d21154fc454ce1914bc6819f99795d25a7e3a9042a5e703cf7fc4e6166f610ee

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Size

1.3MB
MD5

01cce8056d8dacf74d446ecc05af16a2
SHA1

8f4a197a8855daa0925a0f0de059b685ffe80346
SHA256

d21154fc454ce1914bc6819f99795d25a7e3a9042a5e703cf7fc4e6166f610ee
SHA512

f682dea3b726bd39c7d32b20d4eb5c54dd5a47b4791b243e9f3d7e8f40855b600963b67ad776a8655268bf59e30313013a662cd8ff3b1c78bd8ae50040cc85bc
SSDEEP

12288:BtOw6BaW+Xq1gYgR+8DAoczI2ZfnwlQTePINayz+ByIne7xmmZjIUTSl+0/1:z6BiMdIuwe3zfIe7xmvH/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4696	alg.exe
3524	DiagnosticsHub.StandardCollector.Service.exe
392	fxssvc.exe
4840	elevation_service.exe
4064	elevation_service.exe
1624	maintenanceservice.exe
2108	msdtc.exe
1292	OSE.EXE
1520	PerceptionSimulationService.exe
2652	perfhost.exe
4768	locator.exe
3532	SensorDataService.exe
1460	snmptrap.exe
4232	spectrum.exe
992	ssh-agent.exe
1760	TieringEngineService.exe
2344	AgentService.exe
4320	vds.exe
1696	vssvc.exe
3400	wbengine.exe
4888	WmiApSrv.exe
692	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\edbf4458d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c306fd69dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021216ad99dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b5379d89dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b52f2d69dabda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c965e6d69dabda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b114bcd89dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb36f3d59dabda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe

pid	process
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

640
640

pid	process
640
640

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Token: SeAuditPrivilege	392	fxssvc.exe
Token: SeRestorePrivilege	1760	TieringEngineService.exe
Token: SeManageVolumePrivilege	1760	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2344	AgentService.exe
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe
Token: SeBackupPrivilege	3400	wbengine.exe
Token: SeRestorePrivilege	3400	wbengine.exe
Token: SeSecurityPrivilege	3400	wbengine.exe
Token: 33	692	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	692	SearchIndexer.exe
Token: SeDebugPrivilege	2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Token: SeDebugPrivilege	2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Token: SeDebugPrivilege	2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Token: SeDebugPrivilege	2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Token: SeDebugPrivilege	2024	2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	4696	alg.exe
Token: SeDebugPrivilege	4696	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 692 wrote to memory of 4532	692	SearchIndexer.exe	SearchProtocolHost.exe
PID 692 wrote to memory of 4532	692	SearchIndexer.exe	SearchProtocolHost.exe
PID 692 wrote to memory of 3152	692	SearchIndexer.exe	SearchFilterHost.exe
PID 692 wrote to memory of 3152	692	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_01cce8056d8dacf74d446ecc05af16a2_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:992

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4532

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
63d8e08477d40a81225e7f073f8dcf23

SHA1
9a413ff10b6e7e2fc5eb4854b67cc534d7256c43

SHA256
9a1b088153c6ed3c40358a503d9bd12e0e4a66e32c5b11fd20de1d2f34e7c336

SHA512
c578c2535008cbe62d80bc5f52e5452cec05f9e7ae72bb979c69136f58246203e9b8e27f1ce838ce042b51d1022fd072d98c750345c5e587635e11952b57a651

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
aa86a9f50924c2af97d365c2c5a6605d

SHA1
b35150822f5ee4f7fef1b7f35a0385c89e4a221b

SHA256
589f6001b092082ce96667bbf791094498e849105025ca8dec31be983db43b39

SHA512
1809ba758bf40ec33d7fe7749bc4255d1c6e69fa8fa6825eea8c87b6134d280c42afcb9a4c88ea6d22ed8a1b066bc053bc556d4bf03f1f65a1ddae435848145e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
ae11cda11028962a77b618b90f40ded9

