07fbf86b24093254bc456a1dff93f7a91ad0a6cc81cde194334f5ec5aa0f4ebd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Size

1.8MB
MD5

8c3cdf5102321d9a785acfd6a087e8fc
SHA1

7de0a4c44e06c6f9e4290952a2175bb9769df4e8
SHA256

07fbf86b24093254bc456a1dff93f7a91ad0a6cc81cde194334f5ec5aa0f4ebd
SHA512

c3f03e212c7ff337a4af02f51504c71da5ea14b3603eaaa1542d443a7fb17e70adec2940eb270501b40a4c026d001b243cf4d34071b2452d57ab482f841e5516
SSDEEP

49152:qE19+ApwXk1QE1RzsEQPaxHNlpAHrVQ1/fSNvi:v93wXmoKdpAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4196	alg.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
1968	fxssvc.exe
3040	elevation_service.exe
1672	elevation_service.exe
4248	maintenanceservice.exe
3628	msdtc.exe
4568	OSE.EXE
2020	PerceptionSimulationService.exe
3656	perfhost.exe
1804	locator.exe
1528	SensorDataService.exe
3560	snmptrap.exe
3044	spectrum.exe
736	ssh-agent.exe
2980	TieringEngineService.exe
2912	AgentService.exe
2104	vds.exe
2112	vssvc.exe
220	wbengine.exe
4168	WmiApSrv.exe
1244	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6dcfdab8e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exeDiagnosticsHub.StandardCollector.Service.exe2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046fdda56d8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093086a57d8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e99f756d8adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
3068	DiagnosticsHub.StandardCollector.Service.exe
3068	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Token: SeAuditPrivilege	1968	fxssvc.exe
Token: SeRestorePrivilege	2980	TieringEngineService.exe
Token: SeManageVolumePrivilege	2980	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2912	AgentService.exe
Token: SeBackupPrivilege	2112	vssvc.exe
Token: SeRestorePrivilege	2112	vssvc.exe
Token: SeAuditPrivilege	2112	vssvc.exe
Token: SeBackupPrivilege	220	wbengine.exe
Token: SeRestorePrivilege	220	wbengine.exe
Token: SeSecurityPrivilege	220	wbengine.exe
Token: 33	1244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1244	SearchIndexer.exe
Token: SeDebugPrivilege	4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Token: SeDebugPrivilege	4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Token: SeDebugPrivilege	4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Token: SeDebugPrivilege	4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Token: SeDebugPrivilege	4296	2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
Token: SeDebugPrivilege	3068	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1244 wrote to memory of 640	1244	SearchIndexer.exe	SearchProtocolHost.exe
PID 1244 wrote to memory of 640	1244	SearchIndexer.exe	SearchProtocolHost.exe
PID 1244 wrote to memory of 3080	1244	SearchIndexer.exe	SearchFilterHost.exe
PID 1244 wrote to memory of 3080	1244	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_8c3cdf5102321d9a785acfd6a087e8fc_bkransomware.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1132

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1672

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3560

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3044

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4924

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:640

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
20eb969d51897e76b1ce886c9212422e

SHA1
82a394c36d7edbd305ab832f9bcb45f1bf203c9b

SHA256
09b35792f6c558e5aaa20958542764244593af3b4187f5c2fac7a6a2a06f7790

SHA512
7e53f26460ba3ea511e9b4029729f5993a1d715d9176a5c24d46205343a51369ca36ad7d7a2127fe757b4cf222009d68a4ae324a5243d89dba64e64c03fcd864

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
31ef98e7e453912e4cef9d866bc9c97e

SHA1
ff06fe02f11a639cc7be8fbba9f9ee399514b8db

SHA256
0fde36a85b583ac4eb0f9fe3b9f4ed67c04bf902fcf4cc6145b5668d964f2afb

SHA512
6dbbe6a52d3ecfb3f03f6c3b225777ecd4327d4afb2b9fce90cfe155aa03ce45c98ea36af6e550de0e123292b83d919383df9ead36426d88565e560f3f624c41

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
3b7f55bee3e8d5316e98dfc7c1378e8b

