ae999f0ec13487b64a16923eed3ee17be5310b67c45f0aeb84b7238ebe912e2a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Size

1.8MB
MD5

827cfef6743e76e1602e7c17b41071d0
SHA1

0f849613d8dcb3af80dcdcbdd3e9356d76006f44
SHA256

ae999f0ec13487b64a16923eed3ee17be5310b67c45f0aeb84b7238ebe912e2a
SHA512

ba6617f97186dab8bbfb48ee27581976d9c2e492167355a12af3e113c6dee870f02166df0e25e5c8b9f1cb5a6a81f5906b23d2b69681d41be97a5ff513f3e9ef
SSDEEP

49152:GEW9+ApwXk1QE1RzsEQPaxHNZ/i3da1YS6ozB:A93wXmoKB/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3188	alg.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
3004	fxssvc.exe
440	elevation_service.exe
4476	elevation_service.exe
4208	maintenanceservice.exe
2444	msdtc.exe
4540	OSE.EXE
3960	PerceptionSimulationService.exe
856	perfhost.exe
5016	locator.exe
4576	SensorDataService.exe
2500	snmptrap.exe
4312	spectrum.exe
2120	ssh-agent.exe
5112	TieringEngineService.exe
1588	AgentService.exe
1332	vds.exe
4872	vssvc.exe
2724	wbengine.exe
3124	WmiApSrv.exe
2852	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8eb3e804293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090739403e3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b9c7c03e3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000937b803e3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036385e05e3acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f791803e3acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af6d1004e3acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099000605e3acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053c72603e3acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
4204	DiagnosticsHub.StandardCollector.Service.exe
4204	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Token: SeAuditPrivilege	3004	fxssvc.exe
Token: SeRestorePrivilege	5112	TieringEngineService.exe
Token: SeManageVolumePrivilege	5112	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1588	AgentService.exe
Token: SeBackupPrivilege	4872	vssvc.exe
Token: SeRestorePrivilege	4872	vssvc.exe
Token: SeAuditPrivilege	4872	vssvc.exe
Token: SeBackupPrivilege	2724	wbengine.exe
Token: SeRestorePrivilege	2724	wbengine.exe
Token: SeSecurityPrivilege	2724	wbengine.exe
Token: 33	2852	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2852	SearchIndexer.exe
Token: SeDebugPrivilege	2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Token: SeDebugPrivilege	2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Token: SeDebugPrivilege	2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Token: SeDebugPrivilege	2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Token: SeDebugPrivilege	2492	2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
Token: SeDebugPrivilege	4204	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2852 wrote to memory of 1280	2852	SearchIndexer.exe	SearchProtocolHost.exe
PID 2852 wrote to memory of 1280	2852	SearchIndexer.exe	SearchProtocolHost.exe
PID 2852 wrote to memory of 1016	2852	SearchIndexer.exe	SearchFilterHost.exe
PID 2852 wrote to memory of 1016	2852	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_827cfef6743e76e1602e7c17b41071d0_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4908

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4576

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:468

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1280

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
46466f89139f7d33fd7a437fe376c860

SHA1
d3315bda84d6430fcc8106f1e4cee07a53f53afc

SHA256
43528ffb8b659906730ac5742e904436a2012f5b8e37ac4b5d2b80339b5215d4

SHA512
1afb66f4e500d0582662f3b3aaf9e6eaca63de2943f21c596106de8b382b7bb0836f25e3d7d039a5e3e71d62756745b943d0ab71d3ab7bd46d00dbb5a793da02

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
4a6808ecc99c332b31e8aeb90a2d25e6

SHA1
c9897f4420567d2d8333799254660c9d086d97d7

SHA256
7dd0e166c5d5660bef36945a4fbb7abb4db28012c05cac61e4a24a01e4944365

SHA512
324109c0e7f90b60f908bf6df22e4e157ae92c544eab29d29cfb79eb52dfacff09532c7313db4197a8fd6d963d19b915f493fb3db0d635930953b76739e29a09

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
a830330018c964f7ce5d0678367ff3fa

