7874fb92c0c3992b67e0040fde7fad929b702739b9ec1eeb0d62e79109638ab7

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Size

1.8MB
MD5

ece7229c5358c1d400235ede8f10d2e5
SHA1

62e1d056de72758e8761d8ca18270a5023ac344d
SHA256

7874fb92c0c3992b67e0040fde7fad929b702739b9ec1eeb0d62e79109638ab7
SHA512

00322bf33dbfe2d653f7d893f11815047042640f89f1bf635b6fba56ba3e7c0c6d5bc5e7dfe25ca56d5fca199315216f113332083538d05f0ff780262be32870
SSDEEP

49152:LE19+ApwXk1QE1RzsEQPaxHN2N/j2U4FH:s93wXmoKmj2jF

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3028	alg.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
1904	fxssvc.exe
4676	elevation_service.exe
2808	elevation_service.exe
3100	maintenanceservice.exe
2408	msdtc.exe
1740	OSE.EXE
3356	PerceptionSimulationService.exe
5092	perfhost.exe
3932	locator.exe
1140	SensorDataService.exe
1876	snmptrap.exe
4364	spectrum.exe
880	ssh-agent.exe
4040	TieringEngineService.exe
2068	AgentService.exe
3712	vds.exe
4912	vssvc.exe
3828	wbengine.exe
1336	WmiApSrv.exe
3228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b15aa4299ad3704.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ec39288d3cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c6b5d89d3cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004be17289d3cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c645dd8ad3cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004de5618cd3cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cffdac88d3cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Token: SeAuditPrivilege	1904	fxssvc.exe
Token: SeRestorePrivilege	4040	TieringEngineService.exe
Token: SeManageVolumePrivilege	4040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2068	AgentService.exe
Token: SeBackupPrivilege	4912	vssvc.exe
Token: SeRestorePrivilege	4912	vssvc.exe
Token: SeAuditPrivilege	4912	vssvc.exe
Token: SeBackupPrivilege	3828	wbengine.exe
Token: SeRestorePrivilege	3828	wbengine.exe
Token: SeSecurityPrivilege	3828	wbengine.exe
Token: 33	3228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3228	SearchIndexer.exe
Token: SeDebugPrivilege	4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Token: SeDebugPrivilege	4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Token: SeDebugPrivilege	4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Token: SeDebugPrivilege	4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Token: SeDebugPrivilege	4468	2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
Token: SeDebugPrivilege	3724	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4332	3228	SearchIndexer.exe	111
PID 3228 wrote to memory of 4332	3228	SearchIndexer.exe	111
PID 3228 wrote to memory of 1820	3228	SearchIndexer.exe	112
PID 3228 wrote to memory of 1820	3228	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-06_ece7229c5358c1d400235ede8f10d2e5_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1444

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2808

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2408

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:32

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4332
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ea971654e2ca9e689191a2cc3c39f4a2

SHA1
0098ca6676f1b951d0ec9d2fe3aecd90048bedd8

SHA256
47aae01815fd729f358b61bad83350c88d8d61a3cc013f1bd1cc262bd789f879

SHA512
b717b568c52e0a29b3736f7515c4e7596223a3bad74f98e5aae1e17635e524ea599ac0fd9768f86d0ac9f3ad9000b2cef8dce0d3e7fb31d54957c06a0a652370

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c84d4af276bba5aa04828a619918c811

SHA1
fc25ec64e91e00902ecc49735e81fd24e661243d

SHA256
1f06d1ed9513bd883ac84a91ee1ff0f16c0d21dbd63637e4008d74ad64d36bf8

SHA512
11fa65ec9c86999ba073d6d0e6817c6a335294684bc52df1e850a2336d481ee8d128bc16beeddd76dbd72055f860f0c3746dded089304f6f4e4b49b17267a278

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
611a9c992d36ab9c965dac8e24028068