SHA1
d846ec97d92a3f7c3a21406d2e9af2f3a202d4a6

SHA256
ebd7b4abf46dab01f4f338a73b40c69c866ed914ce420fff1cc65ed7dc960aa5

SHA512
4dd0d24c7d7dbe44ce97533e0702ef8f9e1db2fb6f45e41d801dc19f52db023b8a6a9b0c879ba1fed9d94b660ce093aaadc241135cc5d8857c4553e5c8a093c3

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
b861d9cb051f5115f9dc0823d9296c8e

SHA1
29ae2f4801f38092c5d661e6fb4426eeff3b5006

SHA256
2c60bb85c10a3930eca9a918f8607d415065bb8d4d335f4bf6eedd1b25f6e0be

SHA512
4982a7d2cd0f6f9570ef189d396d8695697507c6f459994b7cc1efd52a9e4c50ae1fede61b9a241be30678e5f39b8cf78f56aea91356589b7a5a44a6da4d75c5

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
7b3ef884caf34aacfec92fa97596f02f

SHA1
ec1eb1a2b8ec250d7bf1777f0c27ec9a92dfa586

SHA256
06b37d61cdf59bd61bc887fc04edc23b18dcfbdbe1d89a0ed0704591170825dc

SHA512
da03029993af7ce07ed0f548e48112543db959c0031497624c714d3a7b0865d8747935ab4146277d38f5459b84cfd53c675ec41cc8d4dac26b43af7f39ddefbb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
a8519cdaed2a104d495dc09856bab0de

SHA1
ce1336e3629d566e6cedde0fbeae5d96cd87d98d

SHA256
e306ea58977dd895fd51e831ab5fb7bd8547aa0b90ba4f66421eaf4c035cce3c

SHA512
c7bb39341d2f68d89b94cbea17542ce5c28357b600d5dafc6837714cfac08dcb6fdfa35a01f706ee03357f9ede7eac85727053cafb41a2e115b5825734e9ba5b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
e171379f947cea5b70eaebc1434f7e9d

SHA1
6f320dedb5941c927e77d88c86a6c505b430f45d

SHA256
a11effd78975523b46460ff50376f79a3b7bcaf52a9d4e742fbc3f6ef7a3dbcb

SHA512
c1c37720b389fa810678ff824aaadc478cf86362db7b688753df3270775360c516fd6ab00bc91681dcc5dcc1859b2f7d47c489b5c7ddd39886d6bb1df8702fc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
eede708b0354a91144acf34c09fbfc76

SHA1
881914abfed287cbd92de94c315c272a440bc9c8

SHA256
de84997a684afb3fe1d30274c63f5f2a08eb35f5767b8166d8ee12eb2eb9b206

SHA512
30673bafd939fc51e6b61ef1259f82506a497d1cef441fc21a08fd472ffc0c5a19a5451c0a0f50b201166fc1c7b74c32826b1768f12ab61bb0b4e26bcc72c493

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
f28a70d39988a306af3ee4d6b13d31cb

SHA1
e5aaef1b3ff30e4c128c8658b66396acf519ad58

SHA256
18e541ebbf4ea736d4d6d50785ce1969980a364099d008856344f75cec91fa3b

SHA512
551357f2e84dd33ad17b894e340b48f90adc92b7a1781be22a14f821550281f961d7cd3dfedb8bea66031a39547e7e6efe89526966fb200239a6b5c1247e1063

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
5809517dd2e284266668ccd74e249038

SHA1
d9c69d113439d83812976264c4ad8da12c36c22d

SHA256
0758bd498ab90a8d3c8bd067e1ea1971950c7e0feb5cd7ab95d90bd0e6e8eeb1

SHA512
3da14007f609af9583bf65df4696f4890e62db2b880b6486d43b7f4cd6699b510efc809da05ee7e8bd88254a55427cdd228f6b9e2f0a8b9fb095f10d053af28c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8323d14d62ace69e054c762973660b1d