SHA1
3ebbd3b10b6634b73e0b3ccfaa489b674b8441a5

SHA256
e6e96f679b969ef6c5f7219268c2503ab64f116b37d35cd28834097d247b43a8

SHA512
5546e2152f04651fb506ad169709aa5f121f399067cc002d549ae86a2e29397aba7be06ea0036714d565e0ac9080c74511b09bc5041fdaa06cdac899cfb79833

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b6db40d0ef1a5377a9da506dce023625

SHA1
0c8e039cd1b8557a7d9e848dca12e7f8faef89d7

SHA256
579b5a4f46952ac9984b5ee098fbb6e005f8a704228eb5dc31f4c12526836543

SHA512
ff7b69a4630800afa4ec3c78002c0e0e80d294b88eca4e640facbbb2aa71285bfd6539d15a01f57ce6e9eda3f054d3a1fea06a0c7718b5549be7b08232b9e866

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
ca4388be969120b637271e9fb6112ba0

SHA1
41128f55287291bf7e7dd6daf057645d134d1c1c

SHA256
04d09fc1c93be3e8ea0fab42bfff2337c02339f185bcd75a430c5817220fb827

SHA512
92590ce08448d639afe7c739b4c56c048d318c8ddcab73814a583e3c7e5a12642217e9e4cb53404f6358b1e479bb96452a1f7a5f7eebabc4c99bc3a1e528d2cc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
70c712af5e12424a95944bcd6f828137

SHA1
c457a2489dd62ab27aaedb3dee95caeda24ac757

SHA256
59d22377cc9d8d51efbcfc4a33cc26a002af3c7e260ed14efe6b0fef28320140

SHA512
61bc2f3664906c99640f05bddfddb27c2f52f6d5aa548f22dca2ca7b75cccfcd862b50d7cc62799d1233b6075078369be3ff417a6b2f772a306adc814d6013e0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.8MB

MD5
e7ec01f51fd989a0077e6a8dedbf64ff

SHA1
214fcf1d18000680e6d150c2d6ee8ed0267bea6a

SHA256
abd513380ad74abe84ce6b23b185a2266c94f1865ae663847f4223df4c7b0ece

SHA512
ec189a93aa2511dfd5be72592ef461217cbc168f086b62df3f6ce6d1ac318eeabd09d808578be40047f921af545a67b1430a7c823df3a946010b5c98b8da71c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
913e94342da39da3bfa29e360215381c

SHA1
625f9833666085577e9927a14bcacc15c104ff10

SHA256
414d273d1d18cbcb582603bd44e6e68fbcccb9e7ae15d11b1f2a7f9c65d077c8

SHA512
d48a5f09fbc514a14c46fe16a01488aa3bc7c6c58977190ded4113c563978ff23746c292dcfa4b5fbbe3ef89f1f6b881bc39ddad46b17c12fe6d3c7e79b61882

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
c2a96324ae52ff16f3391df78062e0aa

SHA1
98a883967c1de77dcff3bd51bd6f4c591f9ea071

SHA256
bbf8265094bcd4759f63b06b1ed69228e72ce44f3566298ea4d3bcfc42a04f4c

SHA512
e355d084250d447f22a32509f91059fec87de060862a2bcafba3186c384febeb1a137a530bdc806b24eedeeb6534cfee11c3c4b27175778bcdc7cb070a046262

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
fb16cab49c88699e94ec317eef023f36

SHA1
d4688a1d688ce9f4c183e7f8d6879bf1b22b173e

SHA256
0d781d5d8f9eadd45002d19081f9cea150b00c91c7bf933a2a9b8493f7b6e457

SHA512
ee5357de668bc91185364a90a93a0db870d3cdd8d169ca7db653f193503391f6dd9f07821e47da14eb790312dea2c41a0d01ffde919eb762082d9ce4b8aa6d6d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
0d85bc7e8247b5a6ff1702fcfc563472

SHA1
37ef73e20e8ea51dc761b6d77ae7cd37bd19da77

SHA256
b193f212f486aba1de359970286162280731179ff5f61b942ae5d13352cc0f1f

SHA512
121837c3177cade9525843248dc937b27eb5b5567750df069ceb67de07dba38c59d6dd672f0bb683b6391e292c0ddec7b988e0abd8a1ef09c1a0e3beae21a00c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
5669fce1e935acb16c03dd2ee05c5f3a

