9db93b30e62a4d1e76d4757e18a209a119c36efb157d27580cab613c544900f4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Size

712KB
MD5

2b2578f4cfd50cf64e8c354f78e62329
SHA1

179de4c050d005b5166024ed64028a0625b50eb2
SHA256

9db93b30e62a4d1e76d4757e18a209a119c36efb157d27580cab613c544900f4
SHA512

9221ac9813a29a7ba8d7f301e3824c214ff07fbec1852f529d47e6e049c1909929c42c2bf7c15200b19ac8bf4e520825b7ccf5db1cf7df2eb57b96d6fbb50c44
SSDEEP

12288:xtOw6Ba9U5VFWwHiC4mxYr8PCAwQy3KVMsMWsYNv+0kHe/6eZ0hW4:D6BYwH/BYcCAwQEKesf/NmLeiTd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1732	alg.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2516	fxssvc.exe
2092	elevation_service.exe
940	elevation_service.exe
2908	maintenanceservice.exe
3696	msdtc.exe
3044	OSE.EXE
2588	PerceptionSimulationService.exe
1552	perfhost.exe
2240	locator.exe
1060	SensorDataService.exe
1096	snmptrap.exe
3928	spectrum.exe
4316	ssh-agent.exe
4700	TieringEngineService.exe
3712	AgentService.exe
4872	vds.exe
2696	vssvc.exe
4572	wbengine.exe
2864	WmiApSrv.exe
4580	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\379c9d94e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8d3d68a99acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c492928999acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e6d8b8999acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000feba998999acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5eca88899acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007effbb8899acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ea8678999acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089dede8999acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe
2620	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Token: SeAuditPrivilege	2516	fxssvc.exe
Token: SeRestorePrivilege	4700	TieringEngineService.exe
Token: SeManageVolumePrivilege	4700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3712	AgentService.exe
Token: SeBackupPrivilege	2696	vssvc.exe
Token: SeRestorePrivilege	2696	vssvc.exe
Token: SeAuditPrivilege	2696	vssvc.exe
Token: SeBackupPrivilege	4572	wbengine.exe
Token: SeRestorePrivilege	4572	wbengine.exe
Token: SeSecurityPrivilege	4572	wbengine.exe
Token: 33	4580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4580	SearchIndexer.exe
Token: SeDebugPrivilege	4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Token: SeDebugPrivilege	4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Token: SeDebugPrivilege	4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Token: SeDebugPrivilege	4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Token: SeDebugPrivilege	4532	2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
Token: SeDebugPrivilege	2620	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4580 wrote to memory of 4684	4580	SearchIndexer.exe	SearchProtocolHost.exe
PID 4580 wrote to memory of 4684	4580	SearchIndexer.exe	SearchProtocolHost.exe
PID 4580 wrote to memory of 3320	4580	SearchIndexer.exe	SearchFilterHost.exe
PID 4580 wrote to memory of 3320	4580	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_2b2578f4cfd50cf64e8c354f78e62329_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3664

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4684

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4703dbc73fd5d84c52a4b8482959bab0

SHA1
34818c794aa949f49d1e7159113105d6ecbd7c1e

SHA256
0dd65b81dbbd1f362154053290fcf0be3d96467b5fb992c90a1d7453375c54a2

SHA512
1a889420945f78ac214552b1a16f3f1d4ea34e930f3c4fafc30b83b57bffabb3dceda57b4c6f0e25db169366fc5dcccf21706ab9681570be054d903db38f440f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2d873f33aa05f584db6b80f61a449822

SHA1
cef7285a55fd336e3b97584eb3599f0447c86b65

SHA256
776042020f6893f18e40b87128ab2dfe4c1b99d9ef8e6ed28e9f29622a028054

SHA512
882d5a9c52cc664d401b916cf20612530c5a9f0f4637b083ce56b19743d75df62b5fe4b2e6eb941e7e5585d5844ece10bf10a2146e21e7c8f77e062e228286bc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3bced84748574bde506c9a7e6ca97679