SHA1
d9a6801b62b2958ad5fc36938e70b44d0ea45fe5

SHA256
087e9a30029e974c6f93d825f643bef891b375a16a27163b09dfb5a38ed2cbe7

SHA512
aa51b9a9041bab41254bfdee55eaae6cc9ce9e6775b7cabeb9107dcdcb45a3af3d9bd019752fec230fef5105a159f52e63e1069f109616e9de59897cba8aaa4c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
30203920568f9256406263721b30bf85

SHA1
911db1d02eb63ab41edae5d9e728f91ce7b424c9

SHA256
f55d1a4566b42609b08f7334c1dcab6a283c7f4d6c0decbf373010ff435da5db

SHA512
ecdb53c1847c23daed374007cf37712ed90c55b2df95cea8ede50332a914bc0457da4477a49ebae51b67400180d66077b5c4b5049fcdebcfccea7d87ec392e53

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
326d9246eb5681e7cebb0165de965133

SHA1
1bc00ff2576893fdf2d9d673a62fe9fe30993066

SHA256
960cf78420cde593cc5af19e1ecd8c3030f772ec992dc4cbaabca8833760ef59

SHA512
ef8ac3e1e587b80abf839afcc8bdfceca133e1e51e3e42333ae3db22d5d8e7293483b13ab2d3ab6abe02450a6ff059affaee27b5f8b95582af6eeba9e3d76ffb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
72ad06f60fbcb58a90b36321a6dff40b

SHA1
cde605203c021a205777d1c9275e985855471331

SHA256
fff3bd2db80bcc0e22f5482b8d642f60d07f78dfd65266a7f0cc7622534e351c

SHA512
5af55bd84d54569412ba6da6d94315ba0808e6e331eb55d2523088f48fdd797d78d7718ee101f0a27f0133b2b1b26584c2d33ae42412afaf75b6a59f30d80116

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
4302d8b3b8eac33eab2c5deb3a6dda67

SHA1
a1c9ff7446da9e131b99031041f07fa2cc8bd1a0

SHA256
b5a143c085e7cbe03fe5f0542f71dff399e00c5fcdde85f28e6a00904e3526f2

SHA512
d31e71aff4abe02ac3fbb078782b0e2a11d95b525f52c09a8c052b691254bb3c62586d469b068bc0014904edf0fed6e7e49792eceeee815bed79e5e4cb24e57f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
62fbd288d9176e13f134e4961d5d3c1a

SHA1
24db91f911a6c54615c66fb92b56bd3c9af288af

SHA256
877ef1ec22ad462a1bfded3f14fc4d73be7b002a8b8f48a3e143b4d968b42eac

SHA512
0d26797459216a80afe8664559d0a15c4039ae887806b9a53b88e49a69b18528719938cca69861c78fe024e0097e20ada47ce4c286d072c00a36101c78177204

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
9ed54dcbf2591942eaba91c7246fdee3

SHA1
34c77c3fd9e0eba005cc311d86bd23831b196866

SHA256
ec6951cce0d719c2a45e40b7995d6885929e1b508535fb7f42b3c2b12a097fea

SHA512
c8142aa30aca950c517515292727e23b0572795360d5ea66e15ccbdf0524ca473b645a447abeae24f5b818966ad166cceb226ee29aeb94182f3d2dec37d2fc5a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
a275640fb4ecf64e34a92a66da0c6261

SHA1
78b3e38760a5cfe7bd7bcb62a1a93eb65c16877b

SHA256
d9355be063029dbbad617da28c7e808bf78f7739fb3d6ef2a9b525ab9ea1bed3

SHA512
56eda72581bed86155973a3dd7b39f8e44dab8b79c52b7c2d9baabe5a565128eac8a328051f66ff88d7f403281b2b89e89db07776a39da7e0637add85991b206

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
3ee7a5c5c93967512e327d5c67f4daae

SHA1
f976c872934b92d4a570a879543c818fed2d1423

SHA256
f37c3e3fa4941fbc12a833eb8871bd74728a058a20b4d1ca82dc6fe6b43be838

SHA512
c0fa7a035af7f5720b679bd04cece05ff8c8829bc1f3c6a49f1069ed58c4848e6f51bec47ffab06b551cad4733beef2725fcd644f55082b55ae585ee5ab4d4b1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
9757c61fbbb749120a79c0a68886e167