SHA1
13fefd5e23a2e96ffcb869ede5f13937dc2517f4

SHA256
9c89f412944b7067ef1b5b968fed8a02ee10be58f4ef7b71860ae147c0b1541f

SHA512
284e8f7ef5c42f6626df330ce0a4798ef4a07a9444df2e312737dea200634db020f5e937381e05a46df9a2a8615469edcba1be6a4e0bb6014ef6467823b10935

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7815035aa64ca367ddca017ad4d3c9bf

SHA1
0a24f7a160d7f196b0d9abecd32305a77857950e

SHA256
850e84a95ecfec00abd1a57ec88ae1839d841b6eac0ee44f7209ecffd0f3201a

SHA512
40333c2e9fa2b2617c8970d1b51af1233cd8f6ba6cd5883366d128070d6c87a7ebd62b4998a8206db3f547cbd683098e5a7c52f48746d2020271c7d9ba1f83f0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8a78f8c2bf7a48296d265d0baf9abd1a

SHA1
87f88961a40b0bc3d19368c8bb19461f537f78d6

SHA256
83791ee647494f086df2463852e33d185a9f6e467893058cdf2d66b31cba9cec

SHA512
0910feb67f4d579c22916ae0d9a0450dec54194b94437c06ff3b790dcb2241698dcf2617f0bc4a02512f12ce01b1a50249bb5c8b44401a5c3c76f9e05d2bf4d5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a80aaec19263945a1be3b76f73074361

SHA1
fd589b0479bba0a644068b847bb0bf570f6508cf

SHA256
c73ec0324b2dd62c08820d5c5bd0e1cfdd253857748069cc500fcfbd9be47372

SHA512
f9b3d8ead9d13dfc0f6b1e1e6c77a2ef46b44368124f83aadab5805dd3826d69c3e96e665b18780ebf5f0fc66139b8d3d7d146ed0ca677ad721f61efeb6679a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
19de1a9fd6e35cb39406cd57adb46cbd

SHA1
8c8a8d6756e589bbb3be97b44d1a9d7121058691

SHA256
bdeeda41afb12b8656b8d9a8bab8ea0f338e44d3c56af7fc3d097dd733508420

SHA512
10d534873c3389025818b822429f5edd749dfea1759e6cb54e4e5910ff5f5f480ce3ed1bca51e8f782eec17be2a7ba402ced5d7e7bd8696089fe56baec00114c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
48561600539c1e206a2b571da032dad2

SHA1
34d6495800d87c4584371d5167bba5afe0b618e7

SHA256
bc917fa9463bda0f24b05aab0cb406741193a8730ab53cf67ff9403180740aa7

SHA512
b1ac6f647f818ee6c72549ad7734178efb2c7f7ea9b235f6f81bf8518dfc7c4f3c43f6e3651695b4166b1aeaa77336391b5cc8253083abe3bc18533a21b3c2cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d668b9211689bf1fea0ebcb8f904844b

SHA1
77c445e968080e49973d3bc0713290336a7d0a65

SHA256
45444ccc842acf98826cda454c579d0acecd3491281b139fe3e2bf5e32ade3d0

SHA512
b1b9b09e0284edf1b01b4c14809d81f202e2168a54da1e77ea1dd5ead0bb7a75be0751430be25b1bb92d19016a36042093205fbc241d771bff1c1b2193600baf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8006dca017a217320cc049e9d7e95e2d

SHA1
3dfc159e194cc0a5168ade081c401dd44a28fa58

SHA256
d87229521be218af475374b3ad3ae2195681af4a97dc93ba5120982e04089133

SHA512
4c5a6b4dc4207f89394ad59a55a4f017771ad78dfc474810798cdebb54f9f0a7c84b85e48274c247d6643854d8f69efc97b3e56baf38a249cec370a0fb45c5b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
98154d66c1d588bc72fcacba26f26ff5

SHA1
a961042484830054c8fafe6509875d30ac15111c

SHA256
24d1bff97439b27158dbcb095340ff62f35ab19758c779f36150b3523e6b8a23

SHA512
03b46b7d58ca202f0008a030e6527dfc63502916bf36bd992da15dad539afd2aa6a9011d2b471fa372050e43e568c8fc2be8e3d2dc4b2898cc6a5dad709dfc70