SHA1
292e42bf1254525b0f6762929e0eff32420dc836

SHA256
9bba0ee06c039af7ad94bcf6a9361d68e4b8abb3af0d0f7395557a0a1cc0a608

SHA512
4896cb63533dcb3a7b888090603c3e6f4663d03a48299e9b64593c024d14721b573f064c0ff73c8e4fd91f8d774e818c6bdb41b62d779ba49961a0c8bc61996d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6f3e36e43645256af37ec072a4a6f8df

SHA1
46d4da0dc6b56491b36be43dfa73ee51b5fb73f3

SHA256
f122ef6e7b56a3e75bd173f200b233a1fb5db259bc9094fc93f92419d73e9a06

SHA512
fe77deb05851a630029eae5dac3112cb5a6b3c5e9b8cf15355740dac5bfb7a278065771b4cef5d0f30b8e222da67bc39e99667babc3b8289d90cabfc14beec19

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a6728d5aeba7f19aeb421a27b0c77d8e

SHA1
9b1a5f3139fdf8bb3400d328be3d071e569aabe7

SHA256
a3d5997229815f52b46c5334c48da9f5f084c8c17a0f4440826dab7d0ffb77c0

SHA512
165fff6c0e07979166f63898df6f2cc800e613ae28a6598e3c198f3507b984da380cb6d0f599271341aef4c260430f4a8758f19d3575d25d27be92e1d964f11a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a4319b0b8a81d7040e97baf386b9e92e

SHA1
b759cf1d02b5f98d4711cdfac5d3ed9cd1fe3b15

SHA256
245a9d875391f2e66a6d17bec1295878199e7f2ade2a0d4dcdaf2f0ab5c990c0

SHA512
3fa81104c9e9209dc6eb1046f377d801d0a64864044b73cf57817f622334ca69cbe38883d8fdc9154012f88122d46aa77393ca4054b0c86b8dbd4fd1faa8722b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a1f2abe34fb988b55f7399e9cb7ee2d1

SHA1
63330ec1f5e474c69739847373e704e8ead489aa

SHA256
9090847524fbd67172cb3262be9e96a60b699d8198b7689f0fb85b04ca372fb4

SHA512
6e314a4797a06512a563bd5b3e56f18ad27e6b035da754b45000088a51cb2f45898d7c7dc2db8c97cbe062cf59fd0287cb6f7e21c8753e14469874a3926633dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e84c50b725dc13048e0bd04525884973

SHA1
e3ff2a9e897be8a60a85e0898c56842417e4b4bf

SHA256
0aeb45e46a63925e703848c316040f472e260b1d08df4656396745768916cecb

SHA512
a31de806fe057432436081906d4493fcc826daf4209129d74a69870b74408f299851da88d290d7948ff921ae1176ba5aed3eff65f29d3ef8e6520d6ce44c8376

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
10e997fbe7976bdc5928d9b7a943ea86

SHA1
8ceb9deb2bfba03429a05adbe095e20726e6a765

SHA256
1c9c6be554d371db5c19f775e6bf8223d03bc109fc56903edfe33ea69d495e32

SHA512
86b768d5305333151dac0ec00f2198dcffec7242d78bba5ceee9d57f303d147e34232cd3df68605b0c05c9cad8d9f998b6891531d30de65cfd253d37766fa86d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ceebe9e9c6c5c886fe43a0aa004bd8a2

SHA1
8616bf72708155de660e7b3edc1db659952af2e4

SHA256
68e960ae260e4cc841f2e443356669f3164deabd2bc859039f75124714fbf1d6

SHA512
b12dee3973293f5de863d5b22d1a96a7d7105e8a783d30d25d15b292ab56f64dd7bfb27419f95ff14b650e6db56d39b50206e316811be9ff350ae98e40c27cb0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
652bcd194ea69d45f55868a841fa8083

SHA1
2336351218410aecc646f1b25532dab16792a043

SHA256
b5e280e616a348c7aba54390a9a80ccbd2dbe9caef23721eb64f04d7aa9ce6fa

SHA512
19f2ebc45d662c52a2d493f55395c38337001b8c334cdaa228a53c3adbdc64710221f3324057117b491fa654e263eb5374a00a0ccfaf1f499c86faa680011aaf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6ebe520800f69035a2991951432b12f0