SHA1
fc7b21bcf365d0371ad3b93bb0e5c447c56fa084

SHA256
7b37e199bfeb3a3eb065e1ef42bc1e9c25aa5fea0a617a72cff4f614b863bb0c

SHA512
62e05ec126428113f20ceb2f0b1530b94d3505d717a3dff7b010d0c7153efe139a4f671a93a97281e8a10a71c970c985d79e07e240108ab165e620b00c03bc95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
703caedab066bc0cb09e146a0556381c

SHA1
211119d5703c8e515b7ad31f3cdbf41a04204f82

SHA256
0a2d0a3127d6cd9b14761e23f464d862e283fddd850d748f254acdf1f75fea22

SHA512
5900b877a9267ac66e69df78cd94db2e55f277665bd9a04b45106d010eb8b36140e321806b0fcbb7cdb142ade1b3f39e662e2f4fb2a13751bcb5f6387c15d3c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
9680faa0a70475332403c1e3b1d05416

SHA1
45fff2919ad807d2ebb0bbbdc63e17c8be2ed2f6

SHA256
72b7a383888507d6a012c6d687a86d248a55a7c173b3381452d121af93a6d0a9

SHA512
d98eb3ddf61b05ce2670ecdefa7fd0389a9bc9dfda9d188f1e891b8c805f5f1d4326c36ebc7895473fa9ab9e81d56f27d7e1bfeb2df18bb470861cb06e8e987b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
0d1c61acc78f1e61312be3aa63b76035

SHA1
72fbe72e92fc19956bbc4ceb542dae39892c08b0

SHA256
b843eaee5b519592ef9bc76244c34adcbd56632e37887e877740d89fc17cd9e8

SHA512
afeb3858981d01f5eae73e3bf3f767dbffdfdfa7473950340bee5fa3653c3f22ae9c27ca65c1fe1e80eb0febd972364d2db361ea1ecc1a74a7ac18da115b6ac0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
cd45e9eaa73b6223a65cfbde76fd36f6

SHA1
8b94573b7c9a6e270905cf8ca08fb7e9841e0fcf

SHA256
a2998c83128dbbd8a2e240b782b42a60fe31205be1b059dcd733c1159e4c2c68

SHA512
7c158cd6d4078e0fe8ae86e5f27124ab94b16bc4aa9433eb20fc8c6c52f4bd6bc090e05d57b7bdc4ed4624e1637d75c0679fcf611f251134cdebbd8bf9603151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
d596b9dc433045a52b2993613b48497f

SHA1
7691ed0d0fae032f5ed77e62de1f6a96af91d414

SHA256
d91803dcaf9c1bda5c7a2f6fb648272932f68a819b3875f2db1d7adb563065f9

SHA512
13aa973a25a43bbfc377dbf0d283a8f3650b1bb1540aab9c0c7f66b6f9ded965943f0a1db8fd38cd30c32f3db574aaa632ee2c9fb4d483e79e8604f494305010

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
9dbba717d61d0cc5c207cf6e02d7eb81

SHA1
12e474525ee70c6ade8b9588059b4cde2154c826

SHA256
d5046ca8594f6fa51d1e41578ffb43b54a57daac0961c43bcae6c469a60c2ae4

SHA512
bea7a5bebe9d3462cff7fa92d262ed3c13326b610ef23f99ce4023afd681910023f22b04b2be69855fcd0eb0995ab8bce48b0725f6d8139f0c19dd919acda6f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
1eba2fccedfd5c1f4df2f31e54d0f07a

SHA1
83e2e66ab685c05788b2228df3a908f15cd9c009

SHA256
bd4e13a14a720387214938811973d4134f999a47f5cb04e80f59a194e65c5969

SHA512
0d4c974dc8a86c373536ed20ad4d7706138001fdeb8dfb461b468070530952dee8d73e24be77fd1739ca3de6754edbab2157950b2a81861eee2e55e732609428

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
7a94c0f71e7509e1c52779f073e36301