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b523fcba129b2c3216982f4990f4e285

SHA1
d7d9133126afc7eeaeecd2ee1e81766b5f1b623b

SHA256
34c7eb16a92e1365eafe32928b81bbe607ddbc348be8023d6d5d40b38056df01

SHA512
c63d84a5934e6d6054216990e33a41f588a8476f8cbc16d91e492183510600d0e27d6a0dbd282d587c3d8ae42bd360b7619ed9eaa83a9f0feaf000e1510fea97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4fbfa5103af5d83b039e998d296b25d7

SHA1
7d29959af35bba450334f1cc42c53566a81b7c9f

SHA256
a794e85546320e0ee80471b83dbb3ff94d1633b58aa2820c941e335c412cc2ee

SHA512
4b9973fc4b404c193dd2254abc6af618b29f4e2b20b8fd1be8b1ef343f485b1a85af4e006ffb768144b1fa681e25724aa4dca7bd569a9154484866a22dd55d57

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d073148c31736af37827506e07417f24

SHA1
25bb5a1bd726efc95dbd7bbe2f0296d41508c14b

SHA256
6859f7b70b1cb4b015d82a66ac86c3ee6dc34a065c3c627a7d33132a038f0136

SHA512
ea781bb7b4361a7ec41191d52ae6224703eacd56ab1912cdd87e410202f76a070ee5e1f4141f222bae09eb4eb9a9f6ec4b888094175219f666de6a856e7ef941

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ecbd689773faac8f5b9ce3e26211019e

SHA1
4c2776a13c5c3135ac62a31fc98913952a5c3d89

SHA256
b675cad5fd6bb68dcff8c337b86e41607839a0b7c065992e87555716cdddcabd

SHA512
3d8678c30f1ce9a75871dc6670230186e501730fb61e5ebd0d24e3268c57aae253eb3090f3586a2e3c3f483f711f0bf97f523d6ba64f4e25839940e2cc53cac0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
baf25b77897d4d9da42866d3a5e1f7d9

SHA1
51e7ad4852c48c20b5f790d614b62253ceef5e1f

SHA256
42ebf235bd21081baaa6500def4a156641ca2b77cc13cd7c15ff3081b178959f

SHA512
f3b25c9c257caf3efb2efeaafc4e61599c0aec762aa1c8a3577100fb01875a41dcb6a9e21789fc857e790af08e453101157c08f59952d5c7779e1e6feb6acef8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
df45965123426115c432787c47bee445

SHA1
c94381b74b4a63642e66505e0078bf9bdb341c24

SHA256
310cf98a278facab47bc9447b1a4f7bdbeec92c1119d1643c74e198fdf3a472c

SHA512
8626b5c63fec030a82eff6cefc419f5d442335628463cb3905221a622d0453422b094a87d61411210bc62cf626e27d5618425d752630d391fb6aa5ea7a8ce7f7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
42dfb898dc9fdd6799a2fbf83af05ebe

SHA1
51794a75a89cfb4cffa1f6bbfbdaf46daa30d327

SHA256
e503dc4494f1b0dd54c685e3c683f3f257885f8edcaeb7f1eefbe4358651ee79

SHA512
274c1f5258d2dfc129ffe2e2327a88756fc46e82b8a4e71567721ee602b59daf02d561cf59e94a369d1541c4414c4a81364d21d2c1b473995633e998745c11dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a695fb25c59de26bbccd76e232c679f1

SHA1
c0843edd61a361e61b1a4138c903077cab0a8fe9

SHA256
95a72815a3af8adb2754cb5e2dc51d2ac3947736f7f542208dfbfabfeac99212

SHA512
78a76d4a4ea5cf8d45d6738f6c577e9d30a61edc80bd8bfb9a6a2d1bd35feaeeb5fd964703e02f5a8cb29191d6d1e3898f8996149cc2b69dae2d1a17db578c4e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
23b7b9621fc7fe2a2914aeb3c2465f39