SHA1
5caa68477b3cb6451116977269383fc603e7af3e

SHA256
8848d324e718977a3a9ca6c2cfc84fe483f37e34b3631a8b826e3eee77bbfd56

SHA512
16f74233e7aee06703e9b68ff537e17b2799708c5a80ac4b4ae3b677b0ebe8f7ec201f414f1f89c51451b31b17c4d8d918543ae34773db9840ca4c1f2c3ab80c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
8042fb5b057df24072f300f8e6f3724f

SHA1
3382ad013b9386e98a7ecce5c34d84f660132010

SHA256
e1e8983e863f67c2546922fe2629d6ebc65220b6a1d65186268b2e1d9ce0a9bd

SHA512
e28bce9079e4f29dc3c7f60c23eba6ec862cba2ce0904b7f7fab3ec848f10263e5a96cc3c5f39e9a63df60e2bf72848b91369ebce0a44d6ed9589435d212e6d1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
715f629f3bb68cbbc9ca9409611f9e6c

SHA1
1f8ad4007dfb0360380ab044cae53cd3e9b0c239

SHA256
00e593ea663e9416cd27f21674187eae941ecaebe17112623de99b9c07a8c168

SHA512
c858c7881873a48b1975e4e374d59f80ba568c59b800f08604a0b9164a5c96d16462d978fe4c7c4575a2c0b6ea4e17402201bb4a3bf183ae14fa1e835b2b6aa1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a488426fd664d0b986a66aa42c39fea7

SHA1
47807e5543683e3062802ae50dc0ffed2b0aeb67

SHA256
5dcb45e4b46916c2fbf3c2ed6f1892c9c8a88d76eb88fb3c520259b22fce2b42

SHA512
b28a7c714e05298a4675e174ddbe46c664844548f9b7ffcf974a8529a4ed42ace4685e15ed71f0bda7dca12d8fd977b49da6632042c61fec9c75da2315f69c98

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
53f63c4461a77ca9434e9587d45c4e81

SHA1
aab52d21618d0f653b229f68ab7e01ae066bddb5

SHA256
1b0d250edb5857484a77341c35f412b5d87a2010ebee6e030cc17695154b9b24

SHA512
a7afe057300e9053bea8a79e4c1febdd5c59246f6c7292857180e71842a119c5fdbb17898a81c67e534c3883545c83d2e491b65e701d077b9d4bb0ccca49e68f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c769c7ad546287c51316fc4788470228

SHA1
08d31e294dcff68c6265b0c669f6f3ec3bce5ad3

SHA256
ea4bd06695d23ada1e36b341d8905a70293c7073544696a64fe1e365daf1df50

SHA512
31253885c466cba7c3e32ea643ca24b1fde1e32f07aedb9f7bc378e286038fc909b3b93b0946e30777254f225f6e47ec3199f8585390d2687bb521739211c88a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fafee1059347af429173f9d97ec4f5f8

SHA1
8f1efcaa01d4b98186e6d01c80f4913e2cff7361

SHA256
a98817791435fee80a4f4ce68b65c05b781a46b24f44e77e68e17460802251be

SHA512
49d73416e78c2b2aeee680e4aa3513a36a646f7b432dd35b91936a5009ae0f90aeb0270c0dffd4ece3311156cffb01b344356de196f7802a41f2d7ad4afbc12f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
38ed13548408ee73c69b8f1c3dd8340f

SHA1
8528849cd8846aecee109422ef2ac36d2ea8a753

SHA256
9570e4e9d34a2012d0cba0e1f122c7ec767d7a8cfea4032afe3ae1dc6ead6ea8

SHA512
1ad421de29eafef2975574135e60bdb7ba5babe35398d37cd2be502d69c7884fe167391fe52949aa467b6155d758864631b2fa03bee7b1aff2dc7fdaea1dfbd6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
45af91814025f74aee2b5a57d6097c65