SHA1
08cc3d16a13770f5dbaa1e4c4361c5b935b91c8a

SHA256
3548f60e8de0996d3b7911e88b0488be6dd81f3c98fa554a6290dae3a5641837

SHA512
eb9659975ef77d6812e522b29f58dfe3a6dd70234715ce8004ca1ec7627871bf60c281d146c2d9d5fa44ea8483b467a4a24867de30a823b22dbf86f2d109020d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
7513efe2817caf824c6ab8437015d850

SHA1
e879fd979fe0a5a45f0a129bbfb4f0187f4858af

SHA256
dbc5563a4b5cbeef8c4fb2a9c5a0dbab7397ee6a7829e792c5c88dbd8089e2b7

SHA512
31868b5a3b2b708ecb0916fec10dd4edc890a8c9edf3bf2b8041cec89f9466a1b77ff0dda1e8a10243d03c92910b608508c22d5d7bf365948ecc20958ebaf736

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.6MB

MD5
c6d665afd77882da2f90ef374c5456db

SHA1
7901bf90739a0f0381dcc79943b104d94badfb12

SHA256
689d7a08e77a8d2d9390151c1c0177982e4fe1b4604f3807c3c3ac182b2e4681

SHA512
7a9b46b2120a705a5bbc058479402774c699aaae767cdbc8f5d5e70ab2f1f017a6091525836fbaf82a6bc872de418418a3f4db59ac268f9e8ed8a9e92055aaaf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
39573c18b975ef81cd8f97c627a41b61

SHA1
76d0c50290b49b28c8f93fb7a7a9507f67853bae

SHA256
c50e5a9ea7ac7fbb76e82b8788115d47613047d89a955482165ea452901701b0

SHA512
ffcf1dfaac7d343481013eb10c1447628a0be714678e20155083f8e2a43d08db218a027a9bf08987fa9ae93854765cb3e6ba7e887078e5d4b78b30a8155af3be

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
569188b7229d8b4ca358c3e5c83f5778

SHA1
d22513ba627ccdf716b89519c5f509c1e9f5b828

SHA256
762a588097c62a24a0ab1753272fa4c08fc69db942373988318977c17c15687b

SHA512
a3d58cff2ab42c7ffef4b5b45843bb1b02559a48a0f5326f7ec200e63d1ddbfb3d9a1135e5e3fabca5baab1f17413db421e53a6f47d2486314f99dca4e3ad787

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
7ce51742d1449fb5a105fd0279a1002d

SHA1
a39b606f7fe3a3af1abcea0d194436cbdcb1e7df

SHA256
436d87f25771f33eb77faa2b247c9bfa501661a2800b87793571f483c4d99700

SHA512
9f16e90b559eb4a2cdbe66570e53d4b98374a32e36c236d50f81f3fecf672f49b883cfacd92a5336ffa7b080eac969cd1ccb8013f684a2aec51b29efaedf1550

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5cabc35fe427182b8179121d6b00b1f0

SHA1
8ca2272a44122bb7af02c9067c24df1793ad4825

SHA256
5bb4d1097991f3896e008af6256a233856254d7ba0397a9ab47f53f8f39c57d1

SHA512
c30b6937553c4413f6316dd46c00226d14c475f0a90e8ea54e202c0d7726ebbb95db7fd46b128bd68f5e666ed133e00ce716fdccd4f84db95a595fafdd245238

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e60c8c124f08de5bfdd535a4da779827

SHA1
c8600b2f4c0e9366cc0da6d920b96339635cdd65

SHA256
f1e9192392b7cda5a7a519c9c27212a7acbecdf978103bcb6625e22a6119f6c0

SHA512
76ec646c1d1075534ce2d7a99553abfe08a0c8e970a655d6ee35a5e4f32231f82c69ff9ac19998568ba08ead64d71876d14deecd33d1ffe0e6d4867b42b74652

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
74f1a04caea9bc4584ca1846c5c91c0b