SHA1
48fc760bc0d3342628fe5fee7e4a76c5335ba556

SHA256
6d00baf71f9e628d4aad69bcef061cab955ffff2ff97182e2579889c9a224d6f

SHA512
8bc1c12cbcc8ed2db8a61e4107b3504dd38e9bbfd53dcfc49a5fea87c923511298729423fa80cdb818415e5fd410a7f84b848375cc68130ff11cebca826d4c20

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0273b0c7d686240c84086f19ff0a8890

SHA1
21b904e6bd88cd625aafe6bfd979c1d7235a81cc

SHA256
a9deeb034537909b615f867cce90e4e4ae97251a628e7825d56c08a1d4ebaeaf

SHA512
d6f37e2c23d71e9624c3fcbd880be18db762066527082d280bc5c282b1c4e56adc1512c600c44a9c93ead82df096e02c602c4e9d38ce041ab23002ebc3ab0501

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fdbe5967a6674ead524472cb8f42b610

SHA1
39f36376f709ab8070a31e34b1e1d8aaaa333555

SHA256
888ee9fa17da79aab4a455e1bb33143b0cabd68381393a71fc293a65e7dfa7a3

SHA512
7ab0975ff41c3457cef3655c1d38d5655b2af034bc61f075d128bbaa2237b1b88cda35c1a2ae6f9f7f0ab093a9056e02e6af8de48eea8fe9e8f1251a25691851

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3055bc59ead35b241f64ba7101885eb1

SHA1
a65557a306c4cc6558750c1780b04e66de660328

SHA256
58d1a33224fda374097905dbadd5608e19931ce3a0cd6a5f4e67cb77bb4eea58

SHA512
ce2776417a4f1105749c1f68c2d2c4f8b2e99922ea5f8ba85be8590fbce5e5d7d4550af607d7e752adb55f7f0b970c3a6249cee2a46a9d64dbf5e80729cf85fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2d90cb3f367cb314e073704ff4aeb9a7

SHA1
0439c1c8207f5a34eb11f422a34cee7b9ed6be1f

SHA256
ebc11dd4c8461b717c31e777a08910367a720d619432342c7453162c430717bf

SHA512
d3ae016da454c11937f117ef0ff166eb2095702aa55555fe2f71a7b35182a1183ac68402c0e6ac6d46eaed19e054e3e358e5caf7b4c617b929b6e79b857a5a43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f5538ee4e8a9181aad65fa303710634a

SHA1
f7a8a79c7041c0ff5a4ee5365ffe68b83c2c9dfd

SHA256
278f45fea3c324572c32949c59529d5bdfd4fbb3a2b49e0a0520457257b73af7

SHA512
03161c8ea9c1fdbd7237abee34eaee54234daf5d2c81070e4227fee506255df91af023a923139473ea80acb4fd04181bb248e4f3449d26c0a3032d4b942f8628

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
8845acda7fea61664131a80f9403c874

SHA1
f3436688c0e42e856f665fe0b1a4f5c91e76d039

SHA256
ccb6577c885d80c725666291844a104e8af9ea76c28e867f5a5a268b5204f0d7

SHA512
c91ca3d9472b8e454bb23c367232a1f4b274b3b09c0dc1f30a9a871abfcb773598836d08a1bc5a799974aa13ca81f698c474d6d29cb40c4d6f5e485a36611a28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
14f58b57f0f26a03445151c0af99f61a

SHA1
312fd78ee84f46052d11ba710cc9e55f72b573b3

SHA256
73cc61a00611397a9ff70bbb5dffe589f9b19071087f8ac9d6169f8fe77a96a0

SHA512
af28dd4be4df44b7504bf5d6c09993117b685ad14952621e1bd2644fc73439f6975e506cdeeb01c6f69af09a4fa7d69c5b50a559fbc8dc15b11be9a4c814ddcb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
df1d4f6aa1e745663a6c16eb2bc96be4