SHA1
229f5e7bb43c42641e087adaf1d4bea0b69171f9

SHA256
3ce83135941fdd884948ab737d66aa1a38823bc31f231c895465bfff2af947b9

SHA512
e38713bba97fdd3d32fff0a147fcb7d69c4be4687eded557c38f9627975b0bba72d5af88039ee911bb8d6440cc6c55b6067ec4f4c89fd565a8de496d0b767069

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1d6ae3a99efab4bedb1d9bf65222e119

SHA1
985ac173ff57419408cd19e2c3aaaeff16c76d93

SHA256
2dc353d3aa3e47599323c3f7b28d5c7304bd4e960551a5ff335da09b3edaa6c1

SHA512
7c0c32f84ef5790a810a330d718ad234edff22d32024b0384df84013ec7def32f5405eb611ea23b83050788786da783da90dfc7165a37d775b914c0e8759530b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
58ef5b525d1dc62f89423eb4bb484e90

SHA1
df1103f50fbfbd885cb118017e47d73946bfe8cc

SHA256
e198a701727767ed5c3e8d943fd63ff55693f053ce00333e5fee93057fe08467

SHA512
0de8bf777ff33438c8f9f04cee331055cb146449df5baa8b9a9ff4cd9c8cdd01bfbc09e032f203af1cade1236687ee7973047f86dac5360d1f5fa269e36b0915

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d7f1651b791d864d85572baa8b856420

SHA1
c106c5bddb853a924a6812a36abd40df02fb08df

SHA256
28cf29144f52a246dd38d3527fa72cc4a0b58804ab88f7341070689424bc96d7

SHA512
407b5d6f94e75cfcc56d9cf00d7f32dda552a5fb917878aa6fb7c55f6a949f3ef56a6bc4a666c29f7141258aebd74771d86ff5a008ab414f72ef4bf54981a3b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
f633ad2fdc5eff4717fad4af2975c20d

SHA1
60b20b9f5b5e9ae61a18a41962715b4a6c2d58b2

SHA256
8d37bd1b4650ccb792ec758ec821447bda2c8cec63f9621c95d00c78e6df0dee

SHA512
af7407341b229b42a29af85b9d67d3a1e5a3b461ae7f6829903629e329e894faf698723cc01ddb2fac3b6c8c3e058bec761d5c0187a2c0d55d6b35ca8d02e2e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9ad0b3afa6f38c4ac675267a345b3934

SHA1
c9924c36db60b3fa6000fdef781417790ce07b4a

SHA256
efeb50386fcff51b3993cbcc13729b13f110ec55b36b01ec66c1e21edb32cbed

SHA512
ce1166b4133be0795d0afe6cac6ef6cc3685270e496095491845097f5b010241166aa1e266a27974933a2cceadacb7b2a93fe9f2782e93609f1ea4b5b3f3f9d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7b50e4ce04ec6b8ea6c3ae4998195854

SHA1
3ba1e5fbf1e340566e56c970ad75582a8bb5fee2

SHA256
80a215db0ffe77526aac8ec2fdce7eef96e469f3a850e81a9c4b01737fe3723e

SHA512
3f8aba09055782c365d91060cf22bb108af32b98700491f8af1fbbdeb46e77b0e5c1310b2a38ffee58e4c2e77ad0acfc877a3744c6913ded40145c8a25c77a64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d159b7449762077eceac856de6dace8b

SHA1
096561e197909679a3533bfdfcaf4378b068eaf5

SHA256
4efa9306dcaf0561abc44194b028cd3464ca95460e87d53f154ef6bca231960c

SHA512
1bc064e1bd66ff8316d86e96588f6ca45aa74a3f69b1818ce3ee4e4c6853232b14cd7d8887a0536a34748272934f8913daaeac2e5101aec4b278ce7e801c9a5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d5375613f156bba35bc963b57a2eeb94

SHA1
834efefca2fe0cf59964da3a987adf8cdfdda37a

SHA256
2ede550d711f1cf6e86a5c90d86813795c9b5e471083f1345f63e00f1e2061bf

SHA512
7415ac6bdfc421b05e35783705fee07e9c04528384618b7ef2cfe4871b01ff4e0698d5ee9666b9f0e6fed36a448c6654f7a806b70f37359d7f9a031860120109