SHA1
afaf26b2d58857450d3628017f2174860a61ad84

SHA256
3648eccacca45e856f33f1e897a948b42195dfa59d8ea8e9657d33c0c49aa7d7

SHA512
c3d2753fff85fc031b23f598ba01dd7f2a39b10326145ae9a4ac33b67de7734112dde0972f92272c3b40d82d5c5080c217211605bfc3932451bfae5053fdea0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
b5f1ab7345de7a2e51796282f4de37a0

SHA1
81f028806b4584875498dabb3d80c64091b7650d

SHA256
451127819ce5e112a37a06df0639b80e195c6447f40c20ffa994e0e9c92bff35

SHA512
f1d4582a5865945ff3b38efd05582d833c10e56f76471dda095e879d40740746d0026258d1c2baa2f8e956e652d0586c8f69eede5667792ad6afa15514ba8373

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
5e2664e59fa293bc3444bc0c49c0b754

SHA1
9de9c125c1ea8f35481e18db208f64e292d5ea10

SHA256
27cebfcb05181dedc1ab7f134088a88862272b39b167e74f3918ad937e9f18af

SHA512
f34a506fedf9ef052f5d4a1df3f5fea15acdd6864db72ff32093176f7f3b13deda01068080a5d2cfa1749bf03aa561884af229384f5aa3436084fccf6b73e975

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
9dc98370f7767fbd5ef93adcc29bd664

SHA1
958be69872a064fd82c9daf2437d46abb6a0687c

SHA256
56b8b7ea4586112a5a8dc25d51812ef747f78925ed68406c2ab1f35d9731f252

SHA512
c6684b136a5518d868854441744265664c29295ccf3c8e4b27b0a642712d1382b2e34279602310f2d7f70a9459fd79a933eb76223cb9b0227286d926acb7014d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
d936a43a67063ecd7e13c04fa83467c3

SHA1
b330aa1202cdf05051251a00ea42833ebb8f2787

SHA256
f644b3babd563f7666fb99c3ff012201ab1df9ad337d21846f151a9286c391f6

SHA512
741d21680dde893f433b6571bb81d1f32cc2a89f0bf9e5c4393bc6e62fbbec1cd0b3439f2286b6a01724bb481c3c39d580249c099fc3177f59919b37313d962f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
e68bd37151b005ee17a80430ca0d1fa0

SHA1
33f5d4412eeda6f8bb7f01bb611422bb7f54200f

SHA256
37b8747ed34608a07d1dab432672daaacc273bc469caa870c646290a04fe585f

SHA512
1ad41a6571f398362bd7516471c9a723187464ea43aed2b4c55b68ffcfcec6cae4b32fe1f593b8a0bf523b3c5ee5b399dd425a50f1d285412d8d8e3f38149b20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
4e9baf69027dc6997955efe67b310a78

SHA1
a7d942ffd96790aba39952038153ab169801a6d8

SHA256
af74c8605d2971c805be1b4c0838e3ab97222a29a2fa8ff46c208284f89a61f7

SHA512
6d7ff2c4b223c666937ae7b47adc6fc30c076ff6e113ef9a4b4fbf0dc8ba648388b291f13c3856c2ea5b9becb58ea13a7acb0a2710592477897cdb7c60151a59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
d3e3288ea2f422717c4601eaa78370f7

SHA1
b935b39b2b461dac5bd76a6951893082b529b680

SHA256
e4227ba089e24d7303d3121081b4cb4a172033f88ce61c0397f17737b3757b19

SHA512
748d11b68b38d512967d42d881d3241a726620148e9baae6834887b7db176ab9dfb76c94c5d043ee39eff1241aa036b7cfd0c6cfa892b8f4a87615fdb12cd658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.8MB

MD5
07f232432c2fcc7f895c4e80387f5254

SHA1
8faa9797021ab3c14f3e3cbe8da0d2a52505c648

SHA256
191b571e97ff516bbcb7e5779c074d4cbea12177f03094ecb785dc31f0c997fc

SHA512
c47c6f35e7266253bb86f49e92e214a417752d645d1072cb7cc15ebf41aad20fba2001474a3f42a98886765fe53e43a9e0a961b8dae5e46a6f24549f5ad1592e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
e06e2fa5c02edda0d592339433915ffa