SHA1
aff7bb5e45d5baf62a5a6bca1f6ad74f3bc4bbd4

SHA256
75c9de08101e6d7ad7da1c1b5cf95d73349e912358edb83fc9962a5666f59452

SHA512
a5f1e43da0c92bfe683cada130bdac1328ce30a174ffa6239b93a17ce8d065bcabd209966334bdbbff890cc2fb3350c2e030c7baaa6b34bf9c5c58fe5d5acaa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
86b7edd1e181b0058fbe289710f30838

SHA1
b4c6531e3412c0a7a106489109f0941f2e45ab0a

SHA256
d388691c302a7ae7ed51217a6442d68fa76005f709b9015740ee07d0effa744c

SHA512
31c580eba3a15b839e9ebcb82fe49f208c250bd47b84e94a793a5b8766a30f48c2b7e25187177ac9aada480385a90bc9ae5a0451cc9fd0de29384a42dbd762ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
8f2df949953c93438c8de3a26e559804

SHA1
dd6192a8eb093e99cb164a712efb882ee3054d0c

SHA256
0928dc7ae03c7736b3e96dd0372899238776c54f1813c9d972c5554c0be3df14

SHA512
134e4a053cd962a3799ec4aa676a58770bdf810d960b36565130c89c4bc0d7105596c0c0dd03499e189d506bd8e372b8b8ee8ed253145cf3eddc3cc990335b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
226c7537e0780fe23f3eb8f960f85825

SHA1
daa4c442f2d1a7d4229936f456a0b0631114c8ee

SHA256
ecfd7a11610d8668122985e7ca7ee741c2cb5c25db64eba4a5a53c0f66f69718

SHA512
b9f444a8d096ad5f49d625d0e1d4bc82ed3c33216878d76fbc8d947480acfd9dc784b2c85ea9e1b7f65e417e13b2a09aa92d2de5d3f9c7a5fe3cd141a8825773

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
fe9cbd23bb43d5e0d97016ca3b9aa701

SHA1
3e41988999371c57969363aa28bc7f358b1c04de

SHA256
5755279b0f7a5a273417c2d7c891368150f34f7101c30dabfedf07549e19b3ba

SHA512
74ff0bd4b98a380bb291caf786eafa772e3bcde79b374e411bbd12f3905e8383639bf928192d1c9107f6d03cc43e3d93591271deb0b8ad2e0315407c996d2c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
fc2ff106cd9bb0150cea3c54a9b788aa

SHA1
9bce9f4a9303b265170959a9160f3b8b880ac5c1

SHA256
b2a0272b213892ab20399df7ac41ad7f1fb843b39f176d85e2bd8fe8918de6c0

SHA512
93e433e2ff0689d901ec8e841fadaa1c9c47c46d7f691e3c0207d684907eb879fc5cea563071812c60d41b3be218c2a0cd5347e805f4e3473ac6988bf81c340b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
4687263741aa179bf3b92c90035b0e0b

SHA1
73dcc60917a699b20401a0ed6fd26d9b2470384b

SHA256
97ae19a99fd9ffe131001f810576da35f40628ff36f5aae264c7bdc0ad4dc996

SHA512
61d05e325e6c81a4e5b86c07afa0bf06b4495b26cb802a9ce29018570d1310c49e0a4c2214f9677dcbeb6717e0a687dc0d73f01b3d8b444cda9e03f8237b95e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
3228315193d3f88721ca7f1636546b2b

SHA1
182ab0ae54d5b4362363dc128f782a5aea808114

SHA256
557ef2dfe5de5fd4833190fc1df5274a0a0ed3242465798d20b6e61443d19e8f

SHA512
8951f56d945c009eaec63ae3e62dfb34c5a9442fa01c6b42569fcc0f11b2303bdc520fe1788a3216d9856fc6185d34295b365b2e702eeb444ea11b819216a640

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
134a6cd71adeb0ebfb19310dcf4e8dae

SHA1
b92e25062cd49ac6973cc24d22e625f5cb87f727

SHA256
d866322575ee9dcc23bc43a22fdb29a9860c7818d1494413ecd9a35d9aad1e1d

SHA512
bffa4f9596b42014854c6e14931379b76e95b9c721cb186162332845239315ba28f7e60a5eb78e9e7e814f5db4c55eec9a7b60a7d98f3f3fdaafc055ab1ae0cd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
20ded236eaa6cc8a85565b6caf6da43e