SHA1
d9b6f0bced5f86c1e4b087594e89cfe94987a095

SHA256
668c023081b4f6b1c7cbd5c20fa665314268a9f824b21ad5135ca7aaeeb3c0c5

SHA512
139d1140b1f9166a7601d183f29c8e1b992fc086773f3e2fad8a9ec1d969bb9325f5f333f614e8c7116c57c46783e59b8f64a4f6657cabd5e8b759523b0ab10a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
808c41d4fc1a03a41c176bda2ca41db8

SHA1
6a9c8e6272daa1e5db099ddb1340bcb442182c5e

SHA256
5563b512d995c991691b16d44d2eb8ae4bb146d38b01a1290f8b753f420678b5

SHA512
c75de3ea0e5a89d914d77d2d8b21f74bdbaabb3b2bbaf9270f1c6b5c99865ef6367d2519c4e2e3f6f9666ea03de6c0bc5ec552dbfe5d695f492269a9c13ff881

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
63238f75cd05fe3949aab33bcec4351e

SHA1
8012d39753ac1ff4ac267003414331a93c5f2fcb

SHA256
be650be190a5a4432ff5e65376b5ba70fe5cdacde1da0a9135bc2a3b81951fb8

SHA512
27124d712884c08842acf617e17bf1a3b199da76108e3e606f0fdc9446cf34cbea619dd55bd481357ed113c2816ad10b6240db351d064ce9917756f49935fe0c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
3a30c3b0ab04cb3af5101c63663bb9f6

SHA1
b22f2d4398c81640223b2e6a3c3d82ec30bd4efd

SHA256
0ea1ad19fb28d0b0c8421ccd1316dfc987db44e104d8831bd9f5ba0e93386eab

SHA512
e5e8b2a827019b2124e950cf250b3fb1d3f86b33911f79939f0be5066548b58244d526d95b303326a43c6a4a16e57be118336df1ba4b3ee4f2f558c2eb10c824

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
10150286357bd9cbf75c7bb782940af5

SHA1
eb9508b189f6e4942303029a065f4c048e7fc3cf

SHA256
3bc47c3256cba977999bb0a1abe690859c73c2955c4ea01d30b2cdfc56c21b46

SHA512
f3f4b124d262f86ea2238d521a71428367e28d08b895e31f6e9c663caf58a115468b37232704ced0d5221a766be106e8e344b05d23f7526531853a01e5a4d9a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4e71d162e8bd30558122cd0d5741df9b

SHA1
063a89a23720d86261030ad2c38736397dda318d

SHA256
fc0cd8cee9e37192ae06a8bc32b3c3937fee67c2dcc86ebc3225c59ef952eba8

SHA512
b5a705a268da7a55bacc4062b2c9e877bb556adef68252ba162be49bdc6fb1d50b56ae0ae16d9dd3cc8930473a50661135737ddf8706d720ea9a04ccd2718dc5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
8242b62b36f3960dc9f0e9c77135a9fd

SHA1
e2ffdd032c95f74a055eafd185b8117c11b0888b

SHA256
37963a7ea031168f82b0a8b709cb775cde9ea8fef16be0ff0f847827c52d2265

SHA512
4e8153fd8eb624447eef72655daf94690358c902e1b7c8374180eed999836c8cc8d7065eb646dfe8ad16c968c174188c76f143908483b3f5b4e8f618d4b8983d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0ee01d8ef767677a2c6ee469c8f495fe

SHA1
8c49b430bcd309bc8d08cecdb11a7d9589e2b5fd

SHA256
f0484dcfc2ad11f0293118431c50c93116d38418dfb0adcbfc4e0c024cafdea9

SHA512
7bbd71e4ba15ffa7a7a18e9730e9aa72800587675f989322e93905371c467322338709c97aa19da95f4a4a7e7903fcf3686f8eb8f7d2014215ded682acc52208

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
786ff768fc1a21d8c795a711a8121495

SHA1
c445a6ff710323a15f2cfd7163fcb45e718db462

SHA256
49ad7182c20bd85c8cfa894ccf79a6149d6b77cf0741a9bd55483df6f3ddd3eb

SHA512
3694dde5c8ee771a669497e1f9e092253c4699cc7824860caa4ad55add4bfa30701e0489803cb8e9757c5e55db8ea5b3e39e860ca0e9dc98c2e1238979e77f32