SHA1
3caf2a52ba970b9fafcc3967c9a13bd65e331e28

SHA256
475b192fc6f20777bc7c3b2733bf826d1188737f5f85a936e89fd862f8be6292

SHA512
5bb17808c0b00fb02edb46e71712f0a7acfda92c37340047f1f4132d3cf978c3e9c8b2f762cfcbe038550173fab10f07cc812a8381324c90de858507575829c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
3330c2dcde83eada2627abf039b98fab

SHA1
cede0a6d4fd24e64f73c01cb45b4e6c42b15fa45

SHA256
f534fd19a65f848bd6796c2b22811c998d114850c6e5653fe43dfce29278c826

SHA512
df24737d834b6434638f421fa34291551e6843729fefc568e7781b831198d578441fbfdbf722c20e016efcd85694c46074f8018da4af5e828feec3c5b1759d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.7MB

MD5
cb882780b877a58973a0f487214508d1

SHA1
cdc06dd3d293598c1ab764dae6d75dcc9ef39d9e

SHA256
4e9820f9f2b10c2dd6f8764c6b38aa2f0597e6270f39fa564da2541dd4885fe4

SHA512
f24f4089c897b2622783c1fc6451808051ab6a93833427ac507a4d1d8422f464a8e9b1e7c9ab375ed422eefcaf49e26be4c6c2b059e3263d2a17bf8dee4c64b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
81ccd501579c9364e9850954f7748a75

SHA1
31a4a12abfb2e2b143383d8fd739c8d28b1ed93e

SHA256
561cd93cfd260cfd2d105daa95ce186f4923e1cb63ca08a6d186b7ef1167ea71

SHA512
4c5ed457a5ebb8399b1be0eba8f624549b4ed9893cb41cf93648cca557869e0a458f9fa78d028c4f31c8b1c73f65b6a136747c1dbc930d99c7d9a924ee6dcdbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
3b0c9302a44b5545416da826de40768c

SHA1
2040b1d39c0a0f387487a1e99ad1b178a69cd577

SHA256
f264dcc7f1fce8dc03f77c8bfba4f0fd19e25a553b0ab0fa27170017caec9cee

SHA512
fc7db215997fe5e004b4f01efcc63cbf8f91729e2c91531dbbaa1542cd7c50c225805607dc267afc36be9f3720bcd46b45f116efc34f288e2db89edadad35813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.7MB

MD5
19af0603bfef23fe9055aa381eb155dd

SHA1
77df5493bf3c75ac474b9cccf44ff9fdf7538e22

SHA256
1d8879d1ad4566fbdbf706399bda7718b48623a693c9517b45e82c7305cd7dac

SHA512
58ebe1c81cc42913f7f329b9a8c496b42ca9f19991b2c7c4ac923743a32ece20d5c54012253ba9bce4a5f37aff45d86ef6ac3f08665cc2244cf8d3fd0c019e22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.8MB

MD5
7514fdb4bb550184c8d970e619f0dacf

SHA1
ca3f4269926fda2c2af3a3623e612e160aad1fa0

SHA256
6256b3f0a5eab7d8d888e74e4438cc7a69b78e1dbb576ecff5323013e5fa3e29

SHA512
a0a62c1368ba68376beb43dd4f0a2e82f4b19a9318e3fc6522e14a7041b35bbf31016549d79b38fef789860c1d58b9c54f644e8bdcdf59d4c601f382c45bad3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
2.0MB

MD5
9faf1f77585e3663c8db8c39c27d4c56

SHA1
9e57a8ba63a82fafe596b483f1dd6342d75010d8

SHA256
f4f61a000c98dcab798419b957f8cc2b57dca33c909f8599cc79ee7141942291

SHA512
247318a9c16b2da614fd0836753a60b51bf5ec53824b6bfb64f4c9260d9a34244ad850fbff70c31255264330d65cc73389ed945e93d68c12b227cffaf4126059

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
45825af0bcad1fa759821120a1f253b5

