06daf177c30b62c34f58e0c003f9891ed803d0e3b3a862bbd6ddd155720a91c5

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Size

712KB
MD5

55b242a8af0055b1bf0f6352c15ba9cf
SHA1

45ee7a8cf5637cefe449a62c3806fd6c887926e1
SHA256

06daf177c30b62c34f58e0c003f9891ed803d0e3b3a862bbd6ddd155720a91c5
SHA512

7afdb67874267d097551913760c972aaf9e1dceddad465d9a6b17e053e947be659c8dbe3b54678924a98b0b769bf8b2f49af4092d8892837fe1e310cbb4acd44
SSDEEP

12288:etOw6BaDravfgGchah+H/cXy5YFSRNEaNZ2ONbQo2bzTWSaVVQtGLfHtVclBq+0B:w6BeaHsK+fM2jEaNZBqoeW7V6tGLfHt9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4272	alg.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
4960	fxssvc.exe
4176	elevation_service.exe
2340	elevation_service.exe
3444	maintenanceservice.exe
1732	msdtc.exe
620	OSE.EXE
4100	PerceptionSimulationService.exe
3984	perfhost.exe
4172	locator.exe
1516	SensorDataService.exe
3788	snmptrap.exe
4140	spectrum.exe
2012	ssh-agent.exe
1320	TieringEngineService.exe
876	AgentService.exe
2644	vds.exe
4368	vssvc.exe
2576	wbengine.exe
2872	WmiApSrv.exe
3624	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4ed3eedeaa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98703\javaws.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d38d20735399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001eba24715399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b4c578735399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089f3e4725399da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dca3f5725399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef4d55705399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2753d705399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000545f87705399da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
2640	DiagnosticsHub.StandardCollector.Service.exe
2640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeAuditPrivilege	4960	fxssvc.exe
Token: SeRestorePrivilege	1320	TieringEngineService.exe
Token: SeManageVolumePrivilege	1320	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	876	AgentService.exe
Token: SeBackupPrivilege	4368	vssvc.exe
Token: SeRestorePrivilege	4368	vssvc.exe
Token: SeAuditPrivilege	4368	vssvc.exe
Token: SeBackupPrivilege	2576	wbengine.exe
Token: SeRestorePrivilege	2576	wbengine.exe
Token: SeSecurityPrivilege	2576	wbengine.exe
Token: 33	3624	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3624	SearchIndexer.exe
Token: SeDebugPrivilege	2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege	2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege	2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege	2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege	2936	2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
Token: SeDebugPrivilege	2640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3624 wrote to memory of 4816	3624	SearchIndexer.exe	SearchProtocolHost.exe
PID 3624 wrote to memory of 4816	3624	SearchIndexer.exe	SearchProtocolHost.exe
PID 3624 wrote to memory of 4424	3624	SearchIndexer.exe	SearchFilterHost.exe
PID 3624 wrote to memory of 4424	3624	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_55b242a8af0055b1bf0f6352c15ba9cf_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1548

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2340

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1732

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4140

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3528

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4816

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
2⤵
- Modifies data under HKEY_USERS
PID:4424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
a26930cf826e59b18d168eb0c9f8f9ba

SHA1
bfcbda4ed506ca110b47a8c25a05b1985ba71220

SHA256
4a61e0622d95e99ad552cf09178ff15c9c77f9e62718df9ae4af8b25ee91e5be

SHA512
7245b0fcf266b589a89dfdfb02ae78cd143cd760d49008654b6246a9b347f29698856551f94a64b4782fe63ef6c5d8df62efcd78a77e101458f8150f079e3f1b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
3051fc83300e9f674f8c6ce45e84fa28

SHA1
f39277c63713dfd455ed7a38c18fee3e632fbaf5

SHA256
aa23898060b9f6befc0234475dcf6c54eeb9a5e969e5ab21e69a9a0b9210bbb0

SHA512
bddcfb167caee94e481021e595d9069e8daa559678bd8281095b9749f9058be1a1493616a72e25ca2b032b0570129ce6a955e60a7efcba2ffd5abcaabe3941c8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
34e87d9fd9a62813195cd7f73b2f9157