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ce66c61815c51d99025b146d3fb19482

SHA1
7192ac7754802e41ef65b9044117ce45e555f0e6

SHA256
b036fb9bd53cc77938eac601ca0fab1e877b833c38f17021a0c9b70d7c14285f

SHA512
74dff683be21abd7295b61c42062948ddae30785ce6fb597e99377bebe9cf4c96c86390b5aa73840127c01c411a42951ef9c079495bd6973fb44c90a5735df7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bfb1dc2268535820a61a373eb390a5b4

SHA1
d71a0e73d17fe063cff4fe736ccea006248d2184

SHA256
b26c479ea1bed1cd8bbdd6507cad90fd1db89dd3348aa37686159b8655d7a72b

SHA512
23cfbc83426d5101e33d9bbad07326c12ad18714391cbe937ef9768e973d60ea03052608717a153251daf2966886d9c559e8cc67da4afcdb2e3c644accc32c1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
fde1813d401da8129cf1f5cd1860a975

SHA1
df32dde7136dc662963a33f9dfad330ee2d3e25e

SHA256
0b13aeca254a962639bc7ebc76e3c612c094dafbd5a3892718e222e12501f446

SHA512
67400fa7cef5215e692fad3ff0d9885d972a50944ee794c379af2ae35aefb10b3d0d7f8c1a43b81e8d61d599f825aa7e7c6a0bf0dba256699d5b2569f3544871

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0783c445df946d6e71f66d67786c5949

SHA1
906b8d2c089d5ee7c7abffad94039381c008a68d

SHA256
3096371b026806f99734a4e87a611749f6dd7580431fe56f32302d3e699c95c1

SHA512
0e6b5c55ad4f3be5ba3da6f2dd8cddbeb82b1d6d84ac7eaea7d2d0ee23858d299204326b453db7f07f31d5cb0a5743ab3a8bc80d999efd594b07c9369aeddd05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
13deb488a4e14e04288e9a3ac669862b

SHA1
34f174f6e29021b6d40b2f8aa594f2012b29d670

SHA256
4534ed41236e2d5f2e3fb26482d11ef1b50941981bf6ba1ae16f4bf055fc6449

SHA512
ba361f1a4c88c8d1b3a8f8358dc471e34afdcd9f822daea13de52064a090d30d4b591708b1ec67435e8b1ad9f91893f513ea14b6bb1b2b2a98047af0573a9be0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
d64740f123736837bda2f375a0a06d09

SHA1
5187e7c8474103bfa5c0a90dd2eefa1b8e0d7800

SHA256
602272f4aa84a91ff8329765a86e2208bf4b5b5546a80ba3acdb597baf634bdd

SHA512
a8d89bd699e47ec279277e9edf5cc9fe4c3c1059e96bcd4dfb3ebf24a62abe224828211f59c5dc532d26450798712e06b0cc030a71838d4c7e51c8a3f56455ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
39bda1489f88ae09b7c58709e0142984

SHA1
6563f0ec6d7131f96890dbccdcf7f1bf71a147e7

SHA256
d21899179017ac608a4bedd85b2bf03d0c6282770c97ee1e92fc6f47b0d8085f

SHA512
bc4a032f16c6ae08c566fd0717d8e7540cbe456f064d562e0f48dd38f0be5fc942f8a5167e92a295622341ec9d093bfa2c96f4c7eb8e282edba8f409887829a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
cb3724d1456e2cba7db18fcccd3143a1

SHA1
b87aa643dce5a777ef674b1a21d854d182d13582

SHA256
4da503f94aebf08ce8279d03e59f6bcf0376ee962143e1a56bfc3c09ce49f375

SHA512
1967334517b408030e00ecbd5a6409e22bd49c0c502acc5d906672f77a3e54f9d40e0853d8c39fcf49449ae7b3d5b4638a306c9205092a0c68aca391adcad09a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
84cedef1c3665837160bf92e0266875e