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
678d61d7b85a59e178352e7615739189

SHA1
b2d963bbc45eba0ecae0c7746c88bdcb2b873951

SHA256
ba03f54086add89576ea8d96430e95b5c4f27a26abac115f4ce3fed90816627c

SHA512
4be0094d4dc7de5d238a30824bb6c099e037f8f35c4cc03357a489b4ae32f92c6067cadd32c1377a12bf80c86fb5dc6a3ba1099f3729447e45453947150fc830

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e2e1dda2944e28daa04f58e093489fbe

SHA1
34698917a1f700287db58dd161b7a5e26581fe25

SHA256
9d2594c838d48f16f45faa791cec0eac91ee8b8511bf0631d9e14bbaae5a8490

SHA512
29505115f484414c491e37be68585a78c3284be8fcfe5119c7bf2f2210550af7cd420586b1be2f68fee2b03c3b7a25338701096851dd4544f07d845ec7ebd232

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
05a6ac827a2365659684b978d8a963c3

SHA1
60c26eb617cb8eb753dba364b887eb3e07f9652a

SHA256
b4c9569491894619f991fb475c7806c23ee4cbb983b7d07d1e8b412997a1cd22

SHA512
0f59a6f44f065f5538e49485b072801a7a683630981e589641d24ef3491b03687f82c2bd43abd834ab632730e771b7bb8c6e6b56766db89b00d820d041908375

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
28e7581d2ee2ffbbba120edd1c86af49

SHA1
684bda344ace9344850c7d4b36069a1229994677

SHA256
9c74349950a35150d3e7d85626659ae8b15d8b31e69c7415c3fc29c50823bdfb

SHA512
59e23f60af0760f35804ed4982d352983097ab96d0f4405fe3ea977ea7b5fe85e855befe43fe17a1270f7901a6ed4d962bf894ea5f9323339db9791c71fa9af8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
685fc7eb3a9adb60f0af5d82f251f9c2

SHA1
6fd294ce1c1ab140290195dd253ccd8c815e7364

SHA256
4e709c7c3fe2e09e2838cf54ada93501ba5c77dba5d2a2fdea303bfa033b20ef

SHA512
35a7f7e0451b018dba747c8295014c9efe68d7f6504794571b02302e8b51437715fbb21e484ed21679a09e5825d7c9ff48153d1e4b46618cf0f2744bafcb0fab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9c5410d5799027c79a8a1eb6ba693c77

SHA1
6bf49af801f16d7d69b016fc6d0365e5a2a751e6

SHA256
a3ff39f0ccedfb8ded6717a9f4e5398db2bb84be9de94c0959765de894368e9a

SHA512
fd158cf2b5fb1c797d80c327a428089b545e722941867e177e08a0cf6f64ce288da2a6f35a3d840f7e0fa3193992acc890d1b8048b8d18f9685f4697ba5ea1bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7919cbd1378171711a9a055018216ed9

SHA1
ea2ad3481a268dcb2d6f6f4d8be29b7d48a52b03

SHA256
2be765bf3b4ee8370d0af45741aeaa21c1600823380322413f7d7eb9ed927668

SHA512
7f770ab6d91ed3bc3811bb2dc1fb9f5c5f884c32928b72900426db30783fb7967ac50e1caa84f11c804e790af0562aec92e31e9d820c7b1254667aeff9e0350b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
002b6c277dc583c6645626f6efecb673

SHA1
1acfce62ebdb2c647d6b5b27f6fefa72f9e66872

SHA256
9d84e96620791d309c10f5711cf69b2ebd6b53cb276159bb5fdf2ca21ac3ea71

SHA512
78e8c7a9343e1787403d3928d79599b7d2e48818308c71428835b73d1048bb9fb5c858f913298c97bb2ed4e479abc1440ff488a46db905a589efc8f447d3dd43

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b1781e033c0830f7d7559a6d3e5589f5

