHA512
7c9c38dd3e7d3497c1be799a4eaba90907294ae0e4ac348767b6440509d8d55272c5b71e7a1cb1377c6089c314c769f624f575cbf12f94c9b349bdb4244ec754

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2fbd26a31f4656bf6a7fd06e74895700

SHA1
ba6936f5e76540db0d42dcd2a526d1c68c521973

SHA256
6f3b1fdcdf2a6568080231b498130fbc855be8253741b665b865568e4841dcb3

SHA512
e73864c4148307fccc9c0cbf7729a3d54710da9ac44d49ea2080b2926a5e49799e93cd52e505aaf0a665df68e34c2d56b184c82ee147e1b9a0fd873af55d6c27

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2e9a111d314b6de18b2b062ec972ae8f

SHA1
a9b8dea141b1e95c0eab220f7666522c12b88f96

SHA256
5f2c4e03d7fd93adf82878333218b0ab47baf22b9318d568d1130d67b731a0d7

SHA512
d8a98f62adb2ae5fc67e9e21a636b61e43e1513facb0fb190375e7c5efe99ff9b93025076d58bc67ed467262b63373276d16328bd084209c443172f070c8f895

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b79be2933e1ab0d871528b315f7942e4

SHA1
54741d7f4088b76941cba0e0d7f3e2035163ad0d

SHA256
b4a7fd2cc93a4efb8b00bde8e6f90e77ebd8e552bef5b7529404a12a87a4c88a

SHA512
ab5b4d945e6d91e89a374cdc4880e57f4c6ae160c487ff589c94b08ca10dc7c764f982575cf190a56640d43bf87fe5f931f2c5e188bd1cce46253bc739b40780

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b67547ded2213d92b2f2bc421591f898

SHA1
3c582b1b555edacab1d74125dbb63802d3077a0b

SHA256
5905b89bedf517097494ea3da2a53bede2778c9502c0713098b3874392d0edde

SHA512
33a6f477341b895bc51e304b6420ca00dfb895db9bca8f73081f657472b5529f7fa9a058d0eb388cacf4ff67cf94377a8e28e690183a82d647a58714ddd2e6f6

Download Submit
memory/776-164-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/808-127-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1284-395-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1284-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1292-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2252-141-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2492-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2492-404-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2576-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2576-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2576-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2824-396-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2824-70-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3224-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3224-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3280-146-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3416-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3644-97-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3644-398-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3644-95-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3644-89-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3796-375-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3796-33-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3796-39-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3796-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4004-76-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4004-8-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/4004-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4004-1-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/4192-100-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4192-105-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4192-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4228-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4228-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4244-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4244-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4244-125-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4244-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4332-401-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4332-163-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4588-397-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4588-77-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4588-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4588-84-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4712-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4712-167-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-172-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4992-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4992-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4992-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4992-392-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5112-170-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5112-403-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download