SHA1
e43448cefda956d5f47f056d00aa90c61eef9886

SHA256
2f3ba9d9430375ca83b111872f0e6e6e0a6d17debf14d2573e9347edebcb3c06

SHA512
b063588d42626263b1c4e0163a180def97ac19bd97142d83ef6f78b122aa607cd2b305bdb8f8ff10c8ac13c09812035ab8d9bf8fc2f9405a5dd3972720875a54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
eb0853901e31f0006905088fe90bab67

SHA1
7fd863303ea971d48486f97fe3d4be31c208094a

SHA256
b96f8a3ba0d691fe51beb069b713207a2743f33b97be6de1011758609994669a

SHA512
e26b5c33675d7fdbf59ffcbaa7c83070948f4a31b9701ef53b271405580a33d1b33e3e394bd23a0c173235fd569140d32eb3aacad02759d95850b7b32ba27104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b94e5993348f0e01d1e77524d9c63909

SHA1
ca9f84f8c00f331a5dda0d5577fec6aec7e54e46

SHA256
f1e220cd44d0fc2ed9bc77882385a5a1da3faea4bb8810625b81db2ea0a62045

SHA512
aefc56975514bdc451734eae82f3963883f27421261de54d86e2104b42578ac5c9a642ecbd1be06f9068172e035991c20ad12696e4ed443b496ada995755dce3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cb42b89e4b9f1d2cf020fdd2576a5a3b

SHA1
401e9b38b8554a83d3be3f8c99b391ccf7286379

SHA256
58c10f9ec2dac9868d48d8d60fc45118d419520ab10c52594d842b007bcd17f3

SHA512
d6e693e56ee6ae6ad67a5ffbdfa4e3da0565b731d244e2045d5f4e041661b25f5f681ef79724824eeb81e2fb63fe9f90535d1c30975f0fd1989ec82e886842dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
894e1b21de1e1780cdfe756e9cbbb830

SHA1
2d7e8dc86e815071e14c23ce20d60f3d1fc4a81c

SHA256
28b1c22b496d253223b0f0303553e188a42cb68ccbd993816d04c3a83ee656f8

SHA512
ed809a117f86e3badc0ef2bbe565e64c4b0d89c13caeba7001fa9d060acc33e8c2267782b0529f33f8f7cfce614adfeb0bfaf9fcdebb379f5d1c627795fd33c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7ae4da074507fdec6ae6c6c10653f9f7

SHA1
876e73b87ee4a2db1f3071bd17dd2955cbd281e1

SHA256
0941583fcad44e9aa6aa74d3e9453eee283108a9faf47b2cafe364c54b3da53b

SHA512
dd769a025a2d04ab14cf9704c1f9864bf9b19059776d5c37cfa9604cb488ee9fec165766ef4e098f611fc54761c8cb9ed848fac492a3f5bcf38e3d73d0ff9884

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
12167f9e243212032d4e5a504f160882

SHA1
fee37e6cf3fc5215dd3ed337f0008d113cafbc1e

SHA256
2e09fceb6e349b8b27ba0171dca69bf94d6e9c9cb8bc54cca1daf13cb2c378e0

SHA512
ba69a43046e2a6e598bb81b39f83ab8643beab8f960fda7e5c56e532e9ac9e7feefa61fc2ce782106c25d15286b009fc43539ae51b2d8e3bd0cc7f16c7637565

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1c092342d439a045ae75097d36c886d1

SHA1
59e8558501ec15fc45f1fddcaa092c91f13d6313

SHA256
63581788eb35fe6b839c2719d623550ab38fc277750eac89cfbf1f2005f594b4

SHA512
2a5acea4482cac6e179da43c85fb01af35dcbc4b569ee9ac0d81f14d6834a77318366b46d2fef3f9e4bfab37903e315374a99884844c7db9b2d2d836c2ecc462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
71e141a179bfea4de648751c58c768fe