SHA1
27b52bb86bf97896746a1ad6a69398002e447267

SHA256
c12ba518b793a23fb362e4d3fa564d8bc6a55e66d8f669884f9b620f37f81da2

SHA512
c2ef4000eb4ef0af7fbf5ca0b69d48912e604a2fc1708834892906ceb4e024c8f436788c5d3fb4aa4c2247d4be869de0ce5a5c4c3b7609142963a1d7211d09be

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
8ae4bb588e2522f49374be93ac6f3873

SHA1
4be0dca1bccf67b53d0aae1aaac6759d6f3264e6

SHA256
475cfbb853ea6531d437153ae83401e675c23491bda3bad7d038bd31403be7f2

SHA512
16be3ec98b814730672a372ff7ddc1ff26856cc4320f90be7411477f039fc7f8029b049efcaae0cacffa4ff57c5b1d46f278f75b563ab725ccbece568bb8d62e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
d4a993d9170a8e69827e5ed099dc6c01

SHA1
186bb87d185ffa69a62d1df4e25ffcac8c933557

SHA256
4568763a617312d309355353e13f9ec7797e59468af8c116896c92df8358eb15

SHA512
2ebdf09173d959ef6457abd6549f96617c8d0ebce5e58dc67ba00aca6cd4f89e2a33cc8ff72d1a4ca8cd9fd555a720e81195f4be92982dd7cd58b5b19734e046

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f1e47d83f0c2cf7a3a001119e613f5ce

SHA1
7c03acf739ec37be6e5bb9fa83117db638e91a04

SHA256
c890c315d3ba28b4521683853b2b837b7dd18625511c7be516e3507b1aeb2038

SHA512
7b9162459913963f9f844da5f96ad993daafef53e28512775421aa7300aee8dd9f8c1eaab38a825d228355aeebd1c088a1bf5d1bd39939d1720cae12add8a933

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
cef61edd37b35a5b199fd1be0e3373da

SHA1
b1f66343d9e814992dc5ad16a5a7039ef8855fc8

SHA256
08b51d910d8d4f47a277b0857c9c6ecbf64ef3d67e99693f50b2a5882a8a6af9

SHA512
82e45475947a9bdcebedc76dcb33fac4d014b9844d3ad8d0043e2b5c5c7cce32061191c53e91e63622b631b0c59f1305ec0375e3712a0eee8c769cb619a92596

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d3f16c2c5f831bcfac2abfeaeb64be0a

SHA1
1ddbd30a9a678e6078ac0b841a66ab04d29044b2

SHA256
32628e25650f4be1641fa772fc3694e8d4cf49d1711caa32edce366ba5746e13

SHA512
a578b91705751fd75cbdbeaa2b4cab9ee79e298826ebb3d3fc8d83af4cb7a203382e16a7ff9b0122bcebb8d1ad2da24b94404d1a988e61871175c62749771661

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
1f5bdeb62e2c8bd0909b8193a0f52b05

SHA1
c9f950f82948e6ebc4aa8171a423e9dcf20bb3ec

SHA256
f1654167fcd178d6a5028916107d5cc10a464c7553e131731a7a1efc9df0993b

SHA512
84d61ba279a6524c4b89bcd74e9082f32aa9a1c410b0e181f302cb53ecbc025d2daca2ef207dd0efefd7162c56095719e42fae52e6fc9aa5856ffbc8216adecf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
94e7b1f446aabf32e400d64d15818953

SHA1
2a5764b75bf87594a1f5e258db698f1bc193f32f

SHA256
9d96d728d7c83cdf7c6fccde353e9554ba07ecbe968c2bbbb79bd2ebf9cb8c37

SHA512
10c46a5cb84bb22a6aa96b5f5acb6879b016b7226b9fd92c609339313f1cf397018b118a8dc6df3471ee7b8b7c307756c9da164e0be2b8b14f408ce8743e3e93

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
784d7b35814dff0c75ba8bf612cca90a