SHA1
fcba797026093cb879e2badb14e44f4ad45e2743

SHA256
1f7f9901c58f61d0f7f4460c1a81d39bca6ff76457c8e96c5bf8a35b8a6f13db

SHA512
9b1740a376df43848b09a21efd03c2c72a38fc74226e5b9aadbee0a97c2f18316e9b660919c232a2abacc0c46f5a8ea108a77b6108a8ceba56775552b69add51

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
bf017af464f599d358507c275bbc5efa

SHA1
c83824b43fa4c3bae22f50581b2b62b2b6d19410

SHA256
57cb5588836a59875415aed57f60c3b3ddbc07283a66bab5a3f4331ffa4eda7e

SHA512
57cdc61ec1d71d8aaac0839a87e8ee74fb434027a97ddb1e96a740fde409044937e1fd49c3e0bbedca0d63bfd9545ba21978828882b14890ffab805fb37b7d3a

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
3d3563725e41107a1ae8aa86e01c9ade

SHA1
82d4ac2aaeb2ddf5328257b7be7ed599f62b2148

SHA256
9f27862be7750f39d5b34786249c0295fc9793c225a7e0b6e6349c49aa2e4300

SHA512
9c94bed9eeb749dea0516b420f3cb2f350f9c2807b92936434e22c85a2fabf2ab5ac1b8a02c14b1059527373d4f5b87d11e29bf8547b1034f5cd0a71d17fe53d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a9e3c765c21f3d08fd1243b71a5dbc82

SHA1
315af06350f814a72471aea6103beb6798672218

SHA256
0cca43a9becb60e87d73de41070f7db512bb78543cb2200610fccc1be78e732a

SHA512
cc7bca4a1e66e351536642ff9be8a549e9e437ce2ac9502261d9d89275e98a82a194d15d2384749d628e430565d750ed166e312ff81ee7572ead57ed0574ce56

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.6MB

MD5
d85c1f9bd6dee2d345d60e7fc6119fb0

SHA1
d2cedecc6fd9a7c9c1bd098558f745f205493df3

SHA256
7547baf56c7f6dc9c487b298eef3d9aa83dba6e6f787ef929354bae885a2cb93

SHA512
300be6f689e2324d282aa691a8645c6a4fc55505e9de79dbfdf99c2a579a997a4249c18fc223825ce9e9702acca9501e30b50d916a489015a4e4d7f38d609f53

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e3046f2895654742ea7143196262e926

SHA1
5ecd1ab4c2f4ae9ff2da4217c71790b9214e4623

SHA256
df545c7730166ef90356c512529bce0d10408704d61ff864adce3baf1d5cc4d4

SHA512
a0d36e6298396fa18d16edd1bf91db84367dc789fbf90533c181f60a97f2581de1f202d54acb30a782dbc1bd14df96336b105b341e2b15980ec6349b8e9d3752

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
92e6c4db16d2e56cd407cf524fbd8312

SHA1
b0747a3273a05cae34ff272afd6f03b95efd123c

SHA256
dd830e0b235517466177c449db4955dac7fb855c32dd1571146429f2694be617

SHA512
e53c2fb6c3801985d81facdf8365d2e6d81f8e2fcd30f3c3e98566e4147fcd35c2a0a62a96271e9ce3ca2ab028f45a78e6d2fc416ea64ec2423b15a402de97d0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.9MB

MD5
d3a0bce30fdecf9ccd6e12747121f88b

SHA1
ad1d9f63b9672e4be9ecb28e73f34635447f89ac

SHA256
588bf87491f0ed3331c957a2efffa57e8ceadccfb27e6edc1cde5e8ca2b2de8f

SHA512
4bd4771dc28fa4bc10993fd71d99eecf17d451b6d8a36bf984cf2e11af95c1bf5da0115778d3a3cade0df53971350cda86ef035da55c73323a88e43b942b99ec

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
62859c00a639ae7a3c6a1df01b4baefd