SHA1
0f8e6829e2ac035feecceb41b345d8f8cede1265

SHA256
1a25d47e628e228368433f31cdab7a391c7306168ded2966d671304d9a5cc683

SHA512
3911a506801407c48fa4cd06d0ad661e961d887ed45eb8833f4c57c319a699bfd1369d5393d92ad995ab03a054ff32643e09e241a315cba2194e31830cd46350

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ca46539aa5f824ee51767f526941780e

SHA1
6bf592def0b731957132527f170a5d59b978837e

SHA256
31e64daab1391fb963324bc752cf251c114d73abd7aca77958271cdaeca76d41

SHA512
536a4917e2438f93dadfbc7d6131aacda2ff143afcfa603b586d801da940ef9ed294eca4ba4713a3cc91010a2c5a24e4c0af9d9de3d0bf50dc4002fdc9e85f7a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2a293b3a12a5d36ccc698819e9e5d197

SHA1
4d93ecd3efb178dd33058763010e6f819f7645bf

SHA256
c1bac9c322c1c014f6deed4105534da98e0c216e913dd384d2ad38de5da5eeb1

SHA512
74213b5581aafc5894c779431f7d837b11ee7683cecdc5468051c724f26db4bd559263eb535fe683cd2e06a7d2c0107419c1396897ee41a4e1affd0cc42ec035

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4aeedb60a7eceba6e346946bc8908266

SHA1
a570bb15bc172a5325f70dce4f8a0e3b015b028a

SHA256
0d7097247d30f27993a703693837534de613f88ae6d8168508d38576ffa18335

SHA512
fedbe6ce048994746b5d525b744c8515bdcb3b3e04b6fff0690d2504ca4be2df11a261dcffa24878fce3849882241ee4de253bbd4099c0725e74f2e56917be8f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1bd35ca1f70162cf56f20dd4b433cd80

SHA1
947161e5b7ce39c4868e5afd2b9d1ddc48f549e3

SHA256
eedc3202a26579ecb4fa3b83e0f5dfafbc290eca6e2c0a257696a2fed38f67d4

SHA512
fe556262bc9aa190afcb082bdf23b3e3eff6f4fc3d08c976d38a8742455103446efffd08a26d41fe382d7b42451538511169f9913d1f0846fdd4d405070976e9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4048a9d338b00ae033c0c7b05470c411

SHA1
1ebaef2ec51d40af467f6cff27777e86500cd624

SHA256
6d2714d149e9686bf8809b165dd3b20cfdd9938ae8fa95f028c6f7a8037a8185

SHA512
4664f3751c4ee9f162f30000ec650b94738817469a6a6aba16d9013c83d24be903344e61b7e105262700d1667f79a677321771e8a798cbd0c86c3b8160e6e3b5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ccfd2f8b6c2c0166c2d68c411b477be8

SHA1
b65b90c4a345115e13eefd964441e49ae07e3b0a

SHA256
8ba9c3264ccb3e619d7cc396dd1f83d6cf6f4f08a4985ed3113c3f7a35d62fa5

SHA512
6ca7c816a98b505a49ad77b2ad99d931e59d0700867ca0e6149229c9f94e0787dddb4c6e8c4e577d36dea1ecd21272031d1e0d23e7fed6e9d4c8a0531013d7ce

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
930bc5fcbdd3e9f8f2b3fe33f35fdc75

SHA1
2b9b635ec95966340f863745591aed535015b846

SHA256
800007060b5dd1208c6894def41a1bd57adb4a777a80c3bb074a5ae6055ec635

SHA512
1b5bd17453f00e908a22e564e1a0defd6d43a9940e241d7e7553a216509d7d6ec2b34e1323e1b072313eff7149eccae212484560c2448bbe80e9250e4b409e6d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d9386078cccce8cf9cf226d5607e9acd

SHA1
d2d5b4cef886347b6a7dffbdd2332d7fde763edc

SHA256
296a51f65c422946bef81f042ce6f1329e0f147fa7ab0077c13484ee20750e00

SHA512
c34ec732d4d9af81e4a4f0ee122e90fba5ef73dc1c3a2e7072b407bef381e12c45e6190525fc8549dd782b9d5793f6f38ef070f03f608d06e589fb87735e218f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
655633438f528dbbe4162c5774c5fd58