SHA1
d622e683f4321ef22a8af0b72f8f621090da3534

SHA256
66afe866215a90be15cd6822ce69a20af9d31428c9df073381af7138febc40ac

SHA512
cb9a9cd3f470bfff4efbbdf47057d13027b1bc853b168b55336f55f55638ad759b4faf0bf92a341a5e284988a3b74b3b10b4972bb98b6cee76d232a3ff691805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f927e9096077fbec442833344edf63a0

SHA1
21b5f33116c6eca3147f97cef041deeb600b9769

SHA256
409b7a0f628aa04de0bde31cbd0b0323141988db07f3e0639d6147f8d9152e5d

SHA512
2aa7a654645e5b8185da1165dcf528b139d9ba1c2e680b23a9c61c3006d310495e7d1d34ef5d4877580e1e3ddbfaceb4567f091b2dafcd9da6d7de8e7f10bf00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e74f634a9c239c7e7dfc83abaf550a2e

SHA1
98a3307c7151400557c9730e8efc26a9d40f7001

SHA256
d49466a33720b8c1a13d54a6a6536a6fee42d6d49d806c8e0ea90f2cc3e496f0

SHA512
dbd7f9eeebe5cf535fdc1b6ac5cfd86654f0bc944ebfbb0c304d013091fc39c063fb93489bcb2f9e2ffe10d9f3004138b1b1ea08d9e7a4b6089d15cd29c99abd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ae12b839d8c5941b8fc7703d8264fdff

SHA1
66f7a676380b423efd0a432a246b64b57f22e4c8

SHA256
814bd6fbb2d2e8d58d8f2341d3d0ef9540080929d98a116b1fc9c77c9d458bd2

SHA512
44de869ffd750f7138f50e354ac23067f7b0096d3235415893a4a7d4aeb8055d5d02a88a48dad9157529cf47068c9e8cf23febddbdd53becc00e20e260d3ec72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
19fa64f781d09d02e21270bc30cc9de3

SHA1
f77eabd2ea05fa4a4bcbc7795912136d01b07b77

SHA256
0c1d07eb571313004d23a83c9b1e8436622248f7c65ad150498403043ea2269f

SHA512
591c34dc4e0f96f2e70d22ec23f930581d3bd5c501ca95c0eb729cc04f4c31a5315386580bf710fd42bcc93f5c6e7ff583af36b6174254e31b21945a04941bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c695d2bf9ed3d8751d9c6a2252d5f1b5

SHA1
acfd113e290fadde2add86c8fd635d5b7e42109c

SHA256
e58c9afbf2f97197081d0266cc51f76ec07ee41023e66381e6c713574c2d609b

SHA512
e09381c9e48cf4045f74f60b006b3a739b57f0d8d61b14ede1d871a1a90cad49e6987e71bb836d052e1302959ef746cfa5fa9f9a96af7dbcf90897435abfc908

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
629f09e54f826061e2397487a13d697f

SHA1
63850a7e524a772ba422a4afbdfb6cc29f83aa03

SHA256
435f2c251420ec8fdfbe74a0d629890e9504ee9ac7e91adc94081e9f114bedd4

SHA512
c106f052b222c96948c1b2671afc00d700fb773e8a7849691c9ef417a01599e992bec2e5df022864701ea671edf2254de99e6a026a745e1e003685599001087f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a89ef6ae8220b26e08116b7d0bbdbbba

SHA1
d9b137772c09978a2149d55662b241588ecb2335

SHA256
5ba9d04f982e2fdb51bcbe4ca5e14e858ea24a52ee8d99845c17a0d3f5300050

SHA512
aa6d7cc173371500ccb6046a01f6d1dffa0ebaa7071a52634800caaecff5f6f39aad3a504d15c77593b659ffbf842a8b45ca496ec8bd2c273696a2a5c6feedc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
210c157141b327f2f434e8e8040ee470