SHA1
fd9d16518c9411f63472974e14f4c8bee1fc25bc

SHA256
37e1124d4882a572d4d6a086a3bd08a1a1a3e5924dc607fd1e3c3836aab3c36f

SHA512
7ef3dc4c56b0d53e12ed59bec55ea56823131c4b273602ea43fc52405cb3f71854a480d712cbfdcc93b46605dfc49aa5c16c5f813628616d00708f3514270ae9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9b276c36d48dbdfb3880b8dffdfca20d

SHA1
8a35dcbc29a47aa38ca98b45298b55ca47ddf832

SHA256
fc21bf8c9764c9be512347e158b21d8a00fe9da788c652a9572e332be3cf78b2

SHA512
30b74e57f535b8d84edbfcf6ebe1fdcb1bc300928a03b8cdab14c8aab49a8e07ec55e6d0625c704bb46596333344cf65a1d596887ce2e1722e0121a20aefb389

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
12431697b53ad91e56827f97b4530eb0

SHA1
5ffd4760099ea7bed127610fe4feef62f58e890b

SHA256
ca2777a8055a27b91f7d15cac2242b34525ee1e88a1715a8863fa9104cc07534

SHA512
18a36c7576cdaeb056c3bac0cecf9318da92d189ecd32634e959dc2371f53a0657000bc406f397cd81468e165d3d3ce7358754ac8469ff738c28fa95066f2714

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
716252cfcdd05f56115e320b389d4e3f

SHA1
da002454473585f34c78c9d12fd5180c32feff33

SHA256
9902825f0e9f5a977cc1f5ccee46a85d7c0c9302dcfaa81e46baa5c95862be40

SHA512
21ae0b5e5fb49bb2fe0f331fd7b523f4d7b5bfce720f2f1df1596ed6c314635017c097b37688b908d77e74bc06fa23f58184379ae8e866e7d8ec80285fac9ac4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2422703907398dcfbc783940e7f468d0

SHA1
03a4296a755e1d2de0a31dce0c0c7a8345f9de01

SHA256
e972ea36cdef6ffd4a32b488a1628d6dc847c754575b4aeada33a930550dfd0e

SHA512
5b5074e77f0e87437fbd659811d144c7a433f5ebf6c4cfe4f4848741838b0aa17696dfbf403ace303fcc2acfcb85a371813aa6daaca185735e7ceb6696303c77

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
531d91875fc516849b7f6f56fe6b6c19

SHA1
427a7aee86bd189ce753a2cba189384b9f4ead0b

SHA256
3ad789049077ee40b96e7ffff428a820787d1a68cc6fb5d0c3507f28cf26df01

SHA512
eb83054d39aa08661dbed8927b1dc970197f6f510c86309d15cb17b57b0ba22c0551d0fb458a727e63e2580021f6b9ab8779cf2bfb3a1ab9a4e1e15aae901dd4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
45225a40540235354aa79e5150603499

SHA1
f70a020d964d06f9181de2795a5f976441ee7cd8

SHA256
271fb543270ee9a468a08864e61270fd9fe3c5e73fd56804a3556d3e844522c7

SHA512
4a1ad68abd6e3a5675fe517341933b0febaaca9d40979dfc24dc4b2d32f2d85017ec932d56c74cc41d38bb4b7af366c9fcd5f585c045dbb76455f104f0a39f16

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b927eb89ea2007955a0250b677f98207

SHA1
f7ee5c5f15da5f6011abbf83af9e8387173e71b4

SHA256
4edb2994a0a9b243408e0bd16627c1d5ef1d840c154516f882a6c17cdd367c74

SHA512
8c6367a183c21c6f2253d8ce438a1e2f1185e9ec75e40feccb52b4c49ca88d79c9bbbdc4371ab2edbefbfaab3560af5fd988efce03fc89fabc7d431c219009fe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ededb6a4e0ba9f37256a6b27b2aabf35