SHA1
289308fd305661dd6fed524e7284868588735d57

SHA256
b60e0e16211c15c42a197631cd4ac52b9cd703d05ddb9ce9ec84479493433882

SHA512
ccd2ecb0b4b41ceb695907d6465bd9a913725c3d01d9f27cd4c18c44c61b5ac774af5a217ccd7a582e1abcbbd8bc05b6506954d8e07768a22559b43e1ee1b575

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
5d849b86afadf012564dfc7a88c424a4

SHA1
1dbf739036e83979f402ed6cce6222483ec7afd0

SHA256
81af477c4b09dc8883510e156d48e5fcf82713a8ce9a89d2448005a7bf73b3d1

SHA512
61a51437fc5065eebaced91e46092d8797442c677cde6bc9e918db379a2a7dbb604f3bb614bd8cb6feae663926fd5917969514345f7627bdcbcf40d328ac1683

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
dffb800c39548426455133a3b48da04f

SHA1
a34f9cadce8695f35322595351687d779e2a7063

SHA256
c8eaa444adcb0708f43476f0981eb95dac8a3ffcefe5d0ec9f0a9b2f25bcb031

SHA512
8c51886b662ab512bb12a596f9151dd09d6514fbfd8dc2c57046b89bc0f07ba2c1d8502e758237de2c2ea7db319249373d62ba6157fb52f19132c3fb46bfe585

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
d0d08be517b10adb4abf9825462b70e5

SHA1
2f18474076c918912796d442f8579f4d44ea2b99

SHA256
fcb16af33dbe1b51b92c05c93e98e87e52f5d4b596ca190aa66df30c33ce8258

SHA512
879083705bda02f806cd46e8a4ea1d684b67bc3f61a0a0a2fb6849abbfcad497b0e6183945b35f2cca70ad9aeaaa47baa9c52858257ea471a973e5cb6f29a6c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
453084d91579db5b09ed3b51c436d368

SHA1
927c78ac18b1fcc394e7a720bba287f2bde2914e

SHA256
13c15743015fe27fedfc4ad408c7190e614110c1fd40894c75cc1000ec0be34e

SHA512
ac4172373c3933aad0b7de07d62aebf7a36bcb4a7ad449d0203ed0bc3a878aaf7e10fff55ad916499cb4e5ec99a12c90c5258cfce9189ef03a86b4e4d23f8df7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
b7edb2b842774b3123cab7f039d9bdfb

SHA1
0b0d17cc6bb3c51b903b1056e44be2e64ba0a147

SHA256
9dada7bf5c2e411587a635d9f879fab482c72241d3652b7c889388ed208312b7

SHA512
7fb919c4f220f674ddadad94a72a1207593681159bb0f173c8bbf2f59edd5ee13fc18315899c24028274e3ef85d2c4d8d774ec2e1982d3bf0ce5f74951ba8f9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
ecc9b132a7b0a4c512d713ab3602f7d8

SHA1
6ef7bbfb4bc7b0877fa336a7388a51c375c85fa8

SHA256
3015ff2df0eff87e6b3012fc4b19c121a052bd2aac6cf967b4dcd8fe4c7372c5

SHA512
5fae66da0943f53ce5e606725d00dcdf877cb604770da9fa2939b19975bdb448f524f9c50c4a5be8fba07e25875f74801b488697728482377dec43a73e45e490

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5c4e5e3a8830d83f2dcc2fab724ae53d

SHA1
ab87e43ce466f5c543b98ec1d6cb9eccf2357298

SHA256
bf47f41ce916bacc7a86894b19c0cd3fec968d353425ae4d691a337fcebeb6a3

SHA512
3c46d480fff0cb69665cbb6e6b42a4bbbfa220a770b470e3ddad8abf6b0f83d075b86760f12d17ecbd5aa66d3890d70e0746136e6256666fc2b290644ae9b03c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
fdc713a8023ed21ba2ad518d9d340fd1