SHA1
1851f9418dc59356bafc40f3ace8f41742eafcd3

SHA256
c307da3901fb372a002329df656fb89821fba8e7facad57aba2604ec7d0a1344

SHA512
c555d56970a88979caf32e00409df4a0b1145d7b21690f45891dd7d99d7e3dd317f195eaeeac72daccba68e014b15c1dc93779221bc0b1e0e422f8152129b4f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
836b07330d0eb085caf00f3cfe6fa4c0

SHA1
b088d086cc193d85f5ab4c1692d76d02eb8d8c8d

SHA256
9fee695d04989800eea3907867c5578bca6514efc71489978141d8f219f43e67

SHA512
63681a9a57bd31ce06d1322c1ea23d2f11c3acce4ca1e71274ad37baaa990edd6cc1f480c56259ae996c292abc7217027640785efa2910743af6c554131d276c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
857798d17377da23e87894d6f836ecfa

SHA1
4606a7d55c555861fa162410597a7064f5e87eef

SHA256
2d3c095a550a756c022e8d9b60e5e7e9a2a9663b20483c0354f340bd28f7f76f

SHA512
72bf1461e1c1d192ab1d6d25efc8a45cd1063c8e08d83cacc72b57eee4a852d0c870860c7e8bb914782ed9b9b4798ef5b4f6980502373696d4ecd2db8903850b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
789eed7b2b8740776d6806258180c287

SHA1
43514daa21e0e9539ead867828d82b5a911aaeae

SHA256
7ca354deb546894351a9a380673ce5c9dcd66777a6a33f1f50b9309e6c465bfe

SHA512
a9e64f96e41ca140449d4f0ed55343d7b444610ee390f0b78908fd9f9610ac06ec83b523793bdbdd2574f77feda9bb361eafd3dd49a1cd6ebef270c3348e96ca

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
d5800b628e10e9cf6a99101028543790

SHA1
d43ec0a9bd7c06dd22698cac321bf9da3b3b666a

SHA256
22e175e84794fe19861dd5e79d3da409499445dcbf26dba89fdad4bccb1b2d3c

SHA512
bd30f82f0fc15a3c5c7532c13af6223d99a6be52ce4eff5719aa456c8524a2e4e90ed75cebf52c7f56a9bb2047bf7594e96040d117fcda57c1aa44f9c0196786

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e3d3a1a91b212629cc2287514ab8f231

SHA1
c837c0aebf97aeb5353acdccb6681941be06a74c

SHA256
826d564971f771f8f0438455c8b4b7152eada9a3a3d55bcecaf1cb04bb661e42

SHA512
dbe84d5c862c964d9ea8480887bc609b44317ba38724fa8956a66ac4e67d3114f5ceba994ea28d4c8e5dbcfdd160691c57228773aa359a061ef5edbccb24570e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
a7830f6833de9ce5039c33a027817193

SHA1
538b2c69bf3355d71654c94128a7d74c84a5a607

SHA256
ef245826de68273b84b52c645b594c6256e36d7f10038d771b02e9e0951e4316

SHA512
7a609b16a6d9ad5035f08fd64ee450f94961a8f3d703fa0eacf5a4c4bee56b8f750400e853d957f5da06f330572610337c2fbe43ffe12f078203c028f0ff6925

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ea67348531763fe31812d228f2353afe

SHA1
6aabbaedef8a1d1b7ea8b5da113444bc0300cf5e

SHA256
7637dd70a1d8f05c15a79a7ce7e25df33b866872fbcbc8ea8ffb9c074ee5cde6

SHA512
cd1a5f4a466de6ab6f42932d1c358e772302a11fbd67a105c8095fae446f4ad2ff1273be731dd61ff859cb4c233491fcbaaad1feccc83258856e0fec108bc0d9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4c623a411488ff7a774bf00e5ee03dc6