SHA1
4b70aa758a623fdf5a1fde7531005bf90e480106

SHA256
e547a9d886696e15db4ad22773a1f75b2cf8a6c8af8be9526954021254fc8602

SHA512
e683f83241b68a72ce897aabb053c1288b40f3b314d740dc431c060f8d09baf12af645772622e30c3c9e590146e382ff0696043f966ce0e7c3c35b3e6f1aa94b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c5b0b52473c25734601fd5e0add8e22d

SHA1
7605aca0e9dfb23979fa977612b9f7e7412c6724

SHA256
aeb090621631cc6ccd634127c6d2402b71114b2e0d31f21852e5c5a5f705e63b

SHA512
d34306e6529f2ea59eb708d0fcb374cc7f73e4dec18a2e51c50ca98b5663012957014b15e760162ef8047f5179189383f3afaee2b2d43b3af2e28e1419682c18

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
63e92a036dff1d0c978db48d606fbfa8

SHA1
cd537c05af1b75c710c3bd09d645c0e359bad367

SHA256
8483cda7a0128188d79cd4366432f2570a7b2dd58ffad315071422b8ebcb53d7

SHA512
30565d6561f101b4d492bba67bcc91ec411e837fa31d4216ac6dc1fac07f8eeeb1b1c067988cf51d356f21d571cdb2f5b7e2524579da17f44ab6360993893f92

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
20628f68886932fae2007518a8752939

SHA1
d793bd55516d81cb91cb2f84055f064d56b83b51

SHA256
8e735b1527926dad3830ccbc9cff7f570cc21e8f39f217363aa1ebc0e3defd24

SHA512
2c53b8daabb57fd0e10433208dc8d2b8365df51a80ed4db3c580688206605dbd3bec6688ccde60098d009da7fa0a5ced9ccd0a29b27dafd6f35b48b9dd048104

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bf15961fee07a50d6f3a49959d927d65

SHA1
02944866b2ed37be700f15e124a1a0550b5a6826

SHA256
49ae43fe80006603f1b0101676c0d8c5f2d65daf497a81c948532ab8e96ccb8c

SHA512
17c1bdcf43a5527894dbe0312fa521729b88cd3f0a73b85a97022410a26fd01380ec36c6c67cde058b1429f00e340409edf31d462bb4b7372efa0918752ede31

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
02ef62fe9deb8562fd8c7f58589c5a5f

SHA1
9855319396ae06f1a137398c95904c8c9885fc42

SHA256
3f7ee50533deae95b70863b27ad635b2fb468819056d43d38471cf346a76e05f

SHA512
2b1c00415f44130b5274b106cef86b656e8dab21128346e280f4bbd134e4dbc509d68cae95dc208106ee7c56cc5a6be33876ee7b3a49b598004e1402a3a6d8de

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
c888d5169aeb42533b3ea4769c3c0cd8

SHA1
18da623cadff55018846017f479c23fc18879b22

SHA256
8d20f7290efb12ba5aca097e62dab9d4b7033a034091221040b4b31c6fedf032

SHA512
68a2ec68691688277c44e5594327880992241c696bbd822ce1fc563cb429929427a546f7f857d0b27143a0b468ef6576689b5b059c5b0f4c49801926c2391796

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
b1226429872268c41df17d598f212701

SHA1
6f1b2384e0ed7494b63032646097ee0d2857b8b9

SHA256
404a36bd42479c05fc75ecc347588b3b35ca2b32ab00a803791d3944de059242

SHA512
6536d5f946c8b77adcece5a38e65fe0eca488c2ba8276069e7fb858e2e947321ccaab579aa05f65f3ebda51d88820c04e13a915d8eb5c289534c6de9bd4c9f11

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4b92e2c0ca2246576965522792fb4cab

SHA1
2c0af733d788800ca0e3229d61e2d66a417a611b

SHA256
d2a23f94b9bd2830671585435f58ae21dee9847ff7936794c639499b7979a6b4

SHA512
e60ac52ded36b6d57a895b8bf0b93d09d60b95c04a74296f0aa8e6dee9b16cfa7b853012765436454c4b8a9f423758c18e12810eab8c4834f16214d1a78606ba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
10ea8eea0727c82c2c68156449d798b5