SHA1
505d4842caafae4e733c7087171edf290b6273c5

SHA256
1b237291913608b4cd840a380b92ea19abc7dba588fcd8e3cc2da6a525cfb99f

SHA512
51e51ab64665c6f9c5ac967ec465fea519be83b40d3e75d103028862d4f93476858711374a424e1098104af15e84d9d6ee3ba35773bff23fd40ef276e188715c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
eef1709f5e8a9bbb23b99728b22b2306

SHA1
25db192db32e4fa0cc6a00d216a185e708455089

SHA256
8bbf52d3f8c6e3f06c4e49478c6e47efb2a61f03fa31272e911d1b2beea4c296

SHA512
28ea2e7a00be8e2d8565c410ba2ce9b66c84f8c964846837f14f2ee1584377463a75371724e5edc35de0265297265fac1bb5340e024f823da1366e9af24ea711

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
aa1f1d00cdbd228d093a47c29a28fb6c

SHA1
7800d2c3e03ba7d9bd5d3964efe46e2301043429

SHA256
02c6095d767e6c4b834b359cabfa7d5b0f67e8500bd4f068337736ccabfbe300

SHA512
91060295b0f8da426266d3efce5d9a178f49b48b0ed93a6f6a20ee13d373980a2ac02cea35c4e7d5b3ea9c52258a801e68c1350b39697f1f1c577b4f6f6588d5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
8c89f5074adae285bc3699a0e02d290f

SHA1
500f0982c8f2269cd28a7a4e585f0a97e6b5e182

SHA256
077cf375abbc2775d1260ff09dece0173ef290b33e1fe931e820ef3f5cc86d1c

SHA512
4a9edee62cca47893512ca94a280cad018d433563993573c85770e32320e00c4a872ad74d5db685f50fe76a6ca247b20378d0e3310d5a0ce299cd5218e4363d9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
6dc407da0cf9888b6dc5fd371844c3d8

SHA1
f70bc8dfae2a538abc412e1047fffa492764ecef

SHA256
075ea40ff8cb70b431e7f976cbbbde75de68224a59ecc26f03dfa07d1aaa1691

SHA512
01e3019688ba1fbcc0e08d6b28261bc1e3fac50b97df17dfdeb844002f8f85c4cd0103c6dfc64b4f9416842a16d7bb0b373fdaba0a337e25c422dc5cdba0335c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
f24c28f4f12d0763b45547114e43b754

SHA1
e674869a51ea718a3cce90df00fb9fed41e8008e

SHA256
0e2f690362536b722da3544f3ccde50984ca4b187a07f62b16b022936a246733

SHA512
bf627dff027bf6769a4f58c66c946eec043cc17ca129d2128c51c9966c9d368b6fdfbcc5bae4c8b5fa1315c4f60ad1a127e094eba43229b859d41236209c02a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
2b0fe9f8dafc736f7ca93642a4d012cc

SHA1
61a71b7e526e3bb4835c097fa9d3b25d483002bc

SHA256
64c4fb9218a2e9f6641957d50c2ab8a60e9c368256848434536cd44bee86dbb4

SHA512
4d2bde2955233b5feefaf75f56ba9dc3cb427e63147d753b6c6e712fa7fad9f9518e40882f8452842f6a85df0057f7783ae95c7a62828976f1146f906c1ceb69

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
e41d184ab7bcde25ed88cf97328edcfd

SHA1
e94b1fc64887c24c346b3636bb4b53b548ded9ca

SHA256
f7b6fcd50bd7cfbe4a4b182a4987f1e78b65709fdc6086e1ea114ea8cdd3ca3d

SHA512
a8b67428bec93572ea4c8e39c65b5a6152b4d664c471baac95554b94545f39a45dafaa85bb9033f8271d636aa7adba4c629706fde771341a8e2a81de59b0a8ab

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
cd727be10d55bca5d249828f8a784fc7

SHA1
96119ed232f42646abc4a2098e8db0273203b2c6

SHA256
e5b3d019aa6c320d729fe98d02a846b67c9bf8a165c40d51468c6840e3ca9d41

SHA512
661fdda7918edb630f4a9b41d31d437ee9a32e2e6db51c5cbd913d206bd901496f7424d0313b5e8c54f5fece1737d4d3564e633fb254deb459e20f0b9da05e63