SHA1
2aa483b793f31eaf57db899a5b330acb770745d5

SHA256
dcbc6f53b429dde40b32a8178abb2397c5e1799cca8425d7384a3a19cfb5ad06

SHA512
7906ca694997985d57cd3b58e05d7057a4c9c7f4663e0294f1ca86506aa162f4218043dade3e0da1f08d9b348e8320ecf0c3ad240e0b2c4fc6f7d8f9be5215e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
43fa886fbe4bd9d70b193d59c924503a

SHA1
435e3325ebbe3272f8a9f1abca909232340a6201

SHA256
7d1b186fe4e777e6319dcad1e3807ee58968c34a68efa442e265bae8d654f243

SHA512
c419555d37f303571aeb78b7ee89a48094dbb65f3dff446b064c355d063ed02c1a862f322bd6df4520de2940eac9350e20f94b9d59ea2a8afbccb1bc7c85f04e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
13d0485626f4cde4c5851c4da20de6ec

SHA1
8e06809d6fe338e6f2ce65c43ace5e95c88fb510

SHA256
2a36b1c3f8a26778293d98eb7aa93cac6e067eb9a435ec3e5064ee94cabaa952

SHA512
a304afa06aadddf6fbe4faf6312a470c6fa5c7beeee13bc8fffd0784ee5f1245068638d4fcce03bc64ba1fcdc556c07ed041063dc8ef7ed4d837bc55e81c7dcf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
541c59a74ceb764598b5f88a4e47415f

SHA1
b244a78e98b7d791862884c0b7b4b45d52635d9f

SHA256
4ab767ac8e5ed0cca35bf6fecf5d1dade66a557800fc9d4d187f08084efee118

SHA512
ee721549b3a6d5926eecbebb9aebb908393cf60b472f6874b2ed16991274dcd2cf19a4cbcd094aeb16d7a9989ffc194638450b6c01aa4e6268d5c3e88e34bce6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8c01fb52c8133316d4480badee7be671

SHA1
6c172e6b24eb0a566fe3f0385a88297316343134

SHA256
dfe5e3ae54c031f6fcb3afdf1b50af193678f172f0f14958930c0f9cfbb3b44c

SHA512
21646f5f3acd2ba90cee20925bb789cab091a5b1216b88dba74bda557d792490fcd48db6625a6726d844b49f030b476a80f06d14fe4eff605e856c93c1805602

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c596b7dbb4624f08471a2d6abf48694e

SHA1
63bf215629d073e6478792e1bc5e1881221deb35

SHA256
ca56239e71e46925d3bbe53b8c1c5c95cfd7c3f61e26db3805f7ddb68bb72fa8

SHA512
7a7e386a35ebbd3115c912ee7f5c45272b63bd3f4b57de0f7b68fc470f265ee2df9e2dcf32126bad241f6d340e71535bcfd3b90b248bba7051e06d4778257cfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8ac9e28a2b9b1ee8e6788c1646be9602

SHA1
1e0e1b3180bd62a71480b4cd16f1dd45d65e7b2a

SHA256
b49c2621d97d9f6c8526a617ff51a56fc80123c3a2fb62e41a1387bbe066c125

SHA512
0b734c1d658669b81eff9e3cb8b78c79cfc3abd7e44ba8e907c67dcc99ea7addb262c30276923285cd99d384c2ba482bf084f1349951a460170810b02db50220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
db8eda9a63151ead08c47b68ec87e2e2

SHA1
182a6714adc308a3d8960f484914ea73ce54879c

SHA256
238ce0c594728929429e3cf258d4228a3c078a0e9c82cd5d7d12c7e095a9ef99

SHA512
fda30d24ab68ca01e74e2a1dc0fc23f4d98a924adf74517451ff586559f9cc575cccc0b9dc40bb0f6af57113c9fac1ab67faf6156578b917fbfeb66804d59f64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
658df6ec74b707a32ce2f66694333553

SHA1
7c6df66525809603cec9176bf31eb5570982f402

SHA256
4eb3a01c6e1cf910b7fd155e5c15e83a19a1d9a2565c9174ea160b71b0fb51e8

SHA512
cd67d441299b18b4a3b1dc6764176eefa1b4d8e3eb73a8c775755732621542afcd88a3c3d0932dbc84cd893f5a97896585103180134ef26eddb06cf6bef41894