SHA1
99fb68ee92c703dfd9d8f87e8c73403cef5d5e5d

SHA256
55441b59cc514c691469f4a53c8e3b968c36c27739f49e8bbcfd6f42487d9a25

SHA512
5c4229edd2d83bc68e87793ae078bf4af37a659858eb3017b1d01b7e09b87512799a472069de356ce74ed3cb857099b6e28188eadc61bf28431db27cf7e49896

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4f52f719167b1513d50c938dd67e7489

SHA1
5308bf1667f1406888fee4a62b31a242ca5e7373

SHA256
6c2ac43de9d9c52cb7b514654e7047c4df68e10603c5b9850e92d2a9cb2e9c5e

SHA512
98caff3b1911f6697c727851ee078c06c2da6651877493a105b5ebf3d481e1c132b7480c8292a9d8204fa81fb6ca7d73c09ea2c36b88c42039e6154ad36aa790

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
ab1900f6d7f89a44a35105ba3d852439

SHA1
506aa0b7506fdf9a9cf308e62a0994ae98b3a0b4

SHA256
1b4674006fdcb48342d1833ebaca2020f954371284faeb82987bf1f1b1d10fdc

SHA512
bf5682d24b0370889734c25edce1642a718298c58b0c7cabd77145cee6def170c2b5875c3d5e2b1856a3aaea53e0019dd50693e15aed99addcd7885813ae4ef2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
63d23d5298d4eab51e279ff4fe9acb6d

SHA1
04bdc1e598286935fc7ed00e7403cc0659b2d678

SHA256
534b19fc463e0bc00308db9fce9b6b4b94288b18048889fc5e4b02b13d98663e

SHA512
38574046c4e20d7ea135f812ac7c94e1501efc200654896b0f9d7764eae9427cbf48c33186963313d490688b59eb1710c7511b40475a5b2fd851a7a2e1cfe15f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
84f0c985069d63b5e83066441748ca73

SHA1
62ce2e82f5bcde442e3f0b34f59d9f5b2c1bede2

SHA256
d4c2fdc6fa6b8494b5708a93bf723e717d3e8856c5a02659ccef630b12dcccea

SHA512
c2ad2614750784638685a4b3ee972ae919e9fbf9019881348eca67b88d80c09efcef601859c956476bde4722a54ce7fdbee8c099962d0c9495b7aa944ab48b6f

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
40a98f3cb8b2e5c1f37d897d81fe350f

SHA1
b9000b5b371f9f53cbead6defd30d87ac609282f

SHA256
d60a3e1ec5676f6f9be46aff1013ea690d62d6f94595b3d7215ee7476ae59928

SHA512
0969116697ee0a097d5118e34e522b773a63ced9c6032fb4d9f0e02b7bca8ee9bec2f44a8a648497afdf56c1b55f8556219aecd3acb516cb501b46ad8528f495

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.6MB

MD5
34c6a2cf9d7379ef9504a9bcc14f99d3

SHA1
b1b1f017623ace13b605a35f9633c882ec876c6e

SHA256
d5c4b56be6dc405d9e2f0354d698c5b18c983deaaf72d3db3d1782c463bdd6cc

SHA512
cdc93da2cdea8cdd62349740c34e57f7b97dbb57507c9c04debf12d784e374227bd63e54a7be5e8a0e8438bffe3fd98f37a14fc32ec01b0916442cdfce723cf1

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
5ce3ad39a40eb57fd7da0d4663377846

SHA1
844e211398b10a986cd8877ed09b73a9f8eea22c

SHA256
bad98f4e936c1607aff4ac8ba7e7cb76b51a7a01f90597dc87b4216ebadb4643

SHA512
a01d28a4afabe227e23c5f912c9858a7860a6746424b1f9b05c2c0214fffbef9de7e7ee8160ba11c381719a9616affeb7dbff63a9617a8bffbe004b3bcc18ed9

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
4a50b9a94702b0088562d0f43afa4a22

SHA1
2ff0bd6a4a36f0aee1ff12f1d1d8c79d8955fd62

SHA256
56cddf37bf929056272defc641661a46f3b3f37737dd14a4732d65680a908cc5

SHA512
7f41d9fe1868526b2137bcc2d26ce7e583ccbd53e13df4a44267110e9d00ba685d295009a1c83d484e024f9de6c45d3678dacf9943d8e35987754fe4ad38cd63