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
9a94033508347745978b262bb84e19d2

SHA1
e1667a84103a0404bc7adb6d686fa66675b0c6d2

SHA256
72da42e266e9337cc911ac8ad5995b1d48a534b3eef65f87113a9fcfdabfa20b

SHA512
7a2f7b97f6791ae286fec1aeec2ccfc490381770c19350023f85eaa56147917ca1a1c70d014fbeca061e955e9d75e7782c4db256c2fbff5df1e62594d2767408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
e2a1e66e90238857852b5bd8b2b59cb4

SHA1
111fe0afeb078a897568e511aeb98ea8eeccce94

SHA256
b897c817b5c8c2de296cd8d94f679a8f623c9d755bf185147cf90cda86bb3a52

SHA512
dca6cf4f83370ec4e1ff6f8dc3bf59e2858a9dc9168ff176efcbc9bee1b9ed3ea1db03d897d84d047a2128882841f2666934b071c2b60640211c25685781bb15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
6d5069bc48ae71770cfcf9c7c6773815

SHA1
955ae2afee70a2df779387c5b1439c438afd0d44

SHA256
a297373ef0d04f58e0aeef0866f899e164e7616e3115ff75d74cbc4c82ab8d8d

SHA512
fb4c5e7bd92aa0bbefccd2eaf1d895cef595c838036cfd6040fe4934f1fc48b0756c8497f217ff69b9b038a91d4cdab955a67096b10121d5c61c7c6dd69d1939

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
7a3a4e001b12ffdfe7ca331228c721b4

SHA1
a81afcada18488086a924c1b6c13a709ee5377c6

SHA256
99b0db10109be61d88f31722a7a180202533873b26690ae7283ab20a47f21a45

SHA512
1b4534521d9484a2b6ef086e495946d8e7c6ce473d034ddc93f37a1407d5790382aa64ecc22687bcbf648f08c6e2946071c365a3326ffb8314e93a675efb9783

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
eeb4e52c5aa76a4d4305ff921a122248

SHA1
83d872eabf501bfabe97fe34c3fad0e14dd3220f

SHA256
a2153c7ede72304cd3bb478fc766e2539eb9ca0a616100712896450a5df262af

SHA512
a95f1c26d2972940dcc57bc4a87051583ae3f1e1a458dadd1cc2bc0aa4572e500d0f1757e4c74da0794701bbf745b02ddf16c1eefb7a983e9f55c89831939522

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
6cae219bbe02d15c0f0c7dfbbd16f78a

SHA1
a0e6ea330e503ccb99c0a2f49fa6bd161576e386

SHA256
0a8388b7064027ae6b2259841467b84146ad23a7dcb91e66edde5636579bb083

SHA512
96c0314d0a1ba31a545091115954461283074a3a2912026bfc18ebf3464ae24697e39cff1a8fe1c9fb543825689b2c2dfbaaadcd15c912a96488dad56709be88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
bf77c26e1423157d50da21b93d31b0a9

SHA1
0bb4944510620ab75019c1cc78233f201f152299

SHA256
3bee0b388aaf0b5a4185e91f9f182aeb76bf173924656a4f62312180788f21be

SHA512
7d14381fe868cee41f45ebc2d203c563f6061a8558d3492b5d816c7805c28c8b9dd39e86e58fb1a6c154b02186e529006af58e408ba70eb46ab369fe1e421781

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
3dd5a50bf65f3f3241c1ff47277153a2

SHA1
a32e40f2560354b8b99b6f040d95e8bb50a7074f

SHA256
cef44f99c28abf3ab1d32975d63395d1efa1f3bec950272697c1a7e488353d8f

SHA512
b5a25f453566575aa870b0c404b645578df5e2c691dd6a3ebfd43dafdda8a44dab394ffd70c07c3e8ca54c73976f3bc314dcca116c6d91786d4db653dc79e5ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
bceab496631e3eb5e950bd2ecc7c7229