SHA1
7043c8d516a58eff33e45b30a9257f98a0996846

SHA256
5d591c180051bf740c2b2f7d644f9edec66a092152bfff45a86dffb22f438eb2

SHA512
83d4e560b15ec10a7785588617f7604dada84b99f24c52bde2e709dff7c210de2e42656211ade773c291fe9ef69a4f219506092d62bbe00fcd7d2b495fb0a20e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
8f39dcf0b42d02e004d9cf723db08791

SHA1
b9761544229758808597a629c3926469755c80d7

SHA256
34c09a15c5cd99424ded3a1307307af051adb65acfcd7df49fa1a1e79e082b97

SHA512
d5c0ecf516e9516c76f137f53b084353f717c419f359324f42bfd72f7689c37de074af3ad3135d3976bcdc6ad462a9ef614b0a941596a1743db60de1df9c1033

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
09afbbc5cd29578a1fb3a4fd25808fcd

SHA1
39d8a2cba1b523ce939b568336b4ded2501ef3e1

SHA256
43feca0b4555b33b25e8362e9af5db584c43c64f3f06345e1416d754ca16daed

SHA512
7d071f03e4a3c7ba59f8a8ae12e3393d41a2e3d35c949fecf670b5c3c15bb042f1b7ff7a3426bd12f001ccf7b119980dc851eae0e34bd2becad94fc4014d76b2

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a3427fb4b4826d0573e7c2552d3e0240

SHA1
6dd9faf2b16474f575ea2d36f529030e036dd990

SHA256
d04b7a2304bff015925a894136473873741c3e9585b6c1819d701ecdb2ac98a1

SHA512
96ed2ef9b9900fecdadb9293c1adfeb595f9518eb0aa929465bf22a1143ff9a113429b851dbde897cfb905e6ab5abfa04e00016b6d6dfee085e907445dfe9cb7

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
a372cc751138b978f579883d71698bd7

SHA1
4bbcf401a75cd204dc341958146fd0a28ce20105

SHA256
6250a5a06789565f8fd8fd8f073ad8012731429be7b43762c3743de492b931da

SHA512
1c398e421d907346feb7b62ed6d8424a1eee4dc313f35dcc222b42abd1dc8f562a07cd106cec3b143fd235333d89cde5ac51adebcf006192b746ce34a521befe

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
5e207a819b1b35aadffda7582df0115a

SHA1
88750a5fcde1a0088ce134f0bc5efb8eb7121ead

SHA256
4109cb8221d71cde16a49949627fc31a59dfe08e8e8aec27e4e4a178ebaba410

SHA512
66a8da202769932c6ef644c60245990a0f1e317aec6723a285b995988aadf7fc4e27a55b953448ef463afbe015364e45ef914051479570f188cf35cbc99012a0

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
e10803ac7750e5ff638e4de8795d9bd4

SHA1
149f6bd5376efe6f622bc98e56c4c64d5ed47180

SHA256
e1bbe2c69d20baaff5c437d412387f81cd72d28bbe8a3a6476c740484e07b930

SHA512
dbc4dbcd2325c004e477beb9a8e8f8281a0f279a0fa461325aebf425af0bbc7c519addc402d74b33e69d6501dff5b3f5c677762b124266c52f924ae17cf5f3d9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
897a488842b54a83b2f37eb1802eded3

SHA1
6a22a743f2bb9093f4dfc1f0e71241a8ed7bdad9

SHA256
b9fb7e0876b451dc7d7f50a43f325f19f999c86f4ea440f21fbcec419ab81411

SHA512
b8c3a6f4f863cf4a4641f5d17c296e9837dae3ca4591695981fcd3028f5e43be1edfe6a78e88a39342ac62464ebcd370572939ba155fc0a8e3f5c490b0f10a83

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
f669e044cff93b17041f43af85c6ce0c

SHA1
da4bdecc5b6defea5c696605addd52e7e67ee42f

SHA256
e709edc7b83f5ba34d96219098932d3c6611fd5340a5983bacbab57653efce46

SHA512
549dd8d0bc46c544dc053035b7353198f04945fd3c9d2401ddb76e675957a0b19a56a20e59e77bf404602ff9267b449ad89207675fe90f16796e41d4770fa002