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9f4c610ae7f8153d67e2d98a889e28b7

SHA1
927059ce4215535fbf137ae47e69379ca93e96f6

SHA256
b558a6e7307fe9390ae3432b39a18231ff4e8a56f4b1430eda94b627c8af79f0

SHA512
5b96b7879d84f3eabf62ec6b4a7d8d001a1cb39324d888f2636b7aa8079d827b5a7973e21781dc5679b61a6be96a164405e1da51d46719615f4d626a738136df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
84c5b2e4117fb928a4a98b8bc6912861

SHA1
f45bc360f220b4cd972252006350281f1e380355

SHA256
7f139e95d334adc08dbdf41599d50ba9ec0508a70b1f1444b85f1ab5b890f1a0

SHA512
9387bb33eb71d1b62d136650840eec6e49302110b3f9b07d4fa9cd976077de1465a6beb206b9a01fe076b4adad78846b1fb302f9caf546c3068fbf330d099685

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
6f810bbb1386fe68cdc0303142d16df0

SHA1
04aa1daa1000b82365337580304bb729540a2919

SHA256
a26b946b7cb78797839098284bc25d8b15110e8eb2ef98be5c119bad31679a84

SHA512
366bb3a052ced9232bb13cbb4dd00f5da6200b1d0cdc88df168790a17aae17c20099d29833ebc8a7a3e75c6bb550985b473f5c9fdc6b911871a8c40fcb53bc84

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
bd75c6a57fda051ff0b52d5bbc69120e

SHA1
42932e160e71ddc9a9fd8129afa7cd3625d3019d

SHA256
6329ae5e404947bdb6dad39dd2616c6840f12fb2780a6e825c47ef34d927af9a

SHA512
249d13a89e3234e7f3d135114c9eaec913602d6c880462e7e551e964be5e61373d93ad8916d22a751865ec63ccacd553001fd58751af892726b07a00794fca94

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
c1389598a8a03a803c08ec0a76ebdef8

SHA1
6dc20b4ee331d77e108edb64d4e884dfeb689f78

SHA256
94467d6608a4fe96495e0ab2bc1998be569aa157d3f76fbbd020e9ed50348611

SHA512
ade64628f6049f9a43257627c54e3b36d9360e79239f00b6011aa979571e3e6be73df72d28e2211d58719bf056cf229eebb618f8c208421f8ac996acd54ec52b

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.6MB

MD5
bb629c10b775bfbba19a52fdcb72d698

SHA1
d5fab7c60378d919b9a3b2334bc71550defec715

SHA256
93ca193c04461eb08f9b98d507c39926e3d507e1b5a241a8773ad2cb8433cf35

SHA512
f2fe6d1aa3154e32e436f51348a8543e3e8192d4057e0924c1c70f755a6294114cc8fd1fa762e466b54509f00b201dcea3cb7200d52b3de78a9a79163749ba30

Download Submit
memory/440-132-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/440-32-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/440-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/440-38-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/856-100-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/856-105-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/856-99-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/856-164-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/1332-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1332-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1588-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1588-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2120-394-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2120-141-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2444-153-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2444-69-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2492-6-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2492-1-0x0000000000A80000-0x0000000000AE7000-memory.dmp

Filesize
412KB

Download
memory/2492-87-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2492-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2500-118-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2500-269-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2724-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2724-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2852-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2852-414-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3004-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3004-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3124-413-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/3124-165-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/3188-111-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3188-12-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3960-95-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3960-88-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3960-89-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3960-160-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/4204-24-0x0000000140000000-0x000000014019D000-memory.dmp

Filesize
1.6MB

Download
memory/4204-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4204-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4208-67-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/4208-60-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4208-62-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/4208-54-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4208-65-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4312-346-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4312-128-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4476-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-144-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4540-73-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/4540-82-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4540-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4540-156-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/4576-393-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4576-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4872-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4872-157-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5016-112-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5112-401-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download
memory/5112-145-0x0000000140000000-0x00000001401D6000-memory.dmp

Filesize
1.8MB

Download