SHA1
90a7cbea0d1fea6cbc2ba0b70e7be2b9c94fd165

SHA256
6a555395cb0551250c7059e2cd558c39b00bbb80fd5679fd2e00a49ca80de167

SHA512
f0d62dc4e20d68a67db08755972c2df7e52afa8ac4f07ff9f2add1a14ad34a1a320b9a27f1863f81c0e90a68f1f1e123e62aa6ec6899bcc168743bdd79d644e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
c5e7043508149eaf43a53c5332cd61aa

SHA1
c0f69f69b068f397fb4768d722765267f5263dc0

SHA256
2a8001be28f3f9659cd58e44474c8c395370d7dbb5e27993d177623f8e307338

SHA512
1b9fe8dafd54d6aca8f921f69889a36c478d9c249807aed0d6bdfa41a02f3b0833f747d5444f628a74c887a2dae44b8adea8a1ab079e26625896f2dfb8585496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
26d5080c850d863c7330af515400a7cf

SHA1
0c8cb08fcc96b108eac68db9761d15e9fe78665c

SHA256
6749ac8c63b4c094224f3b3fc8d10ff92511fc8f1beca4a04d0d48d6648a7b95

SHA512
300006d7181750d5e2b84f23e2dfccb2a5229f80143bcb851fcbd21441ac22930cb9472c11a29a9fb85a9104de1dc94c6c8cd64c2608a27e82bb49b9e6c74cbd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
125fb61488a6630715db1362693afbeb

SHA1
27fae6905624dbff3d6c35060567c1554fd68900

SHA256
506167f861d9d8563c238fad8b23e774e6500748f69a55ab96404c88a83fedf6

SHA512
05e676b3a327715a26461c3c5b351d7ffd2a41943189d07b8195aa5ae9f7783c21cbee10cdb81406beb69bd51204b6396dc80a5d162fa03d2f302f7cc2686418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
0f8be3d7cdce3bbeb54673c4b193a8ef

SHA1
b1bfdcc5e1801568bbf27c27be5a60a44563dda0

SHA256
e144e3ebd40f90f87669c2863fb015f2c66e809d587cad47161002ac1f50e705

SHA512
2abb8f41d7ed231ca95de36257ab6d96b6d59ab793e9165710f0b031c80ba170eb2c6034da7089955947c910e3fe2a49bfd403eaa86297e01e6565116b75ff46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
31f87c32d25cfb1000b2703bb50bc306

SHA1
0af53a3047f1cac320f5f56cb9167c9f3d512866

SHA256
29b54ab5f5ac6f2c44dc4e340dc273d7ee6a1218db25a6d7bc05a47962625831

SHA512
982686e7c24bd621c7e28110417e25b3c77c1b9cce09539eb29910df8e12eb82a4646972202638fd797f0bfa72047c7597686eed120c9eb744068c05aa4a6cb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
4d3ad4083180450b6c61a356070fa296

SHA1
1d42105b7b5eeca19132923792373a10fcf99a95

SHA256
b8e2dd4cc98bbb9b5396de81301dbb7e0cc473d436d02cf43fc4e3e8ea5a5c0d

SHA512
2dfdc2c446c8ad8cefb187b94681d6cdbe17e989853bf69b01d6d520eab22a8af75bee5dd02c6c5c04f2a5bdeb52c0d3e0e126a9146f899e8bb4e247e071b695

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
0ba4d4615fed86ff660621cbd5615da7

SHA1
7b4fafa58c8877a54312147a4f8b7a54416cc086

SHA256
f2491809c652484af461c19b7bbea8989e9dd6b4da5dc8f1000b66b3afa88b0b

SHA512
696d702027a17338b25ab9d673715afc8a1c5a97fa548530a19d2e2a4cb94604c82fae7607be8910ec72b49164e8efaba015ce98fd64e127298286a9d51bee65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
9fcfdf9cdb81b4762ae8dafc33e1848a