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b578e9c3a58584d9594b53bbfb516889

SHA1
38961afe799f06160ab70afce190a9028c4a6315

SHA256
8c81d56fefbd3a17c81345b7149f0a7baadc79728a85e8aee93c28d4ab54ac27

SHA512
352d4a90c67a3bfc06dac66b3f96f6bd0f5d4ffb197ece3d945100d88b59ddf0e405adfd735220dd699a55597779949781d588742ed00e8e7e58edcead96d172

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
1adb1317db6ef9e812155509451188d6

SHA1
9e7e415d25c024d6077e41d03cb84bfafe67c8ac

SHA256
257f2afaa44408562b1e5fb0b3c2ff431cbcfee8d4d41c692d1e9511c92228d3

SHA512
62c083457f633df5891f373ec0b23ff3aea89125b7779543475b8dae86f6f1a2fe04f4f14a1c22617d6f9672d6adf9d219481db08720b5e736f4114aef86b326

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
15a1d479bcc4f30687b5e4f3c95d1f5e

SHA1
bbced45070d35d78b866a79cc323369f2e492e3e

SHA256
f402024e4783d579eae4f7fa76d39a47b2ac7412875f9971d105a332b15cbe26

SHA512
34c973274f5b0d9b8c60f592959aa633ab5f3254cff7f87467d6c547511d7b470aae24a687f893c11df182c59f8a91a120b0f61a0997877e087462fad153bd37

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1c3ac5fb8880b3b61a2178f3d4c4ed6c

SHA1
906e4122481d9645cd911843e95d7cc9b558ebb4

SHA256
c6a454e9878b8d7011de905f62cc4f164b9e331ccfeb3d5b6a3ff5cdfc8ddb9f

SHA512
5d9067e165318e38fe79715bbde5837d4ce7b0b1afdd60db8e7e2e32c95b45e5271b868f8c9619de0a7385acd97f9f2cca6fdc218dc34c578ce0d1ef3fa18f74

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
abd45f029ac6e64558d3a3328f20b80b

SHA1
f8f81dd9fbe2134b411d06b9387872c75e2c3c7d

SHA256
8b40de28608f54d106963b6ee08be0f36c9a3a6f442489ab07663b15942fbe3d

SHA512
6cdec89632c4c37ce876b116c0c095cc46074993fbec4be268e10fe7945fe00e779caf80ba6153e44294d80c8cf2c29852de3dcfc62f949caa539a31e7df5f06

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6e21560af5d90591ae9261054cac4e8e

SHA1
219ecf9c63d3a8162b370b4d3346493f991c12d7

SHA256
fa2afc3209122a28afe7bcead572691ff1d618bdfbd4b5652634ccdf872cdbe8

SHA512
e66724a124e2f690687346f8a07ff009f78fdcec8bb291102a5805ad217b43f592f80628de7ffa79ef603e14bf145695699a026532323f3b2611ba8ca079ef86

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
540fc0703ca93cb7e06491147298070a

SHA1
27832d1a313bdd48ec2ab4758c3363054363dba0

SHA256
1936f2272306f6ef6e3ca3a5121e8f51940d8cb54b66cc7002b636e47dc56e6f

SHA512
5a50128e7218c45c2142ba3712b39f66dd7f47cabe0788fe5f6cf393996a50622a80111610cfefad481474a498d35ffae522322ab990baf7a392f8c0be1dc51b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
7db53493ca3623fab6b0d89c9454e3c8

SHA1
b07b0b4afd34aae21930a423be7ace696c59a7ba

SHA256
35c6cd1abac58bcddc9d31d5f7e8ea597f37247e560fa16d87e62f2373c57005

SHA512
563c70c71da2581cec0d4597a79c030175332c64c4f0d61738c5adb4fcd31cf2cd19d5c788a5b8acc9c2e5e70b29a27c326e85a4eb218087cf3bc9a73696c009

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e30ea7f2a9d38acb8495532adf11e4d8