SHA1
f273ba002ecf2875cb4cd7dc6a09f15904b13c38

SHA256
b0ed5a01708b316b450b67abfc4c77eee0962b1e9f31766805a1a2b0adfab3b4

SHA512
03f42e3f1746a27c6bc7dd1f2883947d6c0ca9c11c42ce747e99ee6ceeceaca502b6e1c08a79b547ed040e2a1404b6ef07bcbdd857360d6f8f8db0e3f8c45e8d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0f72a072662c8d7fd8e9e1be395d023f

SHA1
5934f1cda0cb8c549f3067f6bfa22621073663dc

SHA256
a4d4c24f363e5d89c6e1b371463a395dc1f57ed446d4ad51829ac30ce3ec7545

SHA512
7d850b9ad48fcc5fe674a60e09612ba81c67ec6af9c93d41d92d357c94dbb92346e9f044a8b5e428d7317c5062049d49b0fc5abcffbf7e08e6f1d19eeffc7363

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c516aa2d74a0380ff581ef8384ee0f2f

SHA1
c424b42423576f2a4e9f00f35df0500903366705

SHA256
ab43206b06f99060f949b0fbd46c27bca0399eea5a24dbe42f7d4cb1a1dce340

SHA512
9f80635544bf428c1e9036444506e337f80be9d50368cb2abd97c8755591cbc1b2689ed5284b67b5f37db9031d3559fc9783269641e67237601aa4ad82db6d45

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
270c961f64247693dae113285e5f93e2

SHA1
41fa16827a25f96ae3848cf730c2b9ddb186a276

SHA256
aea976fb7c4ba02006446c37490e053659c17fb9889de3f1cfe1415897848cff

SHA512
dc48eae8b64d1540ab677bbf26744a49c79a6ab2b974951c259022a22cf0e8f141f2e0319270ee17cc89329b8911e2394cdd88972d8c7dc2b9b04ef197d929cb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
23d48cddf06ceb684e2102cd0fb22ac1

SHA1
7a5c49c16126f4945b9faced5ba8aa7c0b3b6a42

SHA256
0bd6233f0a8d5dbbad240dee46c1d9f1f7265b376322185a525112128425c6d9

SHA512
439bd08a22868caf24ea56105b9852da77cf8502f8e549b4c2bfc4cb82bea381d6c6afcb527f297ba9f703027151e5e635b628d875e6b717034310668201741a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1d8a50bee8cf18eb9bf5920ae954abcd

SHA1
f224ea4bb82a69548d6a41a2d028b579ae52169c

SHA256
2fc0162ace20ee61be4bb2d78b7a9488ba801bef07ea36e5b1d2a5a41baff20b

SHA512
d0d8ff7f9603d54fe2d5bd246711734c2afda652209357896fc176736917884c7af0ca0672cb4ee9f3eab09df3871e9ca08fa320bc750517a7ae7b50f0ef6417

Download Submit
memory/880-161-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1140-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1140-368-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1336-200-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1336-429-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1740-73-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1740-79-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1740-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1876-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1904-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1904-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2068-136-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2408-153-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2808-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2808-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2808-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2808-425-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3028-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3028-367-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3100-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3100-61-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3100-55-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3100-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3100-66-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3228-430-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3228-201-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3356-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3356-83-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3356-89-0x0000000000B40000-0x0000000000BA0000-memory.dmp

Filesize
384KB

Download
memory/3712-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3724-25-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3724-17-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3724-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3724-421-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3828-199-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3932-157-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4040-162-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4364-160-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4468-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4468-7-0x0000000000CC0000-0x0000000000D27000-memory.dmp

Filesize
412KB

Download
memory/4468-309-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4468-6-0x0000000000CC0000-0x0000000000D27000-memory.dmp

Filesize
412KB

Download
memory/4468-1-0x0000000000CC0000-0x0000000000D27000-memory.dmp

Filesize
412KB

Download
memory/4676-40-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4676-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4676-35-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4676-424-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4912-198-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4912-428-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5092-156-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5092-101-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/5092-96-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download