SHA1
16b34412b6f91e68f0988ad651b41831dfec343c

SHA256
2a3a7b202b970f16e5f9f98ed247596b8e2275fc7ec947e8331456faec5a880f

SHA512
f12abedd7729b3c614061a7b94862d32154f0116af96ab4caf0f087de68c807f0dd09c044d9d18acd12f24fa8884722c2f12c29404d8dd488c68dbfefd31f85b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
edf8be7405f6c64eeddfdf099a762f33

SHA1
e0143a533846c310bcd4037ee5a5b566e33b4331

SHA256
3d61ab9eac67221609fdf07f1f38fe33cbca96b39f6b8d1fb5e58c68244f754c

SHA512
7a19aeca494eadfa49278a4952ffe07ccd9074327410cddf9ba935172fd4c87d8e199a2b8c9bc9ff6154788f8c75a04f06feeb06a40ab52aa00b8516726e83ea

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
2a825157cda14bbbd038d20801c03268

SHA1
d9d77a9143ddbdae446d67d18c166cca1451a4a6

SHA256
ab19ee03c7519bc81a553b23cc8625fa69f10738c2eb6e1eca3a7815bca0a5ba

SHA512
6300fe0a39ad8e9c8f344ac324959e800f9efc0073e7ee02a1b3aa7f4bb0754e601d01380f492f3a3a436d1c5eab9ddc8eb26ff4690a727b57e7aa169d447272

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
d3c3e5e2059d066d0bdcb1f97d799075

SHA1
c8458b1d127f95b0c00b2828b31297a5392765cd

SHA256
6fb4b856c24417b1f7744be122de8305c390049e57aa07b88a88f402da23cd06

SHA512
61ce4d05fee3de58edb29b181c99eba33d147a3dbec13244d7047fde544280376c6fffe0158fe90e3f50de4d80727df079eaca430af7803dd6306ec894a129b5

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f00c85c6f7e4904d6261ad18f8d4a216

SHA1
dcb2fc0f577f3141a2789c701032b0651f92ae66

SHA256
a0e47e374fb3444df18494847e36c53daca9df8de5ba82e12a424f4508a72bf5

SHA512
7955ab6d8ec977581246a6ef2088d3a78f2cebb779ad5e96b963d6538bf0c758a6f1d6a840b2982d1a665dfd20a2d196e7aebc78a998ae3d10a6737218ccafaf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
77f88d32dd2bb15ae7ecc252b2eb9148

SHA1
9268afcf3f52ded8b20efd375074c0c2c4adc169

SHA256
f64fcc383a3190e2803c9f65b695d37d698eff7b52adea59c56874ed0b97f13c

SHA512
00fc7acd6f21cc15152cbea8a805d718a7f0307b5b4b3ec5abefe85b99e95c977d541e241ad8ab3e1d791f042bc66dd232932f77fc13042a21e23b726f80c043

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
92b6a4c06569b09b2ca479da10f1720b

SHA1
b9ae031486a0a64f8f8b64af0f32cf02dec4de63

SHA256
e36a1179226755e67fce99a1c1753973bd27785c0522953086c77c3216fb351f

SHA512
ba078afce62ed9f2f052eaf30fa69341268cc1b331944a8dc082bef31ebb0c8f76c264acf6f7a01b6b24eea68ee4441029b81781dfcd2dac8984a43a8fd7b17d

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
d047c97513072c5ad285304c926007b0

SHA1
36e66ba6e7f110eb4040c8b0c7537aec7f450e9b

SHA256
064dd5481f6a0b2afc86de01fabffc22444223d951b0ce3e4e3173d98947f5f2

SHA512
5e54cdca728782ec5fa5d94d2ee5bdd5874dbe5840e04cab857447b63e7d953010869aaa8b1a5c77568baeede5f17b8d1468ae35066bcfac5e0a7840a2be5ac6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
472d549ab33e938e6793491455d13d16

SHA1
c2146b2f139ff5ba833e0432ecd42fb988026250

SHA256
da3f2749006f6843ba74cf329dc2d9b7f73ec338ba12e8ad11c323edcf787111

SHA512
edfa677bd793c4c2e26d019c12b750243adeae19bb451b7fcc8925a16780115f860fe1d94e708e39a6dc9ed9c2086dcc5bd6668375b84614ffc06fb979e1692c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
ddefb3f2e69e03c8aec3683087380623