SHA1
176ca8316ed529a2b199173dde584471328f75c8

SHA256
af86dce4b466aceef1ccd6e5d6a53d7843c16694ed6a61ad7ddfd9500c406fac

SHA512
48ca7261699c13b857c642b7ecb876ade09a212a157c0ea725bc04921b21690d4f54aca2f3f463ae9559dd3696d9e699378eb8d13c1452d25138d97be3b17f0a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c279beae58a412bdf8e1bface13c99a4

SHA1
f82c8822b48b9d7b8ca291d64362a3c24d18c946

SHA256
77dcba793a62c747010f68a0c093be908ac1f4b98ff5609b15bc966905b7b8af

SHA512
c5ed5f86bb365a05080d51f57b0f4f12e575c02fc1011be50e4fabe6f002b2fc7ca4f2f39374d77ccc8d4c42e048da5650745b7a0bbd6335e7873c65b265d48f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d64319a75a94278a8e3399e96155e79a

SHA1
e8cbe36b1b62511ce11176e6d74f4a1e26a6aa56

SHA256
031184af5e1e61059d4982c84cc1284f098a0f18afd09b2d6a859d72e593cf39

SHA512
b7c700cfa93eda7883c625f81f15951cd066652e5107c9d9452656f0e7e52902833d54bc3ab675de9488ca1173e4f6bd21c5e2e7005602cefdc22e9268bc02e8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
931d6c04c1f2a164104db0dfdbc3ea3f

SHA1
2d2e498ce8c5bf30d7e3a70439123b763db113a1

SHA256
79c26f1019bca5c75230beaf9c3d132b1251bf0252a385b5336404098aa329de

SHA512
fd05bfeb9a2d3e8aba528c90507987f43ebeccbd6c140eeb3a0c652e9f25628d44492922b3891fb8d31479c96724a2c2a3482d93371dc2048b2f24178f354218

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
92c74da96fb73321882554494ef30e9a

SHA1
a9e3617245be766356ab2e509a2b30f7b22d24d8

SHA256
b8635af5e2c52e28fc11833590dd95dd24df1d38e48e5060f36d0adb85ada044

SHA512
a6ae94ddde037784eb60a2ee91b2fc323d7319a504b93f5545acbfa764a9d2b552ff8b53995a430986d14335cea8e6f57b649e3133c5fb6f40c4dddc92f4bc3c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cf55d977678c1090944ffda2c428cd8e

SHA1
ad629abd8ac5e01e04268c2594fde3abf802da40

SHA256
cca6ceebb979c567e5b964adebe55de4da71dcf64bb1f47fead3c731b8a7bcb8

SHA512
591d9ed3aefead4587bdda328c2537b474bf0d1a2a12a992eaf9e2253f5ddec84e9b1b276b8e5a7a5e074a15a38e28a777b9b69cf3d5104f59ac739ae79cedd6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
cc50d79b70fa93e7bef75a2b51292b27

SHA1
da3941453d9655cd999dff90552d8dfe7059fbba

SHA256
3d677f17553d1431ea9f75b308bbd5cd9f301d126cd76fef499df5f68d5b5cc8

SHA512
02721005db6bde5944f4beae4481aee43e26a888876b1fbd013307b36773d5ffed19c5f1dd9d19b0395061c3e293cd6d98f2bd6d3e3e6561b39fdc45d75040f9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d2ea82b3640ebcb861bbea7b9b13438b

SHA1
64634580a77856c54a7ea41a2d28618db646fe1e

SHA256
bf2ba74998126d62996de3d675388f5de63f17be4cf3ac7a04812f5f00410711

SHA512
a47d4c53ecd78bb222e62779b7ebc4e5d0331de0d757a32a43d66af6213e73d304f3af14cd51fde992a31aabc821b869565b0f41b1e84fd6829b0a6fd8ff1ba9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
62218677e4ff9f7911c5e275418dae48