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
2c16d083f5aba43f8644f2e5cf197ee5

SHA1
cc26171d667e786bfdea60ed8473f5c04b7d0d3d

SHA256
ae6c61a71e473955d06c8950e426b5b6e89a4b5fef2f0953123da8141c3cbc1c

SHA512
c1d2a6764c06e0c278f66e62319f570db7c25ef00c11190a14b270b41ed63215d4684b8cf0a48316fa68338330a76b5f1f8564bf0a4f7834dac3492f3de0589a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
729595d466f954590adba6d6b08d5c86

SHA1
21b441e84c65c176c3a00e934870c2eaf218ef6e

SHA256
a25133f054da8cbd49f9405e0fa9c2a711a11a8c4dda98ad12e54cd6dae5cacd

SHA512
8155930704751c3e76c5a1b6640bda304a72bac54fdd32d5127548430f4825bdcd930a7cd635bb813f2c3e2381cc540b35f44160862a9aa61621489484391332

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
5e53980e98a39718480828bed0058508

SHA1
fc91dfba6e92cbb2cc231113a93a965f4ccc4d62

SHA256
49ae5b70d17bba2176b80557696b5f316bbb9dafb2fd8fbb8ef8d93d3b28db6c

SHA512
0a27fd6c99d6abec85079bd27bca76f64e998e06257bcf9c33df134efcb314235cbdc587f85a05e1fb4a40ad8d2c5b77bd7f6f8fcd3f29a752dbcb1d82b1f192

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9a665ecce971042e865ae65776999299

SHA1
3717c53e4fe905e754cd637b49f6f9389efe364a

SHA256
486bd96ce62ab6f07975117b3a1455eea0e9e4cdd624da7f3f2a667754ef6dcd

SHA512
4d0bf3a7fee278799b7b67053f468c3d68b2cee7c71150949cc15553aa99cd331151d81494d45445f6475eb769461daeed28b09c0c57a8186495d026d032354c

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
6637f5319d9d12bc2f9fefa52afb0631

SHA1
fde35a113b385f7dcce9bdbdf58fa65ea462a5a5

SHA256
2ae8720501b1c6c42ff0a337a763dc8ad4fc8a5e0e7b75bca3db419295467502

SHA512
a41a8e187f50520166d2131f348bf4695f8a62f7242e2311e2e6d3a638ab9c645aacdc99281eade4e34824a6239bb6fcf6fb8f0ed134ec264f14052747fe0647

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
43911c217cf69374ff862ee0145d168d

SHA1
f1c2d4d3cef5343fbdbd3be0703b87f10d166bd1

SHA256
9cc18c960de07f35ba916fa4a66758dcd5119b9c3e899958d63d061543b6876c

SHA512
e1727cc2abc48f90ce6c5851675fc89c9af0bbe6a85e9c5283b1924afd33c511f0a762b31e969cb314655f7fa2c5da78758f5a55eec8b92fa73e0da1af2c58a3

Download Submit
memory/220-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/736-142-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/1244-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1244-515-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1528-139-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-432-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1672-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1672-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1672-501-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1672-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-138-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/1968-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1968-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2020-94-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2020-106-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2020-88-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2104-166-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2112-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2112-167-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2912-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2980-164-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/3040-38-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3040-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3040-32-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3040-449-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3044-141-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3044-510-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3068-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3068-137-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3068-23-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3068-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3560-140-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/3628-69-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3628-505-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3656-103-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/3656-509-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/3656-98-0x00000000008F0000-0x0000000000957000-memory.dmp

Filesize
412KB

Download
memory/3656-107-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4168-169-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4168-514-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4196-12-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4196-136-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4248-60-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4248-54-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4248-62-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4248-64-0x0000000001AB0000-0x0000000001B10000-memory.dmp

Filesize
384KB

Download
memory/4248-66-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4296-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4296-76-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4296-6-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/4296-1-0x0000000000870000-0x00000000008D7000-memory.dmp

Filesize
412KB

Download
memory/4568-83-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4568-85-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4568-77-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4568-506-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download