SHA1
ab2e79e8e974cb0fff020d56ab1cde805bace76c

SHA256
18a306207cba845d7a373bd562e3ca6535787ddf635fe84cfd9e82a4510f9f34

SHA512
b22d5cf2a706d9b8f6b1a702b150d449ed41a3816a44ac53599c277d3614b6b7bb19ad212fe7c765ddb919fe1185a0f2084c6dedcd60f26172d5280eccf33bc4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
384f71395febfac5e091fe8f0e97294e

SHA1
c6e6380165b547c8c46dd0560a4d48a17b942220

SHA256
24fed8ff13e5c9d84f987b04215669250e99dd75d05a30412ca61271535cdfc5

SHA512
3da1957c8bd6111fb89cdd52cfbe59459c753a37b8dad6411e934e37a78f2185c3b613a20f43724cc0f135b658631816fe8ac09801d114e8f2105c9b63fbfabd

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5e60a459da7b51cccdc0114162939fbd

SHA1
5e4af88ef8aeba51cd48b921afe110b5995bab16

SHA256
00e768c8da56adb0089cf7cbb74d7f71f1ea99fa9faf9b55bd2526e7386c39e9

SHA512
ad2f8e5bc9bd2815a5188445b98fd34542f7dbd1949cbc0b602fde06d618a375a08a7bd7e04d9c9732c2d15e8914476b3a825c4c0469cd7b45595e80998fcecd

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
224e7d758534bef91c60cf87e73f0012

SHA1
31c06afcf51a9db7dd8122508b29f9a77ffbb3e3

SHA256
2037dd64431eddff7473bceabf330482e913525190eb328ededa4dfcb112d7fe

SHA512
56b09f73830508ddccd3f156237a474b789f15c2af3de349f9b8fbd2da9c07dd0bbbac0ca045c1d63b3562c87c0f95a2150264b93040aee9fd395f710e3dd60c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
0aa29a732f1eabd271f0985864956fde

SHA1
a2a62fa418c24f88da7bd23e5aba558161324908

SHA256
ef75247ddfc02aaf8756102d29de5ad7953b55966e4b7d9f589fcf6b2fb22359

SHA512
07d71e93b2446677b64b0adf72448fc5a32b3bd8fe5e486b80f7ce1c692524fa93bbf8fb8bc2fa5d4d9ab606eaa02c4fb663da12e287a56342b8f3cf02177f81

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
79ffffcc1fdc681db6a897d0474519af

SHA1
0971bd15e7b8144d8c2b4dabbf4e6a2e43dc416d

SHA256
935a9ce537a1308b7ca0230d45fa40f9203d80e5a734e710d501c53328fb9721

SHA512
a89f9f5a3e4feea639bba36d53ad44cbd825c3545156a6474ba37ba2ce7ac909b5c541c0e062c79c3ff1261d812c9902f0a9e31da124098955eec648bfe01d7c

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
8602516ada40bf307d1c162ce2d3515b

SHA1
4a73b516bb04e82f0cacbc840c24231d8f39a466

SHA256
51a9d0271460aba16b957fef4604c7a2a310fdb5fa8ef0ab42762b3f8e7e6209

SHA512
2f5d58e8f5e8333ba77d919764c5ced323a861a86ade17a0e9cecc2919c0d49c88b51333db2decfa8904e39793d2c6346b1616a18eb649c912a56fe764f6d455

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
321ca743d649c4ba6cd37ca9a76a96fd

SHA1
98f8fe6cb9fc3de8a5ae4ace3bc5d166e3e2dd87

SHA256
6e76d7af0d621e83c362411fa5b595e21f2149fa48173b44008227451ff84ba3

SHA512
df6c18dab11f385014a01daf11118bdd261333b5677b80fa86a0c787fec38cd4bc3d64fbd92a269635309b1cfeed751e37b417ef6322fbcca3c21b4e09add653

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
edf6e9b08faf56f39d157d0bbb46090a