SHA1
5f1dc378c9159adebac09e96aaf2c6ad842c93aa

SHA256
2db727aa28bfbee7910be82ed451e5a0a965abe0e91edef65f42126338c59e9d

SHA512
7ae4f3a15b823a145439dbfcbdbdd87904ec70f18a17cd5875ee9b407876586b3a72361c27b05972ad8fbe9ac7f56b3bbf97bb2eb4f880b0b9bce95738d5395e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b21168671fc6dc31ba61270d752de2de

SHA1
278f421a83bc2e15e1f46d9b585ac663c1f9e9e3

SHA256
1fb3b8ec994c6aaaa7ebe94e981830aa038991f08c53cf93d97662837c534ca3

SHA512
5d11329ae9e7f4f9370d673bbe141adbb4580a61bee97bdec17abe9d0ba6a9080a319672ab5ca8aeaf83c4f3ed2d05a5435ff1034faecfe485bef3d2a2d4885a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
e888cb59e60bf3a204c2a59f0f3c63e1

SHA1
e5347e3ff9089dde829044f566daae34b3a8b618

SHA256
6d2b6379871044dbacae1e2bceea3fef9fd71605eebdcbda4f8315429b8fc762

SHA512
1678224c19f4d67c82414935121ec3c44030f1eb0f919dff294f6437804bf84883daef1ddc30c3f175b7ea7cb1e43f9a2ff266a85e91e4b790d79c9dd38e77bc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1102c589008a2cb91f5cfdfcb768db0d

SHA1
600bc1298d014d746b3f4c2d7ea115fbcd9058da

SHA256
12a6accfbeecec2b8252a1866843abe30a07742d5fdee6ccf2e21825009dc2ce

SHA512
87aa2bb6ab03a8005390de7df9569918454b615d16dbed6d7648f2d7b5fc0041e3ae4c37a5d2caa2c88351165d408e1f8f8501675a82c54af8be8911c2a44ecb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
31ffb93f29ae1de5956ca2e96a8bdd21

SHA1
3d97e164e99b996d0e1c7908cd7676ae8fe491c4

SHA256
b0b83ae13ef63774e5027b9d5aed77266008e900ed00b46c0e8b7e3e0fd5b11c

SHA512
636a48b8dc60f0d59c7ce7846b2400c55fc988c5d5488f0e56b45d35b19e7f61f624406fc8b51896f3599889618aa645ac87075008ab1dffa84c5a3474a58081

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
7580dc69a1ebe6d896aa6f98862021ee

SHA1
682c4516dd8675dda4f436b133ee0ed4eb543ac2

SHA256
558e24e2e5b2fb865b52ee15ba25b4d940c31e798234982da7b854a860684830

SHA512
48913e99d9860d28dea33613ed8dabee517cc201086332f01eea912d4fdc1d7e6c111023a746c0938d3f60b923cb8880cf69a73822c5b6f6b26aeef215384f12

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a6d1fa5271c9cbfdd3bdec8c5b895080

SHA1
34242fad8afd43b46ba22a006854958e6825e831

SHA256
ad139d79d094bedafd13f745e6a80868c0518d41bb25707197660a75993c4108

SHA512
9b05b197322d49bb377d8c1f97b01d2095f5c519175a6a33db750a1571e65228a577781acabed8fd7e6dd7d205dc5fdfc505cb730170e784295f48116ade8263

Download Submit
memory/392-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/392-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/392-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/392-58-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/392-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/692-565-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/692-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/992-517-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/992-187-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1292-224-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1292-113-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1460-402-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1460-162-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1520-116-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1520-228-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1624-84-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1624-75-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1624-81-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1624-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1624-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1696-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1696-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1760-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1760-556-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2024-7-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/2024-89-0x0000000000400000-0x00000000006C3000-memory.dmp

Filesize
2.8MB

Download
memory/2024-8-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2024-0-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2108-201-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2108-90-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2108-98-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2344-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2344-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2652-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3400-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3400-560-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3524-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3524-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3524-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3532-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4064-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4064-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4064-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4064-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4232-456-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4320-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4320-558-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4696-127-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4696-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4696-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4696-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4768-259-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4768-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4840-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4840-49-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4840-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4840-55-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/4888-564-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4888-260-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download