SHA1
dfa333fe9ff6a5990a480ea2a3b40ece883427bc

SHA256
28bb4921f92d46f4b90aa2fe786c2a48d37822563e89a7017017294f537f260d

SHA512
114c5cc7b54c9adb23f2420dcb5cc294466940d4a516c7cafc7de9b73b928283b86aad9838f21b4bad55851dbb441f4f35fc7f93c0d49144d2b8ef84a76b3053

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c5ef03a7c791e02fd62b0c8c845b1305

SHA1
7d1a1f10be38a551a6433ca8f450b14bf9827023

SHA256
e8981686209ad7593886e6858cc2d83cd842fed3c0898ff97cfa1e171e6f1aa3

SHA512
eb355bb59e68510a3b13602aede8ee0f3de47930677a51c0068417f6092953ba980176ccc1939c5d08141beaabb5f215705241e82f1fd8c0a029a1d57e200296

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
29db4454960c036dfdde82035cf7fb8e

SHA1
56faab5904981168655ce05bb82c41c9325a02f0

SHA256
219064bfb5855fa0094e179c3308bea2b97ca72672b1c592d6a91820381ebb77

SHA512
5844eead054bf855a70fc17c60b2c348d5b02f739156541dfecccecc4df62d5ccf7a90a7f35aeaaff3a2efcd4cf73172efe63679744fe6f6b21bfa8eaf3e9d4d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d38dd25b5f98832f7d730cc030088fec

SHA1
326a576c866d2f288396ab08c6e775e75d4be4bb

SHA256
56e99f096d346940d0e492232c13be1d3d7dfcce964f0ff98ad42002ed806a59

SHA512
b3c1816de8771baa239a3232be0e04ae17522217ede46d4c690cdbb53e97b5e8ca08a22ac787511ad9dac4b9ca30210834662059f700bb1079ec575dc7f8ca2b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
aba062a0234406b73049a58d84ddcac7

SHA1
985084813effa67ecf19c81fe897f27577337c0f

SHA256
745433fe3cd3f8c979fdbb62910ac183f8e792ebd00a63831c658d441002f78f

SHA512
4fd48ebacd1689629ea257940f1dd4558e616b0f276baeaf6e02ffac69f11fcffccf3e63770df4d240b6c7983b2a1e5d19c885df00bb4af9950c73af8921bc76

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
84d959d1a63ae9563c193a95f8f0ac12

SHA1
7e0392aca4450fcf96f59eee2c5c79309469ef84

SHA256
d6b8a99e83a79786386b2c48140505f6769e07337d4235f71a5e421392414565

SHA512
5b4491be94de385241e506b1f4b10aa0347be17df15f9631ff3cf466a10006aa035bd422b69d72822b29a8a3586ebb31da93a16977f0d8a61b62a55e0ecb3732

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
671b4985607b15e21e7f7fd3fe3bc332

SHA1
030845a9f9074f2d600f7605da898e0a5718372c

SHA256
a61cb3793c8e144cd3930af98a14c815e8dab08eb22ef343db7c43950fcb4099

SHA512
f3915c9d6829f5ace6fe4dea61d1897c24387dd10666e3a3360d5a3333821d37a47e9be067024c2748319a4e6118c5e7c28345ca4c9d57b95233790a8b2aee7e

Download Submit
memory/940-147-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/940-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/940-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/940-473-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1060-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1060-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1096-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1552-151-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1552-92-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1552-97-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1732-469-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1732-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2092-30-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2092-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2092-37-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2092-472-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2240-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2516-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2516-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2588-150-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2588-81-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2588-87-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2620-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2620-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2620-21-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2696-474-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2696-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2864-475-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2864-161-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2908-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2908-58-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2908-52-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2908-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3044-75-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3044-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3044-69-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3696-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3712-132-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3928-155-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4316-156-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4532-1-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/4532-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4532-6-0x0000000000B30000-0x0000000000B97000-memory.dmp

Filesize
412KB

Download
memory/4532-466-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4572-160-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-476-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4580-162-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4700-157-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4872-158-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download