SHA1
cd4a603c4cb2475507283827c8947290b289bb24

SHA256
9f433c2b0ecb243be6cbb9db0b7388bdd932360f07bd864913f4150e4469d218

SHA512
f391bd55b30f7258de0cfa77ff5c948844cdccccb911e32d76e518c9aad97e9114f8dac2942c2d36f84396a072ed75250825002362b6853d02c8f0dad139c1c1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9b23c142f64460fd9dcd8d3d92c4a0f9

SHA1
df7f6cfede1f5044ab23973196214ed5b88398e8

SHA256
0934523b74493f0773148699fa1a672d8b69b70f0ec7904519d83b986540cfc9

SHA512
24b1f4d91c4b930037058ebee811c53ad6b72957810f1c17c26b9e071f9594b9655beb458c374089c9822e258ccb106e386eb05c130af2da1e971fe52ea4e462

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
0a988bfad0cfa1dba7b1c70b51a0ab22

SHA1
1ee0c4453815a4e339ac108f60033d904adc0e74

SHA256
d08c4d3c770a5f50a79f6dbf07d15aef3d3947cdb01b6cd244ecaf3a11b0b9ae

SHA512
4b5e69dd40c8709192f35189cc6bdb482b67dcde00b965fe60d83d1aa86f0d2bf68cbc3b1cbbc39572db4ee5769decda63a5cf9aa74e801b221e2a487777eb4a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5c875016941ebc10ab1eee2d36b1eb4f

SHA1
738f2a6009da4267d30945aa6da4891797649ab3

SHA256
e6adc9920035586cb863391bed2820ec2636116efdbbc40fdbfcbd8be3c8b15b

SHA512
651e4b3364b41d0871d27cf936fe1f355c37ccfa19414e647fbe9c2234619532e70dfa09fec19f60dc67e5e9ad83db16508f7b8277d17ff55835b6bf79c65d73

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
d6bda28d55c72c8cffc37b9f1829378e

SHA1
f6554455871187ee9d85e29716836811443c6706

SHA256
f486993cad4db11db28ed80289b3613476b64a881ef27ebd17423e99b7a86bb4

SHA512
47ed4a073795a24c25940143388c55b28050b874eafa37231ae98ad8acf8311d5c1dd8c4a187e6c57d1bc09fe8dcd156bf604db1cdddce32f520eca6a5dadf54

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
83d9749bef2ab2305b9294036921b472

SHA1
f4dd76e73d5bb6562865c94526d53eecd789e4d3

SHA256
600460ec1c1ab67ecaa4e70270684571083e2cb5e5eeb4dd103e6089afe71aed

SHA512
b522cd5f36c6b045dfd48ace411029da3a4cd2522c91c2734df63d5c4cf2c500ce16e1b80cc6286ac35bdb94bd8b815617ef55fa901a348bc899b2712a32cf7d

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
c1c130021b03fb051bd6b5b5b5628191

SHA1
a75edfc45585de742f644722eb8f01e83db67bfc

SHA256
184bc63279eec7b71b8f9e42c633c51ecd929bb804cf6ede87d49ac053056c80

SHA512
ccc0b3c98311eef3067d6e6a74c45887ae361bd1541bc07c445cf81b6d58467a47ed7b3194f34ae419ee7e43d1faa5516fa8819021d233d1c2df3b88f07d28ab

Download Submit
memory/620-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/620-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/620-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/620-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/876-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1320-481-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1320-145-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1516-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1516-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1516-464-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1732-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1732-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2012-134-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2012-461-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2340-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2340-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2340-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2340-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2576-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2576-486-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2640-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2640-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2640-15-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2644-482-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2644-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2872-487-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2872-165-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2936-87-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2936-6-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2936-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2936-1-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/3444-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3444-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3444-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3444-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3444-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3624-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3624-488-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3788-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3984-100-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3984-160-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3984-105-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3984-99-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4100-156-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4100-88-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4100-89-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4100-95-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4140-425-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4140-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4172-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4172-164-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4176-31-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4176-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4176-35-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4176-120-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4272-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4272-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4368-483-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4368-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4960-